I apologize in advance, but I am new to Windows 2012 and haven't found the answers online. After migrating shares to Windows Server 2012 we are discovering that all domain users have read/write access. This appears to be because:
- We grant share Full Control to everyone, intending that the NTFS security permissions will control folder/file access.
- At the root of each drive on the servers the local Users group is granted NTFS read-only + special permissions of Create files / write data and Create folders / append data, and this is inherited by all subfolders.
- The local users group contains the domain users group.
- When we copied over the share data the default permissions weren't evaluated, but were assumed not to be this generous.
I have looked for a listing of the default permissions in a new NTFS file system, but haven't found them documented. I have also looked for and failed to find a best practice guide covering share setup that also points out that these permissions exist.
I could fix it by breaking inheritance and then not allowing the local users permission to be inherited, but I would prefer to change it at the root level of the drive, or by possibly changing the deployment image to not grant them. But I also don't want to break anything by doing this.
So my questions are:
- Is this the default Windows 2012 NTFS permission for the local Users group?
- If so, would somebody explain why?
- If not, what are the default 2012 permissions for the local users group?
- Assuming that this is the default, where can I find the best practice process to address this?
Thanks in advance for your help,
Paul
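
To see where the grants described in the question actually sit, the following read-only PowerShell audit lists every allow entry held by the local Users group on each NTFS drive root and each shared folder, and marks whether it permits writing and whether it is inherited. It is an added example, not part of the original post; it assumes an elevated session on the file server and the `Get-SmbShare` cmdlet that ships with Windows Server 2012 and later.

```powershell
# Added example (not from the original post). Read-only: it changes no ACLs.
# Assumes an elevated PowerShell 3.0+ session on the file server.

$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (locale independent)

# Rights that let a member of the group create, change or delete data.
$writeMask = [System.Security.AccessControl.FileSystemRights]`
    'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles'

# Roots of fixed NTFS volumes, where the inherited entries originate.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady -and $_.DriveFormat -eq 'NTFS' } |
    ForEach-Object { $_.RootDirectory.FullName }

# Folders behind non-administrative shares.
$shares = Get-SmbShare -Special $false |
    Where-Object { $_.Path -and (Test-Path -LiteralPath $_.Path -PathType Container) } |
    ForEach-Object { $_.Path }

$report = foreach ($path in ((@($roots) + @($shares)) | Sort-Object -Unique)) {
    $acl = Get-Acl -LiteralPath $path

    # Ask for SIDs instead of names so the match does not depend on display names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $usersSid) { continue }
        if ($rule.AccessControlType -ne 'Allow')         { continue }

        [pscustomobject]@{
            Path      = $path
            Rights    = $rule.FileSystemRights
            CanWrite  = (([int]$rule.FileSystemRights -band [int]$writeMask) -ne 0)
            Inherited = $rule.IsInherited          # False: the entry is set on this folder itself
            AppliesTo = "$($rule.InheritanceFlags) / $($rule.PropagationFlags)"
        }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize -Wrap
```

A row with `CanWrite` true and `Inherited` true on a share folder means the write access comes from a parent, typically the drive root, rather than from the share folder's own ACL.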