NTFS Permissions being added for logged on user

  • Question

  • Is there a way to prevent NTFS Permissions from being automatically added to a restricted folder?

    Here is an example:  We have an audit folder where Administrators have Read, list folder contents, Auditors have Full Control and System has Full Control.

    When I navigate to the folder, my user account is automatically added to the NTFS Permissions with Full Control, when Administrators only have Read and list folder contents.

    NTFS Permissions should not be automatically added for anyone, they should be manually added. 

    We failed a security audit, due to Windows automatically adding permissions that gave the user more permissions than they are authorized. 

    Thanks.

    DJ

    Wednesday, May 11, 2016 12:21 PM

Answers

  • Jay,

    At first the owner was the Administrator, and we changed it to be our Auditors group.  Even at Administrator we were being prompted.

    May have figured out the problem.  It may be related to the UAC and the registry setting LocalAccountTokenPolicy.  We added our Custom Administrators group to the ACLs, and the UAC prompting appears to have stopped, and users are no longer being added to the folder/file ACLs with Full Control.

    Will continue to monitor and update thread when testing is complete.

    DJ

    • Proposed as answer by Jay Gu Monday, May 30, 2016 6:04 AM
    • Marked as answer by Jay Gu Tuesday, June 7, 2016 3:09 AM
    Friday, May 20, 2016 10:03 AM

All replies

  • Hi DJ,

    Did you configure the NTFS permission on the parent folder and enable inheritance?

    Or is the user a member of a group that has the NTFS permission?

    Another possibility is that you have a script for adding the NTFS permission on the folder.

    To audit the NTFS permissions for folders and files, you could run the script provided in the article below.

    PowerShell: NTFS Permission Auditor For Folders and Files

    https://gallery.technet.microsoft.com/scriptcenter/PowerShell-NTFS-Permission-59c03872#content

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 12, 2016 6:58 AM
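A small audit script of the kind Jay suggests, added here as an example; it is not the gallery script he links and not code from the thread. It walks a restricted folder tree and reports every Allow entry that carries Full Control for a principal outside an approved list, together with whether the entry is explicit or inherited and who owns the object. The path and the approved-principal list are placeholders and must be replaced with the real values.

```powershell
# Added example, not part of the thread. Flags Full Control ACEs on a restricted
# folder tree that belong to anyone other than the approved principals, which is
# exactly the kind of entry an auditor objects to (e.g. a per-user Full Control
# entry that appeared without anyone adding it on purpose).
#
# Assumptions (placeholders, replace for real use):
#   $Path                 - root of the restricted folder
#   $AllowedFullControl   - principals that are supposed to hold Full Control

param(
    [string]   $Path = 'D:\Audit',
    [string[]] $AllowedFullControl = @('CONTOSO\Auditors', 'NT AUTHORITY\SYSTEM')
)

function Get-UnexpectedFullControl {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [Parameter(Mandatory)] [string[]] $Allowed
    )

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Root folder first, then everything beneath it (files and folders).
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            # Reading the ACL needs READ_CONTROL; an unreadable object is itself
            # worth a line in the report rather than a silent skip.
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = '<unreadable ACL>'
                Rights    = $null
                Inherited = $null
                Owner     = $null
            }
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            # Only report entries that grant the complete Full Control mask.
            if (([int]$ace.FileSystemRights -band [int]$fullControl) -ne [int]$fullControl) { continue }

            $who = $ace.IdentityReference.Value
            if ($Allowed -contains $who) { continue }   # -contains is case-insensitive

            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited      # $false = explicit entry on this object
                Owner     = $acl.Owner
            }
        }
    }
}

Get-UnexpectedFullControl -Root $Path -Allowed $AllowedFullControl |
    Sort-Object Path, Identity |
    Format-Table -AutoSize
```

Run it under an account that already has read access to the tree (for example a member of the Auditors group). Get-Acl simply returns an access-denied error on objects it cannot read rather than offering to change anything, so the audit itself does not alter the ACLs. A row with Inherited = False and an individual user as Identity is the case described in this thread; the Owner column helps confirm whether ownership of the object has also drifted away from the intended group.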
  • Thanks for the reply.

    The user belongs to the Administrators group which has Read and list folder permissions.  The folder is a child of the root folder which has restricted rights as well. 

    When the user accesses the folder, the UAC popup is shown.  Once the UAC popup is acknowledged the user can see and list the files.  When you check the permissions on the folder and files, the user that just accessed the folder has been granted full control for the folder and files.

    The permissions get applied whether or not inheritance is enabled.

    DJ

    Thursday, May 12, 2016 10:26 AM
  • Hi DJ,

    The UAC popup shows and requires administrator authentication, right?

    If you type the administrator name and password, it promotes the user with administrator permissions to access the folder.

    Best Regards,

    Jay



    Tuesday, May 17, 2016 7:27 AM
  • Jay,

    The user is an Administrative user, and the user already has access to the folder.  UAC shouldn't prompt at all.  But it does, and it's after acknowledging UAC that the user is granted full permissions to the Read-only folder.

    DJ

    Tuesday, May 17, 2016 9:42 AM
  • Hi DJ,

    Is the administrator owner of the folder?

    Best Regards,

    Jay



    Friday, May 20, 2016 6:12 AM