Bug in 2008 security?

I have several shares with permissions of Domain admins full control and
System special.

When staff try to access these folders they receive and access denied.
Which is great. However, I've found that these staff can right
click->properties->security tab and add them selves with full control. How
is this possible?

First question I would ask is why is your site going with "SYSTEM" on the
share permissions tab?

"JackH" <> wrote in message
news:...
>I have several shares with permissions of Domain admins full control and
>System special.
>
> When staff try to access these folders they receive and access denied.
> Which is great. However, I've found that these staff can right
> click->properties->security tab and add them selves with full control.
> How is this possible?
>

I believe because it is a DFS share? Is this not needed?


"neo" <> wrote in message
news:...
> First question I would ask is why is your site going with "SYSTEM" on the
> share permissions tab?
>
> "JackH" <> wrote in message
> news:...
>>I have several shares with permissions of Domain admins full control and
>>System special.
>>
>> When staff try to access these folders they receive and access denied.
>> Which is great. However, I've found that these staff can right
>> click->properties->security tab and add them selves with full control.
>> How is this possible?
>>
>

Not knowing exactly what you need from this share, my gut says....

On share permissions tab, no. On NTFS permissions tab, yes.

"JackH" <> wrote in message
news:...
>I believe because it is a DFS share? Is this not needed?
>
>
> "neo" <> wrote in message
> news:...
>> First question I would ask is why is your site going with "SYSTEM" on the
>> share permissions tab?
>>
>> "JackH" <> wrote in message
>> news:...
>>>I have several shares with permissions of Domain admins full control and
>>>System special.
>>>
>>> When staff try to access these folders they receive and access denied.
>>> Which is great. However, I've found that these staff can right
>>> click->properties->security tab and add them selves with full control.
>>> How is this possible?
>>>
>>
>
>

That's what I was referring to was the NTFS permissions.


"neo" <> wrote in message
news:%235ltt$...
> Not knowing exactly what you need from this share, my gut says....
>
> On share permissions tab, no. On NTFS permissions tab, yes.
>
> "JackH" <> wrote in message
> news:...
>>I believe because it is a DFS share? Is this not needed?
>>
>>
>> "neo" <> wrote in message
>> news:...
>>> First question I would ask is why is your site going with "SYSTEM" on
>>> the share permissions tab?
>>>
>>> "JackH" <> wrote in message
>>> news:...
>>>>I have several shares with permissions of Domain admins full control and
>>>>System special.
>>>>
>>>> When staff try to access these folders they receive and access denied.
>>>> Which is great. However, I've found that these staff can right
>>>> click->properties->security tab and add them selves with full control.
>>>> How is this possible?
>>>>
>>>
>>
>>
>

So, to summarize, permissions on the folder in question are:

administrators: FULL
system: special

With no permissions given to EVERYONE, Authenticated Users, or any other
trustee.

If that is the case, then your users would need to be administrators, which,
if they were, they would not need to grant themselves any further
permissions.

What, exactly, are the permissions on the NTFS folder that contains the
folders being shared?

/Al


"JackH" <> wrote in message
news:...
> That's what I was referring to was the NTFS permissions.
>
>
> "neo" <> wrote in message
> news:%235ltt$...
>> Not knowing exactly what you need from this share, my gut says....
>>
>> On share permissions tab, no. On NTFS permissions tab, yes.
>>
>> "JackH" <> wrote in message
>> news:...
>>>I believe because it is a DFS share? Is this not needed?
>>>
>>>
>>> "neo" <> wrote in message
>>> news:...
>>>> First question I would ask is why is your site going with "SYSTEM" on
>>>> the share permissions tab?
>>>>
>>>> "JackH" <> wrote in message
>>>> news:...
>>>>>I have several shares with permissions of Domain admins full control
>>>>>and System special.
>>>>>
>>>>> When staff try to access these folders they receive and access denied.
>>>>> Which is great. However, I've found that these staff can right
>>>>> click->properties->security tab and add them selves with full control.
>>>>> How is this possible?
>>>>>
>>>>
>>>
>>>
>>
>
>

Please post/review the share and ntfs permission on both dfs path and the
location it points to. One of them has something you don't expect.

"JackH" <> wrote in message
news:...
> That's what I was referring to was the NTFS permissions.
>
>
> "neo" <> wrote in message
> news:%235ltt$...
>> Not knowing exactly what you need from this share, my gut says....
>>
>> On share permissions tab, no. On NTFS permissions tab, yes.
>>
>> "JackH" <> wrote in message
>> news:...
>>>I believe because it is a DFS share? Is this not needed?
>>>
>>>
>>> "neo" <> wrote in message
>>> news:...
>>>> First question I would ask is why is your site going with "SYSTEM" on
>>>> the share permissions tab?
>>>>
>>>> "JackH" <> wrote in message
>>>> news:...
>>>>>I have several shares with permissions of Domain admins full control
>>>>>and System special.
>>>>>
>>>>> When staff try to access these folders they receive and access denied.
>>>>> Which is great. However, I've found that these staff can right
>>>>> click->properties->security tab and add them selves with full control.
>>>>> How is this possible?
>>>>>
>>>>
>>>
>>>
>>
>
>

Here they are:

Anyone in the Termed Staff security group should have read only permissions
to the following location. Folders within this, permissions are granted on
a per user basis. Folders within this location have the same security
listed below except the termed Staff security group is removed.
d:\dfsroots\Termed Staff
Administrators full control
Creator Owner special
Domain Admins full
System full
Termed Staff Read & Execute, list, read

Permissions are the same as above via the dfs.

I think I see what the issue may be. I've found that is
domain\administrators have access then all domain users have full control.
I have no idea why this is as domain users are not in the administrators
group.




"neo" <> wrote in message
news:%...
> Please post/review the share and ntfs permission on both dfs path and the
> location it points to. One of them has something you don't expect.
>
> "JackH" <> wrote in message
> news:...
>> That's what I was referring to was the NTFS permissions.
>>
>>
>> "neo" <> wrote in message
>> news:%235ltt$...
>>> Not knowing exactly what you need from this share, my gut says....
>>>
>>> On share permissions tab, no. On NTFS permissions tab, yes.
>>>
>>> "JackH" <> wrote in message
>>> news:...
>>>>I believe because it is a DFS share? Is this not needed?
>>>>
>>>>
>>>> "neo" <> wrote in message
>>>> news:...
>>>>> First question I would ask is why is your site going with "SYSTEM" on
>>>>> the share permissions tab?
>>>>>
>>>>> "JackH" <> wrote in message
>>>>> news:...
>>>>>>I have several shares with permissions of Domain admins full control
>>>>>>and System special.
>>>>>>
>>>>>> When staff try to access these folders they receive and access
>>>>>> denied. Which is great. However, I've found that these staff can
>>>>>> right click->properties->security tab and add them selves with full
>>>>>> control. How is this possible?
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>

In addition to my last response, where should I be updating permissions?


domain.local\share or
server\share

I would think either way would replicate itself.




"neo" <> wrote in message
news:%...
> Please post/review the share and ntfs permission on both dfs path and the
> location it points to. One of them has something you don't expect.
>
> "JackH" <> wrote in message
> news:...
>> That's what I was referring to was the NTFS permissions.
>>
>>
>> "neo" <> wrote in message
>> news:%235ltt$...
>>> Not knowing exactly what you need from this share, my gut says....
>>>
>>> On share permissions tab, no. On NTFS permissions tab, yes.
>>>
>>> "JackH" <> wrote in message
>>> news:...
>>>>I believe because it is a DFS share? Is this not needed?
>>>>
>>>>
>>>> "neo" <> wrote in message
>>>> news:...
>>>>> First question I would ask is why is your site going with "SYSTEM" on
>>>>> the share permissions tab?
>>>>>
>>>>> "JackH" <> wrote in message
>>>>> news:...
>>>>>>I have several shares with permissions of Domain admins full control
>>>>>>and System special.
>>>>>>
>>>>>> When staff try to access these folders they receive and access
>>>>>> denied. Which is great. However, I've found that these staff can
>>>>>> right click->properties->security tab and add them selves with full
>>>>>> control. How is this possible?
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>

I just blew one of my theories.

I have another dfs called Outlook Archives.
NTFS permissions on the dfs path on via local only has the following
permissions:

Domain Admins full
Domain users read and execute, list folder, and read
System full

Domain users are able to give themselves full permissions to folders within
this share.



"neo" <> wrote in message
news:%...
> Please post/review the share and ntfs permission on both dfs path and the
> location it points to. One of them has something you don't expect.
>
> "JackH" <> wrote in message
> news:...
>> That's what I was referring to was the NTFS permissions.
>>
>>
>> "neo" <> wrote in message
>> news:%235ltt$...
>>> Not knowing exactly what you need from this share, my gut says....
>>>
>>> On share permissions tab, no. On NTFS permissions tab, yes.
>>>
>>> "JackH" <> wrote in message
>>> news:...
>>>>I believe because it is a DFS share? Is this not needed?
>>>>
>>>>
>>>> "neo" <> wrote in message
>>>> news:...
>>>>> First question I would ask is why is your site going with "SYSTEM" on
>>>>> the share permissions tab?
>>>>>
>>>>> "JackH" <> wrote in message
>>>>> news:...
>>>>>>I have several shares with permissions of Domain admins full control
>>>>>>and System special.
>>>>>>
>>>>>> When staff try to access these folders they receive and access
>>>>>> denied. Which is great. However, I've found that these staff can
>>>>>> right click->properties->security tab and add them selves with full
>>>>>> control. How is this possible?
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>