Unable to protect shared folder


This topic contains 4 replies, has 3 voices, and was last updated by JeremyW 5 months, 3 weeks ago.


    I have a folder called ‘scanned’ that is shared. Share permissions full access for everyone. Folder security is full access for everyone.


    I created user folders under scanned. Each subfolder has inherited permissions disabled. Permissions for the subfolders are system, administrator and the folder owner's account. All have full access. Any other groups have been deleted, like authenticated users or domain users.


    The problem is one user can look at the contents of another user's folder. I tried to explicitly deny one user in another user's folder but they can still browse the folder.


    I discovered a previous IT company has made all users members of the Domain Admin group. I removed all the users from this group.


    I created a new shared folder called ‘test’ and created two subfolders for two users. I protected the subfolders as above and even went so far as to deny one user from accessing the other user's folder but they can still browse the denied folder.


    I am at a loss. Did access control get broken by everyone being domain admin? This is a Server 2016 Standard box. Thanks in advance.


    I would audit your permissions using Sysinternals’ AccessEnum and ShareEnum. At the very least it will give you an idea of how everything is configured from the root down. You can export the Users node data from AD, or depending on the size of your directory, manually check all group membership against the results of AccessEnum and ShareEnum to identify any possible misconfiguration.





    I agree with Blood. Run those checks. Also check the local administrator group membership on the file server.

    And… remove full control from the root. Users only need read access. With full control they can take ownership and change permissions on the subfolders.


    Thank you for the feedback. The domain users were not in the local admin group. I will run the SysInternals utilities this weekend and see what’s configured.


    Did you remove Full Control permissions from the root folder? Everyone needs read on the root, then set permissions as you desire on the subfolders as you indicated.

    • Share permissions: Everyone Full Control
    • NTFS permission on shared folder: Everyone Read, admins full control
    • NTFS permissions on subfolders: grant as you specified.
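
The layout from the last reply, applied with `icacls` and then audited, as an added example that is not part of the thread. The path `D:\Shares\scanned`, the domain `CONTOSO` and the users `alice` and `bob` are assumed placeholders, and `Get-ADGroupMember` assumes the ActiveDirectory module is installed.

```powershell
# Added example. Assumed placeholders: path, domain and user names.
$Root   = 'D:\Shares\scanned'
$Domain = 'CONTOSO'
$Users  = 'alice', 'bob'

# Share permissions: Everyone Full Control (the NTFS ACLs do the filtering).
Grant-SmbShareAccess -Name 'scanned' -AccountName 'Everyone' -AccessRight Full -Force

# Root folder: admins and SYSTEM full control, Everyone read on this folder
# only (no OI/CI flags, so the ACE does not flow down). Grant first, then
# drop inherited ACEs, so the folder is never left without an admin ACE.
icacls $Root /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'Everyone:(RX)'
icacls $Root /inheritance:r

# Per-user subfolders: inheritance disabled; SYSTEM, Administrators and the
# owning user only, as described in the original post.
foreach ($u in $Users) {
    $dir = Join-Path $Root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' "$Domain\${u}:(OI)(CI)F"
    icacls $dir /inheritance:r
}

# Audit 1: any ACE on a subfolder that is not one of the three expected
# identities (assumes each folder is named after its owner's account).
foreach ($dir in Get-ChildItem $Root -Directory) {
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$Domain\$($dir.Name)"
    (Get-Acl $dir.FullName).Access |
        Where-Object { $_.IdentityReference.Value -notin $expected } |
        Select-Object @{ n = 'Folder'; e = { $dir.FullName } },
                      IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Audit 2: everyone listed here gets full control through the Administrators
# ACE, whatever the per-user ACEs say.
Get-LocalGroupMember -Group 'Administrators'
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName
```

Group membership is evaluated at logon, so a user removed from Domain Admins keeps that access in any session opened before the change; retest after they sign out and back in.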