We help IT Professionals succeed at work.

query about share and directory permissions which contain delete

132 Views
Last Modified: 2018-12-05
I am doing a review of permissions on a file server. There is a file share crated for a specific department for arguments sake we can say this is \\fileserver\department  - when analysing permissions, at share ACL the admin has granted the NT AUTHORITY\Authenticated Users 'Full' permissions, and on the directory ACL they have given NT AUTHORITY\Authenticated Users Read, Write, Execute and the concerning one being "Delete". These are taken from an MBSA scan of the server.

Within \\fileserver\department\ there are numerous sub-directories, e.g. \\fileserver\department\team1 \\fileserver\department\team2 - a quick scan of permissions set at this child levels show they don't inherit the permissions set at \\fileserver\department - which is good from a data security perspective, as they are configured in such a way that they restrict access to only specific groups.

Where my concern is, that I am trying to determine if I am correct or not to be alarmed, is if NT AUTHORITY\Authenticated Users has delete permissions at the root level, e.g.  \\fileserver\department  level – could they just delete the sub-directories, e.g \\fileserver\department\team1 \\fileserver\department\team2 - or not? Does the fact the permissions on folders such as \\fileserver\department\team1 are more restrictive make my concerns that the NT AUTHORITY\Authenticated Users group has delete permissions at the root level less of an issue.
Comment
Watch Question

NVITEnd-user support
CERTIFIED EXPERT

Commented:
Try renaming one of the Team folders. If it works, they can delete it
Principal Support Engineer
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION

Author

Commented:
In a sample subfolder that group didnt seem to have delete which is why it seemed odd to grant it at the root folder.
DrDave242Principal Support Engineer
CERTIFIED EXPERT

Commented:
It seems a little odd, but someone may have configured it that way for a reason. Or maybe those permissions were initially assigned on all of the subfolders as well until someone decided that wasn't a good idea and disabled inheritance on them. Can't really say at this point.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions