kt3z asked:

Users can create folders or files but the permission is set to "list folder"

root
  • group X can list folder - this folder only

level 1 folder
  • group X can list folder - this folder only
  • group X can modify - subfolders and files only

Users (not admin) of Group X should not be able to create a folder or a file at level 1, but they can. They can even create folders or files from the root. I checked all permissions. Only the administrators have rights.

But they can't delete the folders or files they don't create.

The file server is Windows 2016. The share drive gives full permission to all users (testing purpose, not final) but NTFS should take over.



Thanks
Cliff Galiher

I cannot reproduce this behavior in my 2016 lab, so this isn't a widespread bug. It may be a niche case caused by something not listed in your description. Or it may be a permission setting you overlooked. I'd start with the Effective Permissions tab to troubleshoot. It is an often overlooked tool.
kt3z (ASKER)

Thanks. Effective permissions shows the user (member of the group) can create folders and files, but cannot delete. If I remove full permission from the share, the user can't create folders and files, but he can't create them no matter the NTFS permission, even FULL permissions (NTFS).

I'm sure I'm missing something... but what?
What you describe regarding share permissions is perfectly expected. Leaving share permissions open is fine. Many sysadmins do, and only use NTFS to add restrictions.

Use the effective permissions to view NTFS permissions; don't worry about share permissions. That create permission is coming from somewhere and the effective permissions can tell you. Inherited, direct, etc.
kt3z (ASKER)

Thanks, I was beginning to think I was wrong all those years :) And maybe I was; I didn't bother that much when users were creating every now and then a folder where they shouldn't have. But I still felt that there was one aspect missing, as to why on earth the users can create / append folders and files. I allow LIST FOLDER CONTENT, which should allow the user to list the folders or read a file. But I don't apply DENY to create at that level. I guess the share full permission takes over here. So NTFS applies a permission specifying a user can list folders and read a file. But I don't keep those users from creating a folder or a file. The share full permission allows the users to do that.

Is that correct?
No. Share permissions never supersede NTFS permissions. So an effective NTFS permission is coming from somewhere. And it isn't just because of a share permission. Share permissions really only exist because of legacy FAT filesystems that didn't have advanced ACLs when SMB as a protocol was first spec'd. But they operate independently. They cannot suddenly grant a permission on the file system that the file system doesn't itself allow.
kt3z (ASKER)

Ok, but it doesn't really supersede NTFS permissions, it just fills a gap, doesn't it? LIST FOLDERS does not allow folder and file creation, but it does not deny it. Well, I agree with you about the share. But I don't understand why users can create folders and files unless I use deny.
[Attachment: ntfs.png]
No, it doesn't fill in a gap. That create folders permission is actively coming from somewhere on an NTFS level. Shares have NOTHING to do with it.
kt3z (ASKER)

I attached a picture on my previous reply. Can server or local user group cause this? But the domain users are not members of the local groups.
ASKER CERTIFIED SOLUTION
Cliff Galiher
This solution is only available to members.
kt3z (ASKER)

You really hit the nail on the head, Cliff! Thanks a lot. The domain users were members of the local Users group.

Thanks again :)
kt3z (ASKER)

Great find
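
The troubleshooting path this thread ends on (find which NTFS entry grants the create right, then check who is in that local group) can be scripted. This is an added example, not code from the thread or its participants; it is meant to be run in an elevated PowerShell session on the file server, and `D:\Share\Level1` is a placeholder path.

```powershell
# Added example: list the NTFS ACEs that allow creating files/folders on a
# directory, then expand any local group among the trustees.
# 'D:\Share\Level1' is a placeholder path, not a value from the thread.
param([string]$Path = 'D:\Share\Level1')

# Specific create rights, plus the generic bits that also imply them.
$createMask  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
$genericMask = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Get-CreateGrantingAce {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $createMask) -or
             ([int]$_.FileSystemRights -band $genericMask))
        } |
        # IsInherited shows whether the ACE is direct or comes from a parent;
        # the two flag columns show what it applies to (this folder, children).
        Select-Object IdentityReference, FileSystemRights, IsInherited,
                      InheritanceFlags, PropagationFlags
}

$aces = Get-CreateGrantingAce -Path $Path
$aces | Format-Table -AutoSize

# Only BUILTIN\ and <ServerName>\ trustees can be local groups on this server.
$localPrefix = '^(BUILTIN|{0})\\' -f [regex]::Escape($env:COMPUTERNAME)

$aces | ForEach-Object { $_.IdentityReference.Value } |
    Where-Object { $_ -match $localPrefix } |
    Sort-Object -Unique |
    ForEach-Object {
        $group = Get-LocalGroup -Name ($_.Split('\')[-1]) -ErrorAction SilentlyContinue
        if ($group) {
            "Members of local group '$_' (each inherits the ACEs listed above):"
            # PrincipalSource distinguishes local accounts from domain groups
            # such as Domain Users that were added to the local group.
            Get-LocalGroupMember -Group $group |
                Select-Object Name, ObjectClass, PrincipalSource |
                Format-Table -AutoSize
        }
    }
```

A domain group appearing under a local group such as `BUILTIN\Users` means every member of that domain group receives whatever that local group is granted on the folder, regardless of the share permission.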