Another Permissions question

Just when I thought that I knew NTFS/Share permissions as well as I could, I ran into the following confusion.

I created a folder, called it Tester. I shared it with Everyone having Read access. I assigned Dan Full Control. So the EFFECTIVE share permission for Dan is Full Control (cumulative permissions). Configuring NTFS permissions, I gave Dan List Folder Contents permissions only. Admins have Full Control. Creator Owner has no permissions. Contoso/Users has Read and Execute, Read and List Folder contents permissions.

Next, I logged on to my member server as Dan. I make sure I navigate to the Tester folder using the UNC path. Within Tester, if Dan makes changes to the files/folders already in there, he's denied access. BUT, he's able to create folders/files and make any changes to those files/folders and delete them. WHY ???

Werent the NTFS permissions for Dan, List Folder Contents only. Most restrictive out of NTFS and Share should have applied. In addition, when I used the Effective Permissions tab for Dan, it comes up with Read, Read and Execute, List Folder Contents, Traverse Folders, Create Files/Append Data, Create Files. WHY ???

I checked for group memberships too, although Dan's a member of a few groups that are nested inside other groups, but none of the groups have any permissions to Tester. I am totally

Find more posts tagged with

Comments

royal

Is Dan an Administrator? Since Share is Full Control, if that user is a part of anything full control in NTFS, he'll have full control. That is of course not mixing in denys.

Essendon

Dan is not an administrator. I was logged in as the domain admin when I created the folder and the share. I also did a gpupdate, not that it would have mattered much. The user is not part of anything that has full control for that folder or of anything else for that matter.

I was thinking that perhaps since Contoso/Users has Read and Execute, Read and List Folder contents permissions, this is what is skewing the permissions. I also know that the Effective Permissions tab is not really effective since it doesnt take into the Share permsissions, only the NTFS permissions.

Perhaps, there is some kind of policy I inadvertently configured in one of my previous exercises....

Essendon

Anyone? This is still unresolved ( hope my last post didnt make people think this was resolved !)

Mishra

I like seeing these permission labs you are doing.

I would double check the Contoso/Users permissions because Dan is probably a member of this group which would give him that group's rights.

EDIT: Actually I would just remove this group's permissions instead and see if it has any effect on Dan's permissions.

Are you looking in the advance tab when looking at these permissions?

Sie

He would be given the permissions of the users and everyone group aswell.

However I cannot see what the permissions you have assigned to these would allow him to carry out the tasks you stated.

What does the effective permissions show however? As we know the Share permissions.

Are there any other groups in either the share or NTFS permissions?

royal

Run the following command:
DSQUERY USER -samid loginname | DSGET USER -memberof -expand

I want to make sure he's not a part of a group that's nested in another group that's getting the permission.

Essendon

I wrote about effective permissions when I started this thread. Effective permissions tab shows Read and Execute, List Folder Contents, Traverse Folders, Create Files/Append Data, Create Files. So this is telling me that what I am seeing IS correct but what I cannot figure out is why this is happening.

EDIT: Inheritance is not in use on this folder in question.

Sie, the Everyone group is not present in the NTFS tab. So it's just got Dan, Admins, Creator and Contoso/Users in it.

Gents, the other thing I could think of is that in one of the exercises, I made domain users members of the Print Operators group, just so that everyone could logon on to the DC. But this should not be of much consequence as users other Dan have their permissions behaving exactly the way I would expect them to.

Elan, I will try that dquery | dsget piping as soon as I get home from work.

P.S. Maybe this account is just cursed, maybe I create an account for a female user and see how I go with her!!

Essendon

I tried the dsquery | dsget command and it came up with a few groups. Then I removed Dan's memberships to all groups. So just barebones permissions to the tester folder. And it was behaving the way you would expect it to. So prolly the group memberships that was affecting it. Thank you for your help gents! Much appreciated.

Mishra

MobilTech wrote:

I tried the dsquery | dsget command and it came up with a few groups. Then I removed Dan's memberships to all groups. So just barebones permissions to the tester folder. And it was behaving the way you would expect it to. So prolly the group memberships that was affecting it. Thank you for your help gents! Much appreciated.

If you removed the group one by one then you could have seen which group specifically was creating the problem. Just a FYI.

Essendon

I thought if the same thing, Mishra. But I was doing this at about 1 am after a hard day's work and even harder 4 hours of studying. I thought bugger this, let's get rid of this altogether. But fair dinkum, you are right.