kt3z
Users can create folders or files but permission is set to "list folder"
root
- group X can list folder - this folder only
level 1 folder
- group X can list folder - this folder only
- group X can modify - subfolders and files only
Users (not admin) of Groups X should not be able to create a folder or a file at level 1 but they can. They even can create folders or files from the root. I checked all permissions. Only the administrators have rights.
But they can't delete the folders or files they don't create.
The file server is Windows 2016. The share drive gives full permission to all users (testing purpose not final) but NTFS should take over.
Thanks
I cannot reproduce this behavior in my 2016 lab, so this isn't a widespread bug. It may be a niche case caused by something not listed in your description. Or it may be a permission setting you overlooked. I'd start with the Effective Permissions tab to troubleshoot. It is an often overlooked tool.
ASKER
Thanks, effective permissions shows the user (member of the group) can create folders and files, but cannot delete. If I remove full permission from the share the user can't create folders and files, but he can't create it no matter the NTFS permission, even FULL permissions (NTFS).
I'm sure I'm missing something... but what ?
What you describe regarding share permissions is perfectly expected. Leaving share permissions open is fine. Many sysadmins do, and only use NTFS to add restrictions.
Use the effective permissions to view NTFS permissions; don't worry about share permissions. That create permission is coming from somewhere and the effective permissions can tell you. Inherited, direct, etc.
ASKER
Thanks, I was beginning to think I was wrong all those years :) And maybe I was, I didn't bother that much when users were creating every now and then a folder where they shouldn't have. But I still felt that there was one aspect missing, as to why on earth the users can create / append folders and files. I allow LIST FOLDER CONTENT, which should allow the user to list the folders or read a file. But I don't apply DENY to create at that level. I guess the share full permission takes over here. So NTFS applies a permission specifying a user can list folders and read a file. But I don't keep those users from creating a folder or a file. The share full permission allows the users to do that.
Is that correct?
No. Share permissions never supersede NTFS permissions. So an effective NTFS permission is coming from somewhere. And it isn't just because of a share permission. Share permissions really only exist because of legacy FAT filesystems that didn't have advanced ACLs when SMB as a protocol was first spec'd. But they operate independently. They cannot suddenly grant a permission on the file system that the file system doesn't itself allow.
ASKER
Ok, but it does not really supersede NTFS permissions, it just fills a gap, doesn't it? LIST FOLDERS does not allow folder and file creation, but it does not deny it. Well, I agree with you about the share. But I don't understand why users can create folders and files unless I use deny.
ntfs.png
No, it doesn't fill in a gap. That create folders permission is actively coming from somewhere on an NTFS level. Shares have NOTHING to do with it.
ASKER
I attached a picture on my previous reply. Can server ur local user group cause this? But the domain users are not members of the local groups.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
You really hit the nail on the head, Cliff! Thanks a lot. The domain users were members of the local users group.
Thanks again :)
ASKER
Great find
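The thread ends with the create right traced to the server's local Users group, which contained the domain users. The script below is an added example, not code from the thread: it lists every Allow ACE on a folder that carries a create right and, for built-in local groups, who is inside them. It assumes Windows PowerShell 5.1 run on the file server itself; `D:\Share` is a placeholder path and `Get-CreateAce` is a hypothetical helper name.

```powershell
# Added example (not from the thread). $Path is a placeholder for the shared folder.
param([string]$Path = 'D:\Share')

# Access-mask bits that let a principal create files or folders in a directory:
#   0x2        CreateFiles / WriteData
#   0x4        CreateDirectories / AppendData
#   0x40000000 GENERIC_WRITE, 0x10000000 GENERIC_ALL (seen on some inherit-only ACEs)
# Write, Modify and FullControl all include 0x2 and 0x4, so they match as well.
$createMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-CreateAce {
    # Returns the Allow ACEs on $Path whose rights overlap the create mask.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $createMask) -ne 0
    }
}

foreach ($ace in Get-CreateAce -Path $Path) {
    # Work with the SID so the check does not depend on localized group names.
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])

    # S-1-5-32-* are the server's built-in local groups (BUILTIN\Users is S-1-5-32-545).
    # Their membership is local to the server and can include domain groups.
    $members = $null
    if ($sid.Value -like 'S-1-5-32-*') {
        $members = (Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue).Name -join '; '
    }

    [pscustomobject]@{
        Identity          = $ace.IdentityReference.Value
        Rights            = $ace.FileSystemRights
        Inherited         = $ace.IsInherited   # True: fix it on the parent, not here
        AppliesTo         = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        LocalGroupMembers = $members
    }
}
```

Run it against the root and the level 1 folder in turn; any row whose `Identity` or `LocalGroupMembers` includes a group the test user belongs to is a source of the create right.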