User able to create folders on network drive he had no permission

Hi all,

We have had a strange case where a user who has just had a new PC setup for
him on the network was able to create files and folders on a network drive he
should only have had read access to.

The PC was setup using a domain admin account (I know, probably not the best
idea but thats not the point). The user called me to ask if it was ok for him
to create a folder on the network drive and for me to assign permissions to
specific groups. I watched as he created the folder and renamed it. Neither
of which he had permissions to do according to NTFS permissions. Checking the
effective permissions tab on the folder still said he didnt have access to
create it. Whats more, logging in as his account I could browse to other
users personal share and do whatever I liked on them. I tested his account on
another machine and he got access denied to the folders I was using to test,
so it was something specific to the new PC.

We removed all permissions to the folder we were testing with except domain
admins, and with his account on the effected PC he was still able to create
folders etc. Removing all permissions including domain admins and replacing
with another group gave access denied.

To fix the problem I copied his profile on the machine to another users
profile and deleted it, logged back in again as him then copied the profile
back. This gave him the proper permissions to the network drive, eg access
denied when trying to create files etc.

It seems as if one of the pieces of software (perhaps installed as the
domain admin user) was somehow impersonating the domain admin who first set
it up. Which piece of software I dont know, like I say the problem went away
as soon as I removed and replaced his profile.

Has anyone seen anything like this before?

Thanks,
Greg

.

Relevant Pages

  • Re: XP Home: selective folder sharing
    ... Adding Test made no difference for sharing the Test folder in XP Safe Mode. ... In Control Panel/Network on the 98SE machine, I found the network login set ... click the Permissions button to ...
    (microsoft.public.windowsxp.network_web)
  • Re: User able to create folders on network drive he had no permission
    ... setup for him on the network was able to create files and folders on ... a network drive he should only have had read access to. ... The PC was setup using a domain admin account (I know, ... difference with the *user* permissions on the network. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: How do I add a network user to the security permissions on a shared XP folder?
    ... can't figure out what way to setup the permissions. ... user account on the fileserver computer with the same name as my own ... allowed them to list folder contents only. ... Next I allowed the NETWORK ...
    (microsoft.public.windows.server.networking)
  • Re: Security and Sharing
    ... When they are logged in locally only the filesystem permissions are needed. ... When they access over the network they can do anything that the filesystem ... If you want then to be able to read files and browse the folder structure ...
    (microsoft.public.security)
  • Re: My F#@!&$% Network Problem Possibly Solved
    ... The kind of features Pro adds were not things I perceived as ... permissions for shared folders are usually set in two separate ... folder, choosing properties, going to the sharing tab and clicking ... "Allow network users to change my files." ...
    (rec.audio.pro)