Re: User able to create folders on network drive he had no permission
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Jan 2009 09:38:31 -0500
Greg <Greg@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi all,
We have had a strange case where a user who has just had a new PC
setup for him on the network was able to create files and folders on
a network drive he should only have had read access to.
The PC was setup using a domain admin account (I know, probably not
the best idea but thats not the point).
What does "set up" mean? If you joined the domain, installed software as an
admin (domain or otherwise), it wouldn't make any difference with the *user*
permissions on the network.
The user called me to ask if
it was ok for him to create a folder on the network drive and for me
to assign permissions to specific groups. I watched as he created the
folder and renamed it. Neither of which he had permissions to do
according to NTFS permissions. Checking the effective permissions tab
on the folder still said he didnt have access to create it. Whats
more, logging in as his account I could browse to other users
personal share and do whatever I liked on them. I tested his account
on another machine and he got access denied to the folders I was
using to test, so it was something specific to the new PC.
We removed all permissions to the folder we were testing with except
domain admins, and with his account on the effected PC he was still
able to create folders etc. Removing all permissions including domain
admins and replacing with another group gave access denied.
To fix the problem I copied his profile on the machine to another
users profile and deleted it, logged back in again as him then copied
the profile back. This gave him the proper permissions to the network
drive, eg access denied when trying to create files etc.
It seems as if one of the pieces of software (perhaps installed as the
domain admin user) was somehow impersonating the domain admin who
first set it up. Which piece of software I dont know, like I say the
problem went away as soon as I removed and replaced his profile.
Has anyone seen anything like this before?
Thanks,
Greg
There's no way your having installed software as User X would affect User
Y's network permissions. However, if you had perhaps connected to a network
share as an administrator *while* the user was logged in under his own
account, he would be
connected to that shared resource using the administrator's credentials and
could do whatever he liked. That's all I can think of.
In your login script, presuming you use a batch file, I'd do something like
this:
net use * /del
net use x: \\server\share /persistent:no
net use y: \\server\share /persistent: no
.
- References:
- Prev by Date: Re: Defrag won't work
- Next by Date: RE: User able to create folders on network drive he had no permission
- Previous by thread: User able to create folders on network drive he had no permission
- Next by thread: RE: User able to create folders on network drive he had no permission
- Index(es):
Relevant Pages
|
