Folder Permissions Issue

We have a 2008 R2 file server. It has a share in which only Domain Admins have full control. Domain Users have Read and execute, List folder contents and Read. The only other group in the list that has full control is the local administrators. However, we discovered that our domain users can write to this folder. When we test effective permissions, the domain users group is correct. But if we test effective permissions for any individual user, they have full control. We are quite baffled at this point.
gglollc asked:
gglollc (Author) commented:
I forgot to mention that the Share permissions are Change and Read for Everyone.
0
zalazar commented:
Could you double check if "CREATOR OWNER" is also in the NTFS security.

In the past the default Windows permissions of a formatted drive included "CREATOR OWNER" in combination with "Users Special"
Where "Users  Special" gets "Create files / write data, Create folders / append data".
In combination with CREATOR OWNER it gives permissions to write files and create folders.
If the share permissions are Change, then this gives any user with read permissions on the directory the possibility to create files and folders. On every file or folder created by the user, the user gets full control.
0
gglollc (Author) commented:
Thanks but that group is not in there. The groups in the list are SYSTEM, Domain Admins, Domain Users, local Admins, local users, backup operators.
0
zalazar commented:
Thanks for the info.
Could you maybe open a command prompt (cmd.exe) on the server and execute the following command:

    cacls <directory> /s

where <directory> is the name of the directory you are sharing, e.g. D:\Data\Department1

    cacls "D:\Data\Department1" /s

and then post the info here.
/s will display the SDDL string.
0
gglollc (Author) commented:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\administrator.GGLO>cacls "G:\data\drafting" /s
    G:\data\drafting "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;DU)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;0x1301bf;;;BO)"

    C:\Users\administrator.GGLO>
0
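Editor's worked example (added here; it is not code from any participant in the thread). The script decodes the SDDL string gglollc posted, the way zalazar's `cacls /s` suggestion intends, and then applies the rule the thread circles around: access over a share is the share permission ANDed with the NTFS permission, bit by bit. It also runs the same decoder over a constructed DACL that still carries the old CREATOR OWNER / "Users special" defaults zalazar described, to show how such an ACL lets a user create subfolders while every visible group entry reads as Read & execute. The constant names, the second (constructed) DACL and the well-known-SID name table are the editor's; the posted string is reproduced from the comment above.

```python
import re

# Two-letter SDDL rights tokens and their access-mask bits.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
}
# Well-known SID abbreviations that cacls /s prints in place of S-1-5-... SIDs.
SID_NAMES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "BO": "BUILTIN\\Backup Operators",
    "DA": "Domain Admins", "DU": "Domain Users", "CO": "CREATOR OWNER",
    "WD": "Everyone", "AU": "Authenticated Users",
}
# The masks Explorer labels "Full control", "Modify" and "Read & execute".
FULL_CONTROL, MODIFY, READ_EXECUTE = 0x1F01FF, 0x1301BF, 0x1200A9
# FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_WRITE_ATTRIBUTES
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100
# Share permission levels are expressed with the same masks as NTFS.
SHARE_LEVELS = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}

# The DACL gglollc posted for G:\data\drafting.
POSTED_SDDL = ("D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;0x1200a9;;;DU)"
               "(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;OICI;0x1301bf;;;BO)")
# Constructed DACL (not from the poster's server) modelling the old default
# zalazar describes: Users may create folders (LC) here and files (DC) below,
# and CREATOR OWNER gets Full control on whatever they create.
CREATOR_OWNER_SDDL = ("D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)"
                      "(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)(A;OICIIO;FA;;;CO)")


def parse_rights(token):
    """'0x1200a9' -> int; 'FA' or 'LCDC' -> OR of the named rights."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHTS[token[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return [(ace_type, flag_tokens, mask, sid)] for each ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        flag_tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        aces.append((ace_type, flag_tokens, parse_rights(rights), sid))
    return aces

def describe(mask):
    """Explorer-style label; '+ special' when extra bits ride along."""
    for label, template in (("Full control", FULL_CONTROL), ("Modify", MODIFY),
                            ("Read & execute", READ_EXECUTE)):
        if mask & template == template:
            return label if mask == template else label + " + special"
    return "Special (0x%X)" % mask

def ntfs_access(aces, token_sids):
    """Effective NTFS mask on the folder itself for a token holding token_sids.

    Assumes a canonical DACL (denies ordered before allows), so a denied bit
    overrides an allowed one. Inherit-only ACEs (IO) grant nothing on the
    object that carries them; they only propagate to children.
    """
    allowed = denied = 0
    for ace_type, flags, mask, sid in aces:
        if sid not in token_sids or "IO" in flags:
            continue
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    return allowed & ~denied

def effective_share_access(aces, token_sids, share_level):
    """Access over SMB: share permission AND NTFS permission, bit by bit."""
    return ntfs_access(aces, token_sids) & SHARE_LEVELS[share_level]

def can_write(mask):
    return bool(mask & WRITE_BITS)

def report(sddl):
    """One line per ACE, resolved to names and Explorer-style labels."""
    kind = {"A": "Allow", "D": "Deny"}
    return ["%s %s: %s" % (kind.get(t, t), SID_NAMES.get(sid, sid), describe(mask))
            for t, _flags, mask, sid in parse_dacl(sddl)]

if __name__ == "__main__":
    print("\n".join(report(POSTED_SDDL)))
    aces, user = parse_dacl(POSTED_SDDL), {"DU", "BU"}
    for level in SHARE_LEVELS:   # Read & execute at every share level
        print(level, "->", describe(effective_share_access(aces, user, level)))
    co = ntfs_access(parse_dacl(CREATOR_OWNER_SDDL), {"BU"})
    print("with CREATOR OWNER defaults:", describe(co), "writable:", can_write(co))
```

Decoded, the posted DACL gives 0x1200a9 (Read & execute) to Domain Users and BUILTIN\Users, 0x1301bf (Modify) to Backup Operators and Full control to SYSTEM, Domain Admins and Administrators, with no CREATOR OWNER or Everyone entry. Because the share level can only remove bits, a token holding just DU and BU ends at Read & execute whether the share says Read, Change or Full Control; a plain domain user who can write here must therefore be carrying one of the other SIDs, which is what the group-membership check in the thread targets.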
zalazar commented:
Thanks for posting. The security looks indeed fine.
Did you already double check the Domain Admins, Administrators and Backup Operators group for unknown groups or users ?
0
gglollc (Author) commented:
Yes, we have other shares with the same groups, and when I check effective permissions for an individual user they do not have full control.
0
Michael Machie (Full-time technical multi-tasker) commented:
First:
Double check not only the Advanced (NTFS) Sharing and Security settings individually, but also the Simple Sharing settings. It is very important to use one or the other, preferably NTFS Sharing and Security. Using both NTFS and Simple permissions at the same time causes all sorts of 'wonkiness' and can allow 'non-visible' permissions breaches.

Check to make sure the folders do not have Simple Sharing turned on:
[screenshot: NotShared.PNG]
Make sure you are only using Advanced Sharing (NTFS):
[screenshot: AdvancedSharing.PNG]
Once during a Domain upgrade my co-worker used Simple while I was using Advanced. He kept enabling Simple and setting permissions. Meanwhile, when I was setting up access everything was messed and Ownership was even lost. By disabling Simple and rebuilding Advanced permissions, including manually specifying Ownership, I resolved it.
 
Second:
Did you by chance perform any migration processes or manipulate the folder, or the permissioned users/groups, with a script? For instance Robocopy or something of the like? Although uncommon, permissions can be affected when using those tools.
0

zalazar commented:
Thanks for the info.
In addition to checking the effective permissions, I would also prefer to check the groups themselves.
From the question I understand the share is setup on a fileserver and I assume it's a member server.
Could you then open Administrative Tools\Computer Management
Open the "Local Users and Groups\Groups" and open the "Backup Operators" and "Administrators" group and look for unknown user accounts and groups. For every group that is listed the corresponding group should be checked individually, locally or on the Active Directory domain.
Please also check the "Domain Admins" group and do a similar check.

You could also try to check an individual file where according to your check the user has full control on.
Can you check if the NTFS file permissions do look the same as the directory permissions ?
0
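Editor's added example (not from any participant in the thread): zalazar's membership check, done programmatically. Groups nest, so a user can reach Backup Operators or Administrators through a chain that never shows in the group's direct member list, and the effective-permissions dialog for that user then reports Modify or Full control while the Domain Users group looks correct. The GROUPS and ALLOWED tables are a constructed snapshot (the CORP domain and its users are invented) standing in for what Get-ADGroupMember -Recursive or the Computer Management console would return; the expansion is cycle-safe because nested groups can legitimately refer back to each other.

```python
from collections import deque

# Constructed directory snapshot (not the poster's domain): group -> direct members.
# A member that is itself a key in GROUPS is a nested group; anything else is a user.
GROUPS = {
    "BUILTIN\\Administrators": ["CORP\\Domain Admins", "CORP\\administrator"],
    "BUILTIN\\Backup Operators": ["CORP\\Backup Staff"],
    "CORP\\Domain Admins": ["CORP\\administrator"],
    "CORP\\Backup Staff": ["CORP\\carol", "CORP\\Domain Users"],  # the buried mistake
    "CORP\\Domain Users": ["CORP\\alice", "CORP\\bob", "CORP\\carol"],
    "CORP\\Helpdesk": ["CORP\\Helpdesk Leads", "CORP\\dave"],      # two-group cycle
    "CORP\\Helpdesk Leads": ["CORP\\Helpdesk"],
}
# Principals an admin considers legitimate as direct members of each privileged group.
ALLOWED = {
    "BUILTIN\\Administrators": {"CORP\\Domain Admins", "CORP\\administrator"},
    "BUILTIN\\Backup Operators": {"CORP\\Backup Staff"},
}


def expand_members(groups, group):
    """All users reachable from `group` through any depth of nesting (cycle-safe)."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in groups:
                stack.append(member)
            else:
                users.add(member)
    return users

def membership_paths(groups, group):
    """user -> list of nesting chains [group, nested, ..., innermost] reaching that user."""
    paths, queue = {}, deque([(group, [group])])
    while queue:
        g, chain = queue.popleft()
        for member in groups.get(g, []):
            if member in groups:
                if member not in chain:          # cycle guard
                    queue.append((member, chain + [member]))
            else:
                paths.setdefault(member, []).append(chain)
    return paths

def groups_of(groups, user):
    """Every group whose transitive membership includes `user`: what the user's token carries."""
    return {g for g in groups if user in expand_members(groups, g)}

def audit(groups, allowed):
    """Flag users who reach a privileged group through a chain that passes through a
    group not on the allowlist, or who sit in it directly without being allowed."""
    findings = {}
    for group, ok in allowed.items():
        for user, chains in membership_paths(groups, group).items():
            for chain in chains:
                nested = chain[1:]
                legitimate = all(g in ok for g in nested) if nested else user in ok
                if not legitimate:
                    findings.setdefault(group, []).append((user, chain))
    return findings

if __name__ == "__main__":
    for group, hits in audit(GROUPS, ALLOWED).items():
        for user, chain in hits:
            print("%s reaches %s via %s" % (user, group, " -> ".join(chain)))
    print("alice's token groups:", sorted(groups_of(GROUPS, "CORP\\alice")))
```

On the constructed data, Administrators audits clean, while every Domain Users member reaches Backup Operators through Backup Staff; carol is reported only for the Domain Users chain, not for her direct, allowed membership in Backup Staff. Against a real domain, replace GROUPS with the output of the recursive member query and ALLOWED with what the group is documented to contain.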
gglollc (Author) commented:
Machienet,

Once I figured out how to turn off simple sharing by turning off the sharing wizard in Folders options, then setting advanced sharing, this worked. It also appeared that in advanced sharing Everyone had full control by default. I removed Everyone and added domain users and domain admins with the appropriate permissions. Thanks!
0
Michael Machie (Full-time technical multi-tasker) commented:
Glad it is all worked out.
0
zalazar commented:
Good to see it's solved.
I'm just interested on how you investigated the share permissions earlier.
"Share permissions are Change and Read for Everyone".
Would you be able to let me know ?
0
gglollc (Author) commented:
Zalazar, thank you for your interest and help. I am not sure exactly what you are asking, but I had previously double checked all of the groups before I posted this question.

The Share permissions were selected under the Properties - Share button.
0
zalazar commented:
Thanks for your feedback.
What I meant was about your second post about the Share permissions but this simple file sharing is so foggy and not very well documented that it's difficult to fully understand. Anyway, I'm glad it's solved.
1
Michael Machie (Full-time technical multi-tasker) commented:
Zalazar, the permissions set via the Share button as seen in my screenshot relate to the Simple Sharing method. Using the Simple method is not very secure with no granular control. It's kind of like a very basic security, such as having a key (key=permissions) to an apartment building main door and all of the apartments are either unlocked or use the same key. This is enabled and disabled via two methods - using the button as seen in the screenshot above, OR, via the Folder options in Control Panel - Folder options - (check/uncheck) Use Simple File Sharing. In Vista it is called Sharing Wizard or something to that effect.

Advanced sharing uses NTFS permissions - much more granular and much better. Like the afore-mentioned apartment building; with Advanced sharing you have the front door key (key=permissions). There is also a separate key for each apartment. Each apartment could also have a garage or closet with another key. Advanced sharing allows your User account to hold many keys. Only the doors you have a key for can be accessed, not like with Simple Sharing - with no options to allow more than one key.

Sorry for being long-winded, but hope that helps.
0
zalazar commented:
Machienet, thanks for the detailed explanation.
I actually know of how advanced sharing is working and I'm familiar with it and using it in enterprise environments.
I never used the simple sharing method as, as you explained, you do not have good control.
In the second post gglollc does mention "Share permissions are Change and Read for Everyone".
From this line you can probably make out that it was looked up via the Advanced sharing method, as the terms Change and Read are only used there and these terms are not used with simple sharing.
But in the end it seemed that the advanced share permissions were Everyone Full Control.
I have done some testing, and from what I have seen, when using simple sharing the Share permissions are set accordingly and NTFS permissions are explicitly (non-inherited) set.
Also it seemed that Everyone did have Full Control on share and NTFS permissions but Everyone was actually not included in the posted DACL.
Do you maybe know an explanation for this behavior ?
0
Michael Machie (Full-time technical multi-tasker) commented:
I'm assuming, based on that specific post, the Users within the NTFS permissions had Change and Read, since that is where those permissions reside. However, I am not sure gglollc had looked at the (Simple) Share permissions yet, where everyone most likely had Read/Write, at that time which is why they could fully access the Share.

As for why those Simple permissions did not appear in the (D)ACL, it could be simply that DACL reports on NTFS permissions, since it specifically applies to AD accounts and the relative SID.

Hopefully that helps.
0
gglollc (Author) commented:
Yes I had looked at the simple permissions. Typically I do what Technet advises, give full control in Sharing, (what you are calling simple) and then tighten the restrictions with NTFS in the Security tab. The most restrictive wins. If you look up how to share folders on Technet, this is still the advice, but maybe this is old school now. I have been in IT for 20 years, so yep, old school!
0
Windows Server 2008

Question has a verified solution.