File Shares inheriting perms from unknown location
- I have redirected My Docs setup and was alarmed to find that somehow Domain Users was inheriting Full Access rights to each user's folder. The advanced button lists the Domain Users rights coming from the D:\Users share, but on the perms of D:\Users there is no sign of Domain Users, and under the effective perms tool Domain Users is not listed at all with perms to D:\Users. I can go remove them one at a time, but new users' folders get the Domain Users Full Access tacked on, inheriting from somewhere. Ideas where I can find where it's coming from?
Answers
Hello gorejd,
Based on my research, if there are no Domain Users ACL entries on the parent folder D:\Users (which contains the redirected shared folders that are created for users when they log on to the domain), and assuming that we have configured the folder redirection group policy as follows, the "Domain Users" group should not have Full Access rights to each user's redirected folder under the parent folder D:\Users.
Setting: Basic – Redirect everyone's folder to the same location
Target folder location: Create a folder for each user under the root path
Root Path: \\servername\Users
Grant the user exclusive rights to "My Documents".
We need to investigate the issue in more detail. To help you troubleshoot the issue, please scan and list the NTFS security permissions of D:\ and D:\Users by using the AccessEnum utility, and then output them as an NTFS.txt file.
AccessEnum v1.32
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
Meanwhile, please take screenshots of the Security settings of D:\, D:\Users and one user's redirected folder under it.
You may also consider bnborg's suggestion to check whether that group policy setting has been enabled. You can run "gpresult /v > D:\gp.txt" to output the gpresult on that server.
Please send us the NTFS.txt file, the screenshots and gp.txt to tfwst@microsoft.com
Any time and effort will be appreciated.
Thanks for your co-operation.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Marked as answer by David Shen - MSFT (MSFT, Moderator), 8 July 2009 6:17
All replies
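As an added example (not from this thread and not a Sysinternals tool), the same trace that the AccessEnum scan above is meant to produce, done in PowerShell. It assumes the root path D:\Users named in the thread and the group name Domain Users; for every folder under the root it lists each ACE held by that group, whether the ACE is inherited, whether it is inherit-only (an inherit-only ACE grants nothing on the folder that carries it, so the Effective Permissions tab does not list the group there, yet it is copied to every new child folder), and the nearest ancestor folder that holds the explicit entry.

```powershell
# Added example: trace where a group's NTFS ACEs under a redirected-folders
# root come from. $Root and $Group are assumptions taken from the thread.
param(
    [string]$Root  = 'D:\Users',
    [string]$Group = 'Domain Users'
)

function Get-AceSource {
    # Walk upwards from $Path until a folder carries a non-inherited ACE for
    # $Identity; that folder is where the inherited entry originates.
    param([string]$Path, [string]$Identity)
    $current = Split-Path -Path $Path -Parent
    while ($current) {
        $acl = Get-Acl -LiteralPath $current
        $explicit = $acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity
        }
        if ($explicit) { return $current }
        $current = Split-Path -Path $current -Parent   # '' at the volume root ends the loop
    }
    return '<no explicit entry found up to the volume root>'
}

# Scan the root itself plus every folder below it.
$folders = @(Get-Item -LiteralPath $Root) + (Get-ChildItem -LiteralPath $Root -Directory -Recurse)
foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    foreach ($ace in $acl.Access) {
        # Match on the part after DOMAIN\ so the script works for any domain name.
        if ($ace.IdentityReference.Value -notmatch "\\$([regex]::Escape($Group))$") { continue }
        $source = if ($ace.IsInherited) {
            Get-AceSource -Path $folder.FullName -Identity $ace.IdentityReference.Value
        } else { '<explicit on this folder>' }
        $inheritOnly = ($ace.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
        [pscustomobject]@{
            Folder      = $folder.FullName
            Rights      = $ace.FileSystemRights
            Type        = $ace.AccessControlType
            Inherited   = $ace.IsInherited
            InheritOnly = $inheritOnly   # true: invisible in effective perms here, inherited by new subfolders
            Source      = $source
        }
    }
}
```

Run it elevated on the file server and pipe the output to Format-Table or Export-Csv; a row with Inherited = True whose Source is the root or the volume is the entry that each newly created user folder picks up.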
- Hello,
The issue is most likely coming from the D:\ drive since it is the root drive. Look at the security configuration on the D drive, select Advanced and uncheck propagating to folders and subfolders.
Isaac Oben MCITP:EA, MCSE
- There are no perms on D:\ set to propagate, and Domain Users is not on there and has no effective perms on D:\. Can't find where in the heck it's coming from.
Hello gorejd,
To trace down where the permissions come from, we can use the ShareEnum and AccessEnum utilities on the server which holds the D:\Users shared folder.
By using these two utilities, we can view all the Share and NTFS security settings on the file share.
ShareEnum:
"Since there are no built-in tools to list shares viewable on a network and their security settings, ShareEnum fills the void and allows you to lock down file shares in your network. When you run ShareEnum it uses NetBIOS enumeration to scan all the computers within the domains accessible to it, showing file and print shares and their security settings. You may simply view share permission settings with security descriptors in the ShareEnum console. ShareEnum is most effective when you run it with a domain administrator account."
AccessEnum:
"Since there's no built-in way to quickly view user accesses to a tree of directories or keys, AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary. You may simply view the NTFS security settings with security descriptors in the AccessEnum console."
Here are some detailed steps, which may be helpful for you.
1. Download ShareEnum and AccessEnum from the following links.
ShareEnum v1.6
http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
The ShareEnum utility can clearly list all the Share permissions with all the groups (including global groups and local groups) on the server.
AccessEnum v1.32
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
The AccessEnum utility can clearly list all the NTFS permissions with all the groups (including global groups and local groups) on the server.
2. Copy the ShareEnum and AccessEnum utilities to the problematic server.
3. Usage of ShareEnum.exe
List all the share permissions with all the groups (including global groups and local groups) on the server.
a. Double-click ShareEnum.exe.
b. In the drop-down list "ShareEnum displays security information on all shares accessible with the selected domain", select the domain whose share permissions you want to list.
c. Click "Refresh" button to list all the Share path and Share permission in the console.
d. Click "Export…" to save the report as a "share.txt" file.
e. Open "share.txt" with Notepad.exe.
f. In Notepad, click Edit, then Find, enter the group name "Domain Users", and click "Find next" to locate the group.
g. In this way, you will see the Share permission settings for both the local group and the global group.
4. Usage of AccessEnum.exe
List all the NTFS permissions with all the groups (including global groups and local groups) on the server.
a. Double-click AccessEnum.exe.
b. Click "Directory…" and select a directory (e.g. D:\Users) or a partition (e.g. the D: partition) in the "Browse for folder" dialog box.
c. Click "Scan" button to enumerate all the NTFS permissions on the target directory or partition in the console.
d. After enumeration, you may click "Save" to save the report as a "NTFS.txt" file.
e. Open "NTFS.txt" with Notepad.exe.
f. In Notepad, click Edit, then Find, enter the group name "Domain Users", and click "Find next" to locate the group.
g. In this way, you will also see the NTFS permission settings for both the local group and the global group.
If possible, please send the share.txt and NTFS.txt to tfwst@microsoft.com for further analysis.
Hope it helps.
This posting is provided "AS IS" with no warranties, and confers no rights.
Hi gorejd,
I want to see if the information provided was helpful. Please keep us posted on your progress and let us know if you have any additional questions or concerns.
We are looking forward to your response.
This posting is provided "AS IS" with no warranties, and confers no rights.
- It looks like the user's folder is created by the Redirected My Docs GPO. This GPO setting in "Basic" mode creates the folder for the user with some default perms and gives the user "exclusive rights". My guess is that part of the default perms that get created as each new user signs in and the GPO creates their folder is that Domain Users are assigned Full Access. Any idea how I can modify the default perms created by the GPO on each share? I have verified that I can go remove Domain Users' rights, but then I have to do it for every new user as they sign in for the first time and their share is auto-created.
Thanks for the responses, I will use the tools above in the meantime.
- See also the GP setting "Add the Administrators security group to roaming user profiles", under Computer\...\Administrative Templates\System\User Profiles.