Tuesday, September 3, 2019

NTFS permissions explanation



I had asked the question below some time ago and it was answered. I logged in recently to refer back to it, only to find that all the answers had been removed. Did I do something wrong?



"I seem to be falling into this weird loop of permission problems. We have a file server and everyone has their user share and their department share. All is working well. The permissions are set to Modify for the Department or the User's personal share, not Full Control. Users have access to their folders but obviously cannot add others at root level because they do not have Full Control.



What I can't seem to understand is this: let's say user A creates a folder inside their personal share called XYZ (all users have their own shared folders), then goes to permissions and simply adds user B by searching Active Directory.



If User B needed access to that folder they would type \\SERVER\User A\ (which would be access denied, as they don't have access to the root folder). However, if User B typed \\SERVER\User A\XYZ they would be granted access, because User A permitted access to that folder at the NTFS permissions level.




How do I stop a user from creating a folder in their share and simply modifying the NTFS permissions to add another user and letting them get access with the absolute path?



It doesn't make any sense.



Windows Server 2008 R2 and 2008 Functional Level domain. The initial share was created on the server by a Domain Admin. User A is a local admin of their machine ONLY. User B is a standard user."


Answer



In your scenario above "User A" cannot add permissions to a \\SERVER\User A\XYZ folder unless something in the Access Control List (ACL) is granting "Full Control" permissions to "User A". Changing permissions is part of "Full Control" and, so long as "User A" has "Modify" permission only, they can't set permissions.



Being an "Administrator" of the client computer isn't going to give "User A" any special permissions on the SERVER machine. It does make me wonder, though, if "User A" has more rights on the "SERVER" machine than you think they do.




I'd investigate the "Effective Permissions" of "User A" on the folder you describe in your scenario. I strongly suspect you're going to find that they have "Full Control" permission.
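As an added example (not part of the original answer), the following PowerShell lists the ACL entries on the folder that actually confer the ability to rewrite its permissions, which is the check the answer suggests. The folder path is an assumption; the names "User A" and "XYZ" are taken from the question.

```powershell
# Added example: find who can change permissions on a folder.
# The path is an assumption; replace it with the folder from the question.
param(
    [string]$Path = '\\SERVER\User A\XYZ'
)

$acl = Get-Acl -LiteralPath $Path

# The object owner can always rewrite the DACL, whatever the ACEs say.
"Owner: {0}" -f $acl.Owner

# Rights that let a principal edit the ACL. "Modify" contains neither of them;
# "Full Control" contains both.
$rights = [System.Security.AccessControl.FileSystemRights]
$dacRights = $rights::ChangePermissions -bor $rights::TakeOwnership

# Keep only Allow entries that carry at least one of those bits.
# An identity such as CREATOR OWNER inherited from the share root is a common way
# the user who created a subfolder ends up with Full Control on it.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band [int]$dacRights) -ne 0
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited,
                  InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

If "User A" is the owner, or is a member of any identity listed, they can grant "User B" access to XYZ even though the share root only gives them "Modify"; entries whose FileSystemRights shows as a bare number use generic rights bits and should be inspected by hand.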

