Is this a bug in NTFS security or a feature?
For the last few days, I was working on configuring a secure home folders deployment, and finally I found a solution. I don't want to write it again here; I posted the details on my blog. http://bit.ly/ntfsoverunc
As per my knowledge, NTFS permissions work together with share permissions as follows (please correct me if I am wrong):
USERS     NTFS PERMISSION   SHARE PERMISSION   EFFECTIVE PERMISSION
USER A    R                 R                  R
USER A    F                 R                  R
USER A    R                 F                  R
USER A    F                 F                  F
USER A    F                 N                  N
USER A    N                 F                  N
What I have found is...
ROOT
----
|
|-A-HOME
In the above tree, User A doesn't have any NTFS permission, but has full permission on the A-HOME folder, and User A has full share permission on the ROOT share. If I try to access \\server\root, I get an Access Denied error, which is OK, but if I access \\server\root\a-home, I am able to access it, and I have full permission on it. So I don't understand how this is possible, coz it's not following the above table; it's actually bypassing NTFS permission.
So, is this a feature or a bug?
Right now this is actually helping me to achieve my goal.. :) but still I want to know..
Thanks
Saugata
March 25th, 2011 8:01am
Hello,
please post any accounts/security groups on the root level and A-home folder with the NTFS and share permissions here, so we can rebuild this for testing.
Additionally, post the OS version used, incl. SP/patch level.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
March 25th, 2011 10:54am
Hi Meinolf,
Please find the details below:
Server OS : Windows 2003 STD SP2
ROOT LEVEL PERMISSION [NTFS]
Administrators - FULL PERMISSION
SYSTEM - FULL PERMISSION
CREATOR OWNER - FULL PERMISSION
ROOT LEVEL PERMISSION [SHARE]
Authenticated Users - FULL PERMISSION
SYSTEM - FULL PERMISSION
USER A Home Folder NTFS Permission [after adding \\server\share\%username% to the user's profile in AD, the folder is created automatically with the following permissions]
Administrators - FULL PERMISSION
CREATOR OWNER - FULL PERMISSION
USER A - FULL PERMISSION
SYSTEM - FULL PERMISSION
Thanks
Saugata
March 25th, 2011 12:50pm
Hello,
IIRC the Authenticated Users (share/full) use the Creator Owner (root/full) to prepare the user folder in A-Home; this combined process runs behind the new creation of the user account in AD UC and adding the profile path.
This results in the listed permissions for the user folder.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
March 25th, 2011 1:31pm
Hello,
IIRC the Authenticated Users (share/full) use the Creator Owner (root/full) to prepare the user folder in A-Home; this combined process runs behind the new creation of the user account in AD UC and adding the profile path.
This results in the listed permissions for the user folder.
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Hi,
Not 100% clear to me: if Authenticated Users don't have NTFS permission on the root folder, then how are they able to access their home folder, which is actually a subfolder of that root folder?
However, I clearly understand the process of home folder creation from AD after clicking the Apply button. Also, I think SYSTEM full permission is not required on the root share, as SYSTEM itself is a member of Authenticated Users.
Always take a backup before you make any changes.. :)
March 25th, 2011 2:03pm
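The behaviour reported in this thread, modelled as an added example (not code from any poster): it applies the question's NTFS/share table to the ACL of the folder actually being opened, using the permissions Saugata posted. Assumptions: the `Access` levels, function names and `bypass_traverse` flag are hypothetical; deny entries and group nesting are not modelled; `bypass_traverse=True` stands for the account holding the "Bypass traverse checking" user right, which Windows grants to ordinary users by default.

```python
from enum import IntEnum

class Access(IntEnum):
    N = 0  # no access
    R = 1  # read
    F = 2  # full control

# Constructed from the permissions posted in the thread.
SHARE_ACL = {"Authenticated Users": Access.F, "SYSTEM": Access.F}
NTFS_ACLS = {
    "root": {"Administrators": Access.F, "SYSTEM": Access.F,
             "CREATOR OWNER": Access.F},
    "root\\a-home": {"Administrators": Access.F, "CREATOR OWNER": Access.F,
                     "USER A": Access.F, "SYSTEM": Access.F},
}
USER_A = {"USER A", "Authenticated Users"}  # principals in User A's token

def granted(acl, principals):
    """Highest level any of the caller's principals holds in one ACL."""
    return max((lvl for who, lvl in acl.items() if who in principals),
               default=Access.N)

def effective(path, principals, bypass_traverse=True):
    """Effective access over the share: the lower of share and NTFS access.

    The NTFS side is read from the ACL of the folder being opened. Parent
    folders are consulted only when bypass_traverse is False.
    """
    if not bypass_traverse:
        parts = path.split("\\")
        for depth in range(1, len(parts)):
            parent = "\\".join(parts[:depth])
            # Simplification: any access on the parent counts as traverse.
            if granted(NTFS_ACLS[parent], principals) == Access.N:
                return Access.N
    return min(granted(SHARE_ACL, principals),
               granted(NTFS_ACLS[path], principals))

if __name__ == "__main__":
    for folder in NTFS_ACLS:
        print(folder, effective(folder, USER_A).name)
```

Under these assumptions the table holds for each folder on its own ACL: ROOT gives N and A-HOME gives F, matching what was observed, while `bypass_traverse=False` would deny A-HOME as well.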