
Accessing folders owned by another user?

Posted by Linn Kubler on December 6, 2007, 1:46 pm
Hi,

I have a user who was going into the security tab of folders in a public
folder and turning off the inherit from parent checkbox and then selecting
remove to block people from seeing her files. Kind of dumb since she could
simply put the files in her home folder, but I digress.

To stop this I took away everyone's full control rights which I assumed
would work. It seems to have worked at some level, however, I found today
that she created a subfolder and did the same thing. Looking into it now I
see that everyone still has the rights to turn off inheritance on objects
they own.

I have three questions, is my observation correct, should a user without
full control of a folder they own be able to turn off inheritance?

If so, is it possible to stop this and how?

Lastly, is there any way I can gain access to this folder without having her
password or changing the ownership of the directory? Is it possible to give
the administrator's account equivalent file rights of a user or group? I
don't want to tip her hand yet that I'm on to her.

Thanks in advance,
Linn



Posted by Anthony on December 6, 2007, 4:36 pm
Linn,
- Does the folder have Creator-Owner permissions?
- You can make the Share permissions Change instead of Full to remove the
ability to change permissions over the network,
Anthony, http://www.airdesk.com




Posted by Linn Kubler on December 12, 2007, 10:09 am
Hi Anthony,

This seems like a dumb question but where do I set the Creator-Owner
permissions?

Ah, yes, I think that might do it in the future. I changed the share
permissions to only Change and Read and removed Full Control from the
Everyone group. Now when I create a folder on that share as a standard user
I cannot change the security rights, the Allow Inheritable permissions check
box is greyed out. I think that should be perfect.

As the only administrator and de facto security officer I want all file
access are rights changes to go through me.

Thanks,
Linn




Posted by Al Dunbar on December 6, 2007, 8:02 pm

> Hi,
>
> I have a user who was going into the security tab of folders in a public
> folder and turning off the inherit from parent checkbox and then selecting
> remove to block people from seeing her files.

Regardless of the actual NTFS ownership, they are not *her* files if they
are located where your standards say people are to store shared files.

> Kind of dumb since she could simply put the files in her home folder,
> but I digress.
>
> To stop this I took away everyone's full control rights which I assumed
> would work. It seems to have worked at some level, however, I found today
> that she created a subfolder and did the same thing. Looking into it now
> I see that everyone still has the rights to turn off inheritance on
> objects they own.
>
> I have three questions, is my observation correct, should a user without
> full control of a folder they own be able to turn off inheritance?

Ultimately, an owner can do whatever it wants. This is what you would do as
administrator to recover access to a folder that someone screwed up by
mistake: take ownership (you can because you are an administrator), change
permissions (because you are owner).

> If so, is it possible to stop this and how?
>
> Lastly, is there any way I can gain access to this folder without having
> her password or changing the ownership of the directory? Is it possible
> to give the administrator's account equivalent file rights of a user or
> group? I don't want to tip her hand yet that I'm on to her.

You are not "on to her", as her actions do not imply that she is blocking
access to some files to hide some illegal activity. Depending on the
published policies of your organization, your bypassing security (!) to
access a user's files without her knowledge could be actionable without
probable cause, so I would be careful if I were you.

/Al

> Thanks in advance,
> Linn
>
>
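
Added example, not part of any post in this thread: a PowerShell audit that walks a shared tree and reports every folder whose ACL has inheritance turned off, with its owner and the explicit entries left on it, so the administrator can review such changes. The `$Root` path and the function name `Get-InheritanceBreak` are assumptions, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: list folders whose ACL no longer inherits from the parent.
# $Root and the function name are assumptions, not values from the thread.
param([string]$Root = 'D:\Shares\Public')   # placeholder path

function Get-InheritanceBreak {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
                if ($acl.AreAccessRulesProtected) {
                    # Inheritance is off: report the owner and the explicit entries left behind
                    $explicit = $acl.Access |
                        Where-Object { -not $_.IsInherited } |
                        ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }
                    [pscustomobject]@{
                        Path     = $dir.FullName
                        Status   = 'InheritanceDisabled'
                        Owner    = $acl.Owner
                        Explicit = $explicit -join '; '
                    }
                }
            }
            catch {
                # The ACL could not be read at all, which happens when the
                # auditing account was removed from the folder's permissions.
                [pscustomobject]@{
                    Path     = $dir.FullName
                    Status   = 'AclUnreadable'
                    Owner    = $null
                    Explicit = $_.Exception.Message
                }
            }
        }
}

Get-InheritanceBreak -Path $Root | Sort-Object Path | Format-List
```

Folders reported as `AclUnreadable` are the ones where the auditing account can no longer read the permissions at all.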



Posted by bogus on December 6, 2007, 9:09 pm

There are also third-party utilities that allow you to "give" ownership
back to the user after you are done doing your thing (supposedly you
aren't supposed to be able to do this, but...)
