Group security

We have a file server (SRV1) that most of our data is on. The group Everyone
has r/w access to most of the folders with inheritance turned on. Currently,
named users have access to specific folders (SRV1\Data\IT) to grant them
read/write access.

We'd like to get away from granting access by named user and switch to using
groups. The problem I'm running into is Windows grants the most restrictive
policy when a user belongs to 2 groups. So, if Everyone has read access to
the IT folder, but the group IT should have read/write, the user ends up with
read only access.

We'd like to make this transition transparent to our users, so taking away
the Everyone group could be problematic. Are there any reports/tools to tell
which users have accessed certain folders or a way around this conflict
between the Everyone group and other named groups?

Thanks!

Kelly
 
Actually Windows will grant a user the most permissive permission when they
are a member of multiple groups for NTFS or share permissions. The exception
is that when a user has deny access based on group membership this can trump
any allow permissions. Also if both share and folder/NTFS permissions apply
to a user then the most restrictive of those two permissions will prevail
which is what you may be experiencing. In other words, if a user has read
permissions to a share and full control permissions to the folder via NTFS
permissions the user will only have read/list/execute to the folder over the
network because the share permissions are more restrictive than the NTFS
permissions.

When possible, try to configure permissions without using deny, keeping in
mind that the lack of permission is an implicit deny. Also when you are
configuring permissions be sure to logoff and logon again as the user if
group membership was changed for that user to refresh the user's access
token which contains the groups the user is a member of. The support tool
whoami can show the current groups that a logged on user is a member of in
the access token if you have any question on that. --- Steve
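An added example, not from the thread: a PowerShell script that works out a user's effective access the way Steve's reply describes. It takes the groups from the logon token with whoami /groups (so a group added since logon is missing, exactly as he says), unions the NTFS Allow ACEs, subtracts the Deny ACEs, does the same for the share permissions, and then intersects the two, since over the network the more restrictive of NTFS and share wins. The folder path D:\Data\IT and the share name Data are assumptions; it is meant to be saved as a .ps1 and run on the file server by the user being checked (or with -Identities set to another account's name plus the group list from that account's own whoami /groups output).

```powershell
# Added example, not from the thread: combine NTFS and share permissions for one
# identity set. Path, share name and the default identity set are assumptions.
param(
    [string]$Path      = 'D:\Data\IT',   # assumed local path of the shared folder
    [string]$ShareName = 'Data',         # assumed SMB share that exposes it
    [string[]]$Identities                # account plus its token groups; defaults to the caller
)

# 1. Identities that count: the user plus every group in the logon token.
#    whoami /groups reads the token built at logon, so a group added since
#    then is absent until the user logs off and on again.
if (-not $Identities) {
    $Identities = @("$env:USERDOMAIN\$env:USERNAME") +
        ((whoami /groups /fo csv | ConvertFrom-Csv).'Group Name')
}

# 2. NTFS: union of Allow ACEs for any matching identity, Deny bits removed.
#    Simplified rule: the real evaluation walks the DACL in canonical order
#    (explicit before inherited), so an explicit Allow can beat an inherited
#    Deny; with no Deny ACEs at all, as in Kelly's setup, the result is the same.
$allow = 0; $deny = 0
foreach ($ace in (Get-Acl -Path $Path).Access) {
    if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
    $bits = [int]$ace.FileSystemRights
    if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits }
    else                                    { $deny  = $deny  -bor $bits }
}
$ntfs = $allow -band (-bnot $deny)

# 3. Share: map Full/Change/Read onto the closest NTFS mask (Change ~ Modify,
#    Read ~ ReadAndExecute), then apply the same union-minus-deny rule.
$shareMask = @{
    Full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    Change = [int][System.Security.AccessControl.FileSystemRights]::Modify
    Read   = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}
$sAllow = 0; $sDeny = 0
foreach ($ace in (Get-SmbShareAccess -Name $ShareName)) {
    if ($Identities -notcontains $ace.AccountName) { continue }
    if (-not $shareMask.ContainsKey([string]$ace.AccessRight)) { continue }  # skip Custom
    $bits = $shareMask[[string]$ace.AccessRight]
    if ($ace.AccessControlType -eq 'Allow') { $sAllow = $sAllow -bor $bits }
    else                                    { $sDeny  = $sDeny  -bor $bits }
}
$share = $sAllow -band (-bnot $sDeny)

# 4. Over the network the two masks are intersected: whichever is narrower wins.
#    With the share left at Everyone - Full Control, OverNetwork equals NtfsEffective.
[pscustomobject]@{
    Identities     = ($Identities -join ', ')
    NtfsEffective  = [System.Security.AccessControl.FileSystemRights]$ntfs
    ShareEffective = [System.Security.AccessControl.FileSystemRights]$share
    OverNetwork    = [System.Security.AccessControl.FileSystemRights]($ntfs -band $share)
}
```

If the IT group appears in the folder's ACL but not in the Identities column of the output, the token is the problem, not the ACL; that is the check Joe and Steve suggest in the replies that follow. A user who belongs to both Everyone (Read) and IT (Modify) should show Modify in NtfsEffective, because the Allow bits are OR-ed together.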
 
We leave the share permissions as the default of Everyone - Full Control and
restrict access through the NTFS permissions. Also, we don't use the deny
permissions.

Windows definitely is not giving the most permissive access if the user is
part of 2 named groups. It's giving the most restrictive access.
 
It doesn't work that way, never has, and I have been doing this a long time.
Something else is going on, you need to figure it out.

I would start by verifying that the security token contains the groups that you
think it does. Most likely it doesn't, either due to a scope issue or someone
didn't log off and log back on after being added to a group.

joe
 
It sounds like the user's security token does not have the correct group
membership. Use whoami /groups to verify if it does or not. If not then it
is possible that changes to the domain global group have not propagated to
the domain controller used to authenticate the user. --- Steve
 
I did some more testing - created a couple of test users, groups and a new
directory. Those all worked fine. Then, I stopped inheritance on one of my
problem folders (copying the permissions), applied the changes, reapplied
inheritance and permissions are working as expected. Thanks for your help!

Kelly
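Kelly's fix as a script, added here and not part of the thread; the folder path is an assumption. icacls /inheritance:d disables inheritance while keeping explicit copies of the inherited ACEs, /inheritance:e turns inheritance back on, and /verify flags ACLs that are not in canonical order (Deny after Allow, or inherited before explicit), which Windows then evaluates in that wrong order. Comparing the SDDL before and after shows whether the disable/enable round trip actually changed anything.

```powershell
# Added example, not from the thread: scripted version of the disable/re-enable
# inheritance step, with a canonical-order check. The path is an assumption.
$folder = 'D:\Data\IT'   # assumed problem folder

# Snapshot the security descriptor so before and after can be compared.
$before = (Get-Acl -Path $folder).Sddl

# Disable inheritance, converting inherited ACEs into explicit copies
# (the "copy" choice in the GUI) ...
icacls $folder /inheritance:d | Out-Null
# ... then re-enable it so the parent's ACEs are inherited again. Note that the
# explicit copies from the previous step remain alongside the re-inherited ones.
icacls $folder /inheritance:e | Out-Null

$after = (Get-Acl -Path $folder).Sddl
if ($before -ne $after) {
    Write-Warning "DACL on $folder changed during the round trip; review it:"
    icacls $folder
}

# Report any ACL under the folder that is not in canonical order; a
# non-canonical DACL is a plausible reason for an Allow not taking effect.
icacls $folder /verify /T /C
```

Run it from an elevated prompt on the file server, since icacls needs WRITE_DAC on the folder to change inheritance.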
 