r042wal | Participant | February 27, 2019 at 6:59 am | #614615
I have a folder called ‘scanned’ that is shared. Share permissions full access for everyone. Folder security is full access for everyone.
I created user folders under scanned. Each subfolder has inherited permissions disabled. Permissions for subfolders are system, administrator and the folder owner's account. All have full access. Any other groups, like authenticated users or domain users, have been deleted.
The problem is one user can look at the contents of another user's folder. I tried to explicitly deny one user in another user's folder but they can still browse the folder.
I discovered a previous IT company had made all users members of the Domain Admin group. I removed all the users from this group.
I created a new shared folder called ‘test’ and created two subfolders for two users. I protected the subfolders as above and even went so far as to deny one user from accessing the other user's folder but they can still browse the denied folder.
I am at a loss. Did access control get broken by everyone being domain admin? This is a Server 2016 Standard box. Thanks in advance.
Blood | Moderator | February 27, 2019 at 10:55 am | #614631
I would audit your permissions using Sysinternals’ AccessEnum and ShareEnum. At the very least it will give you an idea of how everything is configured from the root down. You can export the Users node data from AD, or depending on the size of your directory, manually check all group membership against the results of AccessEnum and ShareEnum to identify any possible misconfiguration.
JeremyW | Moderator | February 27, 2019 at 11:24 am | #614633
I agree with Blood. Run those checks. Also check the local administrator group membership on the file server.
And… remove full control from the root. Users only need read access. With full control they can take ownership and change permissions on the subfolders.
r042wal | Participant | February 28, 2019 at 8:03 am | #614697
Thank you for the feedback. The domain users were not in the local admin group. I will run the SysInternals utilities this weekend and see what’s configured.
JeremyW | Moderator | March 1, 2019 at 2:35 pm | #614775
Did you remove Full Control permissions from the root folder? Everyone needs read on the root, then set permissions as you desire on the subfolders as you indicated.
- Share permissions: Everyone Full Control
- NTFS permission on shared folder: Everyone Read, admins full control
- NTFS permissions on subfolders: grant as you specified.
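One way to check a share against the layout recommended in this thread, as an added example that is not part of any poster's reply: it flags non-admin principals who can rewrite ACLs at the root, subfolders that still inherit, and subfolders readable by more than one non-admin account. The path `D:\scanned` is an assumed placeholder, and the well-known account names assume an English-language install.

```powershell
# Added example. $Root is an assumed local path; $Share is the share name from the thread.
$Root  = 'D:\scanned'
$Share = 'scanned'

# WRITE_DAC (0x40000), WRITE_OWNER (0x80000), GENERIC_ALL (0x10000000):
# any of these lets the holder rewrite the ACLs of the subfolders.
$aclControl = 0x40000 -bor 0x80000 -bor 0x10000000
# Principals expected to hold Full Control (English-language names).
$admins = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function Get-NonAdminAllowAce {
    param($Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $admins
    }
}

function New-Finding {
    param($Path, $Identity, $Issue)
    [pscustomobject]@{ Path = $Path; Identity = $Identity; Issue = $Issue }
}

$findings = @()

# Root: non-admin principals should hold read access only.
foreach ($ace in Get-NonAdminAllowAce (Get-Acl -LiteralPath $Root)) {
    if (([int]$ace.FileSystemRights -band $aclControl) -ne 0) {
        $findings += New-Finding $Root $ace.IdentityReference.Value 'can change permissions or take ownership at the root'
    }
}

# Subfolders: inheritance disabled and a single non-admin principal (the folder's user).
foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    if (-not $acl.AreAccessRulesProtected) {
        $findings += New-Finding $dir.FullName '-' 'inheritance is still enabled'
    }
    $users = @(Get-NonAdminAllowAce $acl | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    if ($users.Count -gt 1) {
        $findings += New-Finding $dir.FullName ($users -join ', ') 'more than one non-admin principal has access'
    }
}
$findings | Format-Table -AutoSize -Wrap

# Anyone listed here, directly or through a nested group such as Domain Admins,
# matches the Administrators ACE on every subfolder.
Get-LocalGroupMember -Group 'Administrators'
Get-SmbShareAccess -Name $Share
```

Group membership changes apply only to access tokens issued afterwards, so a user removed from a group keeps the old access until they log off and on again.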