
NTFS permission problem

Posted by OM on November 30, 2006, 3:57 pm
Hi,

I am not sure if this is a bug or I am overlooking something. I am
finding this inconsistency in the NTFS permissions on my file server.

I have a share folder on my file server and all folders underneath it
inherit permissions from this parent folder. I assigned a group (just
call it user_group for the time being) with modify NTFS permission
(disabled read permission) on this folder and also disabled read
permissions, change permissions and take ownership for the creator owner
group on this folder. The users\domain entry was also removed from the
ACL. I logged in using one of the member accounts in the user_group and
created a folder in the share folder. When I looked at the NTFS
permissions from that workstation (which I should not be able to do as I
took out the read permission from both the creator owner and user_group
entries), both the creator owner and user_group show read permission,
change permission and take ownership being disabled. Although I was not
able to change permissions and take ownership, I was able to read the
NTFS permissions. I checked the effective permission setting of that user
account and it shows that it has full permission.

Has anyone experienced a similar problem before? My intention is to set up a
share folder so that users cannot change/read permissions and take
ownership even if they are the folder owner.

Thanks

Posted by acchong on November 30, 2006, 4:44 pm
Is the account that you use for testing a member of the local administrator
or domain admin group? If a user is a member of the local administrator and
domain admin group, he will still be able to read permissions even if
you had set deny read permission for his account on the folder.




Posted by OM on December 1, 2006, 11:27 am
acchong wrote:
> Is the account that you use for testing a member of local administrator
> or domain admin group. If a user is a member of local administrator and
> domain admin group, he will still be able to read permission even if
> you had set deny read permission for his account on the folder.
>

The test account is just a regular user. He is neither a member of the
local administrator nor the domain administrator group.

Posted by Roger Abell [MVP] on November 30, 2006, 6:28 pm
I could not follow your description to determine the precise ACL as
set on the parent, hence I cannot comment on the result.

There is no way to prevent an owner from altering permissions
except by making them no longer owner.

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4



Posted by OM on December 1, 2006, 11:32 am
Roger Abell [MVP] wrote:
> I could not follow your description to determine the precise ACL as
> set on the parent, hence I cannot comment on the result.
>
> There is no way to prevent an owner from altering permissions
> except by making them no longer owner.
>

Actually, the owner is not able to change permissions if I remove that
right from the creator owner on the parent folder and apply the
"replace permission entries on all child objects with entries shown here
that apply to child objects". But the user can still read permissions
even if I disabled that on the creator owner group as well as the group
he is in. When I looked at the effective permissions of the user
for the folder (created by this user), he does have read and change
permissions.
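
The owner behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of the Windows access check, in which the object's owner is granted READ_CONTROL ("read permissions") and WRITE_DAC ("change permissions") before the DACL is consulted. The SIDs, the DACL and the `rights` helper are constructed assumptions (the thread never gives the exact ACL), and the OWNER RIGHTS SID added in later Windows versions is not modelled.

```python
# Simplified model of the Windows access check, added for illustration.
# Access-mask bits are the real Win32 values; the SIDs are constructed names.
READ_CONTROL = 0x00020000  # "Read permissions"
WRITE_DAC = 0x00040000     # "Change permissions"
WRITE_OWNER = 0x00080000   # "Take ownership"
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE = 0x00010000
MODIFY_LIKE = FILE_READ_DATA | FILE_WRITE_DATA | DELETE  # stand-in for Modify


def access_check(token_sids, owner_sid, dacl, desired):
    """Return the bits of `desired` that are granted.

    dacl is a list of (ace_type, sid, mask) in canonical order (deny first).
    Does not model the OWNER RIGHTS SID that later Windows versions added.
    """
    remaining = desired
    # The owner gets READ_CONTROL and WRITE_DAC before the DACL is read,
    # so no ACE, not even a deny, can take them away.
    if owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    denied = 0
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny":
            denied |= mask & remaining
        else:
            remaining &= ~(mask & ~denied)
    return desired & ~remaining


# Constructed DACL for the folder the user created under the share
# (assumes the "disabled" entries were deny ACEs on the user's group).
CHILD_DACL = [
    ("deny", "user_group", READ_CONTROL | WRITE_DAC | WRITE_OWNER),
    ("allow", "user_group", MODIFY_LIKE),
]
USER_TOKEN = {"alice", "user_group"}  # constructed test account
WANTED = READ_CONTROL | WRITE_DAC | WRITE_OWNER | MODIFY_LIKE


def rights(owner_sid):
    """Rights the test account ends up with, given who owns the folder."""
    return access_check(USER_TOKEN, owner_sid, CHILD_DACL, WANTED)


if __name__ == "__main__":
    for owner in ("alice", "Administrators"):
        print(owner, hex(rights(owner)))
```

With the test account as owner, the result includes READ_CONTROL and WRITE_DAC despite the deny entry; once ownership belongs to another principal, only the Modify-style bits remain.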
