Fire Shares inheriting perms from unknown location

Fri, 26 Jun 2009 16:06:57 Z

I have redirected My Docs setup and was alarmed to find that some how Domain Users was inheriting Full Access rights to each users folder. The advanced button lists the Domain Users rights coming from the D:\Users share, but on the perms of D:\users there is no sign of Domain Users and under the effective perms tool Domain Users is not listed at all with perms to D:\Users. I can go remove them one at a time, but new users folders get the Domain Users Full Access tacked on inheriting from somewhere. Ideas where I can find where it's coming from?

Fire Shares inheriting perms from unknown location

Fri, 26 Jun 2009 20:46:20 Z

Hello,
Issue mostly likely caming from D:\ drive since it is the root drive. Look at the sucurity configurations on the D drive, select Advanced uncheck propagating to folders and subfolders.

Isaac Oben MCITP:EA, MCSE

Fire Shares inheriting perms from unknown location

Fri, 26 Jun 2009 20:59:48 Z

There are no perms on D:\ set to propagate and Domain Users is not on there and has no effective perms on D:\. Can't find where in the heck it's coming from.

Fire Shares inheriting perms from unknown location

Mon, 29 Jun 2009 08:23:16 Z

Hello gorejd,

To trace down where the permissions comes from, We can use ShareEnum and AccessEunm utility on that server which holds the D:\User shared folder.

By using these 2 utilities, we can view all the Share and NTFS security settings on the file share.

ShareEnum:

"Since there are no built-in tools to list shares viewable on a network and their security settings, but ShareEnum fills the void and allows you to lock down file shares in your network. When you run ShareEnum it uses NetBIOS enumeration to scan all the computers within the domains accessible to it, showing file and print shares and their security settings. You may simply view share permission settings with security descriptors in the ShareEnum console. ShareEnum is most effective when you run it with a domain administrator account."

AccessEnum:

"Since there's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary. You may simply view the NTFS security settings with security descriptors in the AccessEnum console."

Here are some detailed steps, which may helpful for you.

1. Download ShareEnum and AccessEnum from the following links.

ShareEnum v1.6

http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx

ShareEnum utility can clearly list all the Share permissions with all the groups (including global groups and local groups) on the server.

AccessEnum v1.32

http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

AccessEnum utility can clearly list all the NTFS permissions with all the groups (including global groups and local groups) on the server.

2. Copy ShareEnum and AccessEnum utility to the problematic server.

3. Usage of ShareEnum.exe

List all the share permissions with all the groups (including global groups and local groups) on the server.

a. Double-click ShareEnum.exe.

b. On the drop list of "ShareEnum displays security information on all shares accessible with the selected domain", select the domain that you want to list share permission.

c. Click "Refresh" button to list all the Share path and Share permission in the console.

d. Click "Export…" to save the report as a "share.txt" file.

e. Open the "share.txt" with Notepad.exe

f. In Notepad, click Edit, and click Find, you may input the group name "Domain users", and then click "Find next" to find the group.

g. In the way, you will see the Share permission settings on both the local group and the global group.

4. Usage of AccessEnum.exe

List all the NTFS permissions with all the groups (including global groups and local groups) on the server.

a. Double-click AccessEnum.exe.

b. Click "Directory…", you may select a directory (ex. D:\Users) or a partition (ex. D: partition) in the "Browse for folder" dialog box.

c. Click "Scan" button to enumerate all the NTFS permissions on the target directory or partition in the console.

d. After enumeration, you may click "Save" to save the report as a "NTFS.txt" file.

e. Open the "NTFS.txt" with Notepad.exe

f. In Notepad, click Edit, and click Find, you may input the group name "Domain users", and then click "Find next" to find the group.

g. In the way, you will also see the NTFS permission settings on both the local group and the global group.

If possible, please send the share.txt and NTFS.txt to tfwst@microsoft.com for further analysis.

Hope it helps.

This posting is provided "AS IS" with no warranties, and confers no rights.

Fire Shares inheriting perms from unknown location

Thu, 02 Jul 2009 01:56:48 Z

Hi gorejd,

I want to see if the information provided was helpful. Please keep us posted on your progress and let us know if you have any additional questions or concerns.

We are looking forward to your response.

This posting is provided "AS IS" with no warranties, and confers no rights.

Fire Shares inheriting perms from unknown location

Thu, 02 Jul 2009 02:51:50 Z

It looks like the User's folder is created by the Redirected My Doc GPO. This GPO setting in "Basic" mode creates the share for the user with some default perms and gives the user "exclusive rights". My guess is part of the Default perms that are getting created as each new users signs in and is the GPO creates their folder is the Domain Users are assigned Full Access. Any idea how I can modify the Default Perms created by the GPO on each share? I have verified that I can go remove Domain User's rights, but then I have to do it for every new user as they sign in for the first time and their share is auto created.

Thanks for the responses, I will use the tools above in the meantime.

Fire Shares inheriting perms from unknown location

Thu, 02 Jul 2009 03:12:08 Z

See also the GP setting "Add the Administrators security group to roaming user profiles", under Computer\...\Administrative Templates\System\User Profiles.

Fire Shares inheriting perms from unknown location

Fri, 03 Jul 2009 06:06:33 Z

Hello gorejd,

Based on my research, if there is no Domain User’s ACL entries on that parent folder D:\Users (which contains the redirected shared folder that is created by users when they logon the domain), and assumed that we have configured folder redirection group policy as the following condition, the "Domain Users" group should not have full access right to each user's redirected folder under the parent folder D:\Users.

Setting: Basic – Redirect everyone's folder to the same location

Target folder location: Create a folder for each user under the root path

Root Path: \\servername\Users

Grant the user exclusive rights to "My Documents".

We need to investigate the issue more in detailed, to help you troubleshoot the issue, please scan and list the NTFS security permission of D:\ and D:\Users by using AccessEnum utility, and then output it as NTFS.txt file.

AccessEnum v1.32

http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

Meanwhile, please take screenshots of the Security setting of D:\, D:\Users and one user’s redirect folder under it.

You may also consider bnborg’s suggestion to check if that group policy setting has been enabled. You can run "gpresult /v > D:\gp.txt" to output the gpresult on that server.

Please send us the NTFS.txt file, screenshots and gp.txt to tfwst@microsoft.com

Any time and effort will be appreciated.

Thanks for your co-operation.

This posting is provided "AS IS" with no warranties, and confers no rights.