Unable to protect shared folder

This topic contains 4 replies, has 3 voices, and was last updated by JeremyW 9 months, 2 weeks ago.

    r042wal
    Participant
    #614615

    I have a folder called ‘scanned’ that is shared. Share permissions are full access for everyone. Folder security is full access for everyone.

    I created user folders under scanned. Each sub folder has inherited permissions disabled. Permissions for the sub folders are system, administrator and the folder owner's account. All have full access. Any other groups, like authenticated users or domain users, have been deleted.

    The problem is that one user can look at the contents of another user's folder. I tried to explicitly deny one user in another user's folder but they can still browse the folder.

    I discovered that a previous IT company made all users members of the Domain Admin group. I removed all the users from this group.

    I created a new shared folder called ‘test’ and created two sub folders for two users. I protected the sub folders as above and even went so far as to deny one user from accessing the other user's folder but they can still browse the denied folder.

    I am at a loss. Did access control get broken by everyone being domain admin? This is a Server 2016 Standard box. Thanks in advance.

    Blood
    Moderator
    #614631

    I would audit your permissions using Sysinternals’ AccessEnum and ShareEnum. At the very least it will give you an idea of how everything is configured from the root down. You can export the Users node data from AD, or depending on the size of your directory, manually check all group membership against the results of AccessEnum and ShareEnum to identify any possible misconfiguration.

    https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum

    https://docs.microsoft.com/en-us/sysinternals/downloads/shareenum

    JeremyW
    Moderator
    #614633

    I agree with Blood. Run those checks. Also check the local administrator group membership on the file server.

    And… remove full control from the root. Users only need read access. With full control they can take ownership and change permissions on the subfolders.

    r042wal
    Participant
    #614697

    Thank you for the feedback. The domain users were not in the local admin group. I will run the SysInternals utilities this weekend and see what’s configured.

    JeremyW
    Moderator
    #614775

    Did you remove Full Control permissions from the root folder? Everyone needs read on the root, then set permissions as you desire on the subfolders as you indicated.

    • Share permissions: Everyone Full Control
    • NTFS permission on shared folder: Everyone Read, admins full control
    • NTFS permissions on subfolders: grant as you specified.
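
The layout recommended in the thread (read-only root, subfolders with inheritance disabled and access only for SYSTEM, Administrators and the owner, plus a check of local Administrators membership) can be audited with a script. The PowerShell below is an added example, not code posted by any participant; the function name `Test-ShareLayout`, the convention that each subfolder is named after its owner's account, and the `D:\scanned` and `CONTOSO` values are hypothetical.

```powershell
# Added example: read-only audit of the layout described in the thread.
# Assumptions: each subfolder is named after its owner's sAMAccountName,
# built-in account names are the English ones, and the function name,
# path and domain used here are hypothetical.
function Test-ShareLayout {
    param(
        [Parameter(Mandatory)][string]$Root,    # local path of the shared folder
        [Parameter(Mandatory)][string]$Domain   # NetBIOS domain name
    )
    $admins   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    $readOnly = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
    $report   = { param($p, $i, $m) [pscustomobject]@{ Path = $p; Identity = $i; Issue = $m } }

    # Root: a non-admin Allow ACE with any bit beyond read lets users
    # take ownership or change permissions on the subfolders.
    foreach ($ace in (Get-Acl -LiteralPath $Root).Access) {
        $id    = $ace.IdentityReference.Value
        $extra = [int]$ace.FileSystemRights -band (-bnot $readOnly)
        if ($ace.AccessControlType -eq 'Allow' -and $id -notin $admins -and $extra -ne 0) {
            & $report $Root $id "root grants more than read: $($ace.FileSystemRights)"
        }
    }

    # Subfolders: inheritance must be off, and only SYSTEM, Administrators
    # and the owning account should hold an Allow ACE.
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl     = Get-Acl -LiteralPath $dir.FullName
        $allowed = $admins + "$Domain\$($dir.Name)"
        if (-not $acl.AreAccessRulesProtected) {
            & $report $dir.FullName '(inheritance)' 'inheritance is still enabled'
        }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $id -notin $allowed) {
                & $report $dir.FullName $id "unexpected grant: $($ace.FileSystemRights)"
            }
        }
    }

    # Every member listed here passes the ACLs above through BUILTIN\Administrators.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        & $report '(local Administrators)' $m.Name 'review: admin-level access to every folder'
    }
}

# Usage with placeholder values, run in an elevated session on the file server:
# Test-ShareLayout -Root 'D:\scanned' -Domain 'CONTOSO' | Format-Table -AutoSize
```

The function only reads ACLs and group membership; it changes nothing on disk.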