I'm currently in the process of migrating some shares. Using my AD account, I was able to navigate to a share and its subfolders. Looking at the NTFS permissions, I don't belong to any groups that grant "Full" rights. The only two groups that have "Full" rights are the local administrators (I am not a member) and the System.
Any way to determine exactly how I am able to get "Full" rights without being an explicit member of a group listed in the ACL?
Answer
"Full Control" allows you to do anything imaginable to the folder or its files, like delete them or fiddle with the ACLs. You don't need Full Control to navigate a folder or even to write to it. "List folder / read data" allows you to look around in the folder or read the contents of a file. (Which one it is depends on whether the object in question is a folder or a file.) "Create files / write data" and "Create folders / append data" allow you to do exactly what they say, but you can have that access without having Full Control.
Note that applications running with administrative privileges can use SeBackupPrivilege and SeRestorePrivilege to read or write anywhere (respectively), no matter what ACLs say. Read more about privileges at TechNet.
No comments:
Post a Comment