Everyone take ownership


AnttiH

Hi,
we have a network share. I change its permissions so only GROUPA and
GROUPB have Full Control, no other entries. However, someone who is not
in GROUPA or GROUPB can claim Ownership of the folder. He does not have
read access or anything like I want it, but taking ownership nulls and
voids everything.

What is causing this? Windows Default for everyone is "Take Ownership"??

Regards,
Antti H
 
AnttiH said:
Hi,
we have a network share. I change its permissions so only GROUPA and
GROUPB have Full Control, no other entries. However, someone who is not
in GROUPA or GROUPB can claim Ownership of the folder. He does not have
read access or anything like I want it, but taking ownership nulls and
voids everything.

What is causing this? Windows Default for everyone is "Take Ownership"??

Regards,
Antti H

Looks like the permission is inherited from the parent folder. Very odd.

Is it not possible to define a folder on a drive that only certain
people can access, no matter who owns the parent?

Antti H
 
In your initial posting you spoke of share permissions, which
are found with the Permission button on the Sharing tab in the
properties of a folder. It is now apparent that you are speaking
of the NTFS permissions of the folder.

Yes, defining a folder to have just a specific, intended set
of NTFS permissions is possible. Uncheck the box in the
NTFS Security dialog that indicates the folder is allowed
to inherit from its parent folder. Also, use the Advanced
tab to see whether there are any grants or denies that are
special and being masked from view in the generic permission
view of the settings.
 
Roger said:
In your initial posting you spoke of share permissions, which
are found with the Permission button on the Sharing tab in the
properties of a folder. It is now apparent that you are speaking
of the NTFS permissions of the folder.

Yes, defining a folder to have just a specific, intended set
of NTFS permissions is possible. Uncheck the box in the
NTFS Security dialog that indicates the folder is allowed
to inherit from its parent folder. Also, use the Advanced
tab to see whether there are any grants or denies that are
special and being masked from view in the generic permission
view of the settings.

Thanks for your response.
The folder in question is shared over network, but apparently NTFS
permissions are affecting it. It is shared from W2000 Server. I have no
further detail of this, I can click properties for the folder then
security tab and there.

There are no Advanced permissions besides the ones that I have set in
the "generic" permissions page.
What does the last "Effective Permissions" mean? When I select a group
from our AD with the select.. button they have NO "Effective
Permissions", but when I select a certain user, he has all permissions,
even though he is NOT listed on any of the permissions tabs?

This person used to be in a group which had permission into the folder,
can this be cached somehow?

Cheers,

AnttiH
 
AnttiH said:
It is shared from W2000 Server. I have no
further detail of this, I can click properties for the folder then
security tab and there.

To clarify, the folder is on a mapped drive.

AnttiH
 
The share permissions are viewed/set when using an admin
interface on the machine that is sharing-out (or with a remote
tool allowing the same).

After the drive is mapped one sees the NTFS permissions as
these have been set on the actual storage.

An account will have access to the extent NTFS permissions
are granted (and not denied) directly to the account and/or to
any group in which the account is a member, but when the
access is over the network the account will have these only
to the extent that they do not exceed the share level permissions
granted and not denied to the account. The share level permissions
will never increase permissions beyond what is within the NTFS
permissions, they will only allow all the NTFS grants less denies
or the share level permissions might reduce these.

The effective permissions tab will show what access would
be allowed to a principal due to the existing grants and denies
but, as the description states, this only considers direct group
memberships - so long chains of group nesting and share level
permissions imposed on a then current mapping are not taken
into account.

If the permissions are inherited from the parent folder, and
you have access only to the share as a mapped drive then
there is no real way for you to affect what is being inherited.

As you have said that only GroupA and GroupB have any
grants to them, and there are no other grants showing only
in the Advanced view, then we have something of a mystery.

Can you open a cmd prompt and issue
cacls X: > c:\perms.txt
where X: is the letter to which the share has been mapped
and c:\perms.txt is any file to which you want the output
redirected. The content of this file will have all NTFS
settings in effect on the mapped folder.

In order to Take ownership an account would need to
either be in GroupA or GroupB (which have grants of Full)
based on what you have said, that there are no other grants.
Posting here the results stored into that c:\perms.txt file
would help us verify that this is so.
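
The rule described in this post (NTFS grants less denies, capped by the share-level permissions when access is over the network) worked through as an added example that is not part of the original thread. The access-mask values are the standard Windows ones; the share ACL and the account names alice and bob are constructed, and the deny handling is a simplification of real ACE ordering.

```python
# Added illustration, not from the thread. Simplified: real Windows walks ACEs
# in order; here any matching deny simply removes the bits from the result.
FULL = 0x1F01FF         # Full Control
CHANGE = 0x1301BF       # Change (share) / Modify (NTFS)
READ = 0x1200A9         # Read
WRITE_OWNER = 0x080000  # bit that permits taking ownership through the ACL

def acl_result(acl, sids):
    """Grants less denies for an account; sids = the account plus its groups."""
    allowed = denied = 0
    for kind, principal, mask in acl:
        if principal in sids:
            if kind == "deny":
                denied |= mask
            else:
                allowed |= mask
    return allowed & ~denied

def network_access(ntfs_acl, share_acl, sids):
    """Access over the share: the NTFS result capped by the share-level result."""
    return acl_result(ntfs_acl, sids) & acl_result(share_acl, sids)

def can_take_ownership(mask):
    """True when the computed access includes WRITE_OWNER."""
    return bool(mask & WRITE_OWNER)

# NTFS grants as described in the thread; share ACL and accounts are constructed.
NTFS = [("allow", "BUILTIN\\Administrators", FULL),
        ("allow", "domain\\groupA", FULL),
        ("allow", "domain\\groupB", FULL)]
SHARE = [("allow", "Everyone", CHANGE)]

member = {"domain\\alice", "domain\\groupA", "Everyone"}
outsider = {"domain\\bob", "Everyone"}

if __name__ == "__main__":
    for name, sids in (("groupA member", member), ("outsider", outsider)):
        local = acl_result(NTFS, sids)
        remote = network_access(NTFS, SHARE, sids)
        print(f"{name}: local={local:#08x} remote={remote:#08x} "
              f"take-ownership over share: {can_take_ownership(remote)}")
```

With a share-level grant of Change, even a GroupA member with NTFS Full Control loses the take-ownership bit over the mapped drive, and an account outside every listed group ends up with no access at all.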
 
In a machine's default, as installed, condition any member of
the Administrators group can take ownership of anything in
the NTFS filesystem.
If the accounts taking ownership are not logging into the
machine that is source of the share as admins, then the info
in the other posting I have just made applies.
 
Roger said:
Can you open a cmd prompt and issue
cacls X: > c:\perms.txt
where X: is the letter to which the share has been mapped
and c:\perms.txt is any file to which you want the output
redirected. The content of this file will have all NTFS
settings in effect on the mapped folder.

In order to Take ownership an account would need to
either be in GroupA or GroupB (which have grants of Full)
based on what you have said, that there are no other grants.
Posting here the results stored into that c:\perms.txt file
would help us verify that this is so.

Hi.


This is cacls H:\FOLDER, which is the folder we want to make secure.
H:\FOLDER BUILTIN\Administrators:(OI)(CI)F
domain\groupA:(OI)(CI)F
domain\groupB:(OI)(CI)F

The person who "has permission to take ownership" is NOT in any of these
groups. Not inherited or anything. The person however has Full Control
on the H:\ -drive.

Hope this helps,
AnttiH
 
Looks OK. The person you mention (meaning one of the accounts that
they can use, that shows up as owner) is not a member of Administrators
group on the machine where H: is native (shared-from)?
You are sure that they are changing an object that pre-existed with
different settings (as compared to looking at a newly created object)?
Finally, you know that they are not in a group that is in any of the
three named groups? And that they do not have the power to add
themselves (temporarily) to one?
Otherwise, from all you have said they should not be able to do
what you have been reporting.
 
AnttiH,

Just for completeness, please verify that on the involved machines
the security policy setting in the User Right section of the Computer
Security policy section the User Right to Take Ownership of objects
is still set at the default of only naming Administrators group.
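
The checks suggested in the last few posts (who holds Full Control in the cacls output, and who holds the Take Ownership user right) can be combined into one audit, shown here as an added example that is not part of the original thread. It parses only the simple one-letter cacls form posted above; the account userx, the group lists and the user-right holder set are constructed, and nested groups must already be expanded by the caller.

```python
import re

# One simple cacls entry: principal, optional (OI)(CI)... flags, one right letter.
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")

def parse_cacls(text, path):
    """Return {principal (lower-cased): right letter} from simple cacls output."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line is prefixed with the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            entries[m["who"].lower()] = m["right"]
    return entries

def ownership_paths(account, groups, entries, take_ownership_right):
    """List every way the account could become owner of the folder."""
    sids = {account.lower()} | {g.lower() for g in groups}
    reasons = []
    for who in sorted(sids):
        if entries.get(who) == "F":        # Full Control includes Take Ownership
            reasons.append(f"ACL: {who} has Full Control")
        if who in take_ownership_right:    # user right bypasses the ACL
            reasons.append(f"User right: {who} holds Take Ownership")
    return reasons

# cacls output as posted in the thread (indentation reconstructed).
SAMPLE = r"""H:\FOLDER BUILTIN\Administrators:(OI)(CI)F
          domain\groupA:(OI)(CI)F
          domain\groupB:(OI)(CI)F"""

# Constructed: default policy, where only Administrators holds the user right.
RIGHT_HOLDERS = {"builtin\\administrators"}

if __name__ == "__main__":
    acl = parse_cacls(SAMPLE, "H:\\FOLDER")
    for groups in (["domain\\Domain Users"], ["BUILTIN\\Administrators"]):
        print(groups, "->",
              ownership_paths("domain\\userx", groups, acl, RIGHT_HOLDERS))
```

An empty result for an account that can nevertheless take ownership points at a membership or policy setting that differs from what was fed in, which is what the questions in the posts above are trying to establish.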
 