query about share and directory permissions which contain delete

I am doing a review of permissions on a file server. There is a file share crated for a specific department for arguments sake we can say this is \\fileserver\department  - when analysing permissions, at share ACL the admin has granted the NT AUTHORITY\Authenticated Users 'Full' permissions, and on the directory ACL they have given NT AUTHORITY\Authenticated Users Read, Write, Execute and the concerning one being "Delete". These are taken from an MBSA scan of the server.

Within \\fileserver\department\ there are numerous sub-directories, e.g. \\fileserver\department\team1 \\fileserver\department\team2 - a quick scan of permissions set at this child levels show they don't inherit the permissions set at \\fileserver\department - which is good from a data security perspective, as they are configured in such a way that they restrict access to only specific groups.

Where my concern is, that I am trying to determine if I am correct or not to be alarmed, is if NT AUTHORITY\Authenticated Users has delete permissions at the root level, e.g.  \\fileserver\department  level – could they just delete the sub-directories, e.g \\fileserver\department\team1 \\fileserver\department\team2 - or not? Does the fact the permissions on folders such as \\fileserver\department\team1 are more restrictive make my concerns that the NT AUTHORITY\Authenticated Users group has delete permissions at the root level less of an issue.
LVL 4
pma111Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NVITEnd-user supportCommented:
Try renaming one of the Team folders. If it works, they can delete it
DrDave242Senior Support EngineerCommented:
if NT AUTHORITY\Authenticated Users has delete permissions at the root level, e.g.  \\fileserver\department  level – could they just delete the sub-directories, e.g \\fileserver\department\team1 \\fileserver\department\team2 - or not?

Permissions can be configured to apply in a number of different ways:

Settings for applying permissions
So, applying permissions to a folder doesn't necessarily grant that permission to subfolders (although "This folder, subfolders, and files" is the default setting). If you look at the permissions of one of those subfolders, does Authenticated Users have Delete permission?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
In a sample subfolder that group didnt seem to have delete which is why it seemed odd to grant it at the root folder.
DrDave242Senior Support EngineerCommented:
It seems a little odd, but someone may have configured it that way for a reason. Or maybe those permissions were initially assigned on all of the subfolders as well until someone decided that wasn't a good idea and disabled inheritance on them. Can't really say at this point.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.