Monday, September 10, 2018

windows server 2003 - Child Folder inheriting a permission that parent folder does not have (NTFS)



I'm reconfiguring roaming profiles on my network to use proper NTFS security settings according to this article. I have reset the following permissions on the roaming profile parent folder:





  • CREATOR OWNER, Full Control, Subfolders and files only
  • User group with profiles, List folder, Create folders, This folder only
  • System, Full Control, This folder, subfolders, and files



Then I select one of the actual roaming profile folders and follow these steps to fix the NTFS settings:




  • Click Security, Advanced
  • Uncheck "Allow inheritable permissions..."
  • Choose "Remove..."
  • Recheck "Allow inheritable permissions..."
  • Click "Apply"



After I choose apply, I get the following permissions listed on the roaming profile folder:




  • Administrators (MYDOMAIN\Administrators) Full Control, This folder only
  • CREATOR OWNER, Full Control, Subfolders and files only
  • System, Full Control, This folder, subfolders, and files



Where is the Administrators entry coming from!? There is an entry on the root of the drive for Administrators to have full control, but the Roaming Profile Parent folder is not set to inherit any permissions, and it does not have the administrators permission.


Answer



It appears the problem was coming from my misunderstanding of the "CREATOR OWNER" permission. This "account" does not map to an SID; rather, it is a permission that tells the OS "when a new item is created in this folder, grant these permissions to the creator/owner". Because I was creating the account with an administrators user, it caused the permissions to follow.
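An added example (not part of the original question or answer): a simplified Python model of how a new subfolder's ACL is derived from the parent ACEs listed in the question, showing where the Administrators entry comes from. The `Ace` class, the flag names and the assumption that the folder's owner is the `MYDOMAIN\Administrators` group are illustrative, not Windows code.

```python
from dataclasses import dataclass

# ACE inheritance flags: object-inherit, container-inherit, no-propagate, inherit-only
OI, CI, NP, IO = 0x1, 0x2, 0x4, 0x8
CREATOR_OWNER = "CREATOR OWNER"  # well-known placeholder SID S-1-3-0

@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str
    flags: int = 0

def applies_to(flags):
    """Render flags the way the Advanced Security dialog labels the scope."""
    parts = [] if flags & IO else ["this folder"]
    parts += ["subfolders"] if flags & CI else []
    parts += ["files"] if flags & OI else []
    if len(parts) == 3:
        return "This folder, subfolders, and files"
    only = " only" if (flags & IO or len(parts) == 1) else ""
    return " and ".join(parts).capitalize() + only

def inherit_to_subfolder(parent_acl, owner):
    """ACEs a newly created subfolder inherits; owner is the new folder's owner."""
    child = []
    for ace in parent_acl:
        if not ace.flags & (CI | OI) or (ace.flags & NP and not ace.flags & CI):
            continue  # "This folder only", or OI+NP which reaches files only
        keep = 0 if ace.flags & NP else ace.flags & (CI | OI)
        effective = bool(ace.flags & CI)  # a CI ACE takes effect on the subfolder
        if ace.trustee == CREATOR_OWNER:
            if effective:  # placeholder is replaced by the actual owner
                child.append(Ace(owner, ace.rights, 0))
            if keep:       # generic copy stays, inherit-only, for deeper levels
                child.append(Ace(CREATOR_OWNER, ace.rights, keep | IO))
        else:
            child.append(Ace(ace.trustee, ace.rights, keep if effective else keep | IO))
    return child

# Constructed input: the parent-folder ACL from the question.
PARENT = [
    Ace(CREATOR_OWNER, "Full Control", CI | OI | IO),
    Ace("User group with profiles", "List folder, Create folders", 0),
    Ace("System", "Full Control", CI | OI),
]
OWNER = r"MYDOMAIN\Administrators"  # assumption: folder created by an admin account

def describe(acl):
    return [f"{a.trustee}, {a.rights}, {applies_to(a.flags)}" for a in acl]
if __name__ == "__main__":
    print("\n".join(describe(inherit_to_subfolder(PARENT, OWNER))))
```

Passing a user account as `owner` instead yields a "This folder only" entry for that user, which is the result the roaming-profile layout is meant to produce.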

