Made a file share "Shares" on a folder directly under a hard drive (let's call it E:) in a Windows Server 2016 box. Server is part of the domain "domain.com".

Sharing permissions - Everyone:Full-Control.
NTFS permissions - Left the default permissions
(Meaning it has entries for SYSTEM, CREATOR OWNER, Administrators. I added domain admins too, which should be irrelevant for what follows.)

Two sub-folders of that share:

  • share1 - NTFS permissions added: user1@domain.com (Full Control)
  • share2 - NTFS permissions added: user2@domain.com (Full Control)

user1 and user2 are unprivileged users.

What I would expect in that setup is that user1 can view, edit, modify everything in share1, but he cannot view or even list the items in share2, much less edit them. And equivalent for user2.

However, what DOES happen is that both user1 and user2 can view and read every single folder and file in both share1 and share2. They cannot modify files, but they can read them. Yet I have not ever set any permission for them to do so. I do not want them to read files or even be able to enumerate them. If I run the "Effective Access" from the Advanced tab in the Security window, this gives exactly the same picture. It forbids modification but not Read.

What I noticed is that the default permissions for the hard drive E: itself include entries for LOCAL users:

servername\Users

And they have read/write and list etc permissions. And they inherit to every subfolder including share1 and share2

When I change the permissions of these local users directly on the hard drive to "this folder only", then the permissions are no longer inherited on all subfolders.

AND THEN THE SHARING BEHAVES AS I WOULD HAVE EXPECTED IT:

  • User1 can view/edit files in share1 but cannot see share2.
  • User2 can view/edit files in share2 but cannot see share1.

So after this lengthy introduction, here is my question:

How come a LOCAL user account somehow interferes with the permissions of specifically named domain users?

It is as if the domain users get "mapped" to the local user group "servername\Users", but does this make any sense? Or is there something else going on here?

nepdev
  • Please post the effective rights of share1 and share2. There is something not set correctly. – yagmoth555 Jun 02 '22 at 18:50
  • The local Users group contains the Authenticated Users identity by default, I believe. You have to validate your share/folder permissions when configured. Also there are some rather open folder permissions on the root of drives unless changed. It sounds like no one bothered checking this until now. – Greg Askew Jun 02 '22 at 19:37
  • @yagmoth555: The effective permissions on the share show exactly the same as what I describe - user1 can read/write both shares, same for user2. My point is that by ONLY removing the LOCAL user group "Users" those permissions work as I would expect - so the Read/Write privilege for domain users is factually inherited from the Local\Users group - which makes no sense to me. – nepdev Jun 07 '22 at 11:41
  • @GregAskew: thanks - this pointed me in the right direction. – nepdev Jun 07 '22 at 11:44
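The diagnosis and the fix described in the question, written out as an added PowerShell example (this is not code from the original post). It assumes the share root is E:\Shares with share1 and share2 beneath it. Get-Acl reports the local Users group as BUILTIN\Users rather than servername\Users, and the script assumes the drive-root entries for that group carry specific (non-generic) FileSystemRights values, as the Windows default drive-root ACL does, so they can be re-created with the same rights but no inheritance. Run it elevated, and keep in mind that narrowing the drive root affects every folder on the volume that still inherits from it, not just the share.

```powershell
# Added example, not code from the original post. Assumes E:\Shares holds
# share1 and share2 and that the drive root still carries the default ACL.
$DriveRoot = 'E:\'
$ShareRoot = 'E:\Shares'

# 1. Every ACE on the drive root with its inheritance settings. Entries whose
#    InheritanceFlags include ContainerInherit/ObjectInherit flow down to
#    share1 and share2 regardless of the ACEs added on those folders.
(Get-Acl -Path $DriveRoot).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType,
                 InheritanceFlags, PropagationFlags -AutoSize

# 2. For each sub-folder of the share, list only the ACEs it inherited. This
#    is where BUILTIN\Users (shown as servername\Users in the GUI) turns up
#    with Read/Execute, granting every member of that group read access.
Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
    $folder = $_.FullName
    (Get-Acl -Path $folder).Access | Where-Object IsInherited | ForEach-Object {
        [pscustomobject]@{
            Folder   = $folder
            Identity = $_.IdentityReference
            Rights   = $_.FileSystemRights
        }
    }
} | Format-Table -AutoSize

# 3. The fix from the question: keep the BUILTIN\Users entries on the root but
#    scope them to "This folder only" so nothing below inherits them.
#    Assumption: the root entries use specific FileSystemRights values, as the
#    Windows default drive-root ACL does, so they can be re-created verbatim.
$rootAcl = Get-Acl -Path $DriveRoot
$usersAces = @($rootAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
    $_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None
})
foreach ($ace in $usersAces) {
    $null = $rootAcl.RemoveAccessRuleSpecific($ace)
    $scoped = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ace.IdentityReference,
        $ace.FileSystemRights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        $ace.AccessControlType)
    $rootAcl.AddAccessRule($scoped)
}
Set-Acl -Path $DriveRoot -AclObject $rootAcl

# 4. Verify: re-run step 2. With the root entries scoped, share1 should show
#    only user1's explicit ACE plus SYSTEM/Administrators, and share2 likewise.
```

Step 2 is the check worth running first: if BUILTIN\Users appears with IsInherited = True on share1 and share2, the read access the question describes comes from the drive root, not from anything set on the sub-folders, and the "Effective Access" result in the GUI will agree. The same step, run after step 3, confirms the inherited entries are gone before any user is asked to retest.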

1 Answer

Found the answer.

Factually, BY DEFAULT in Windows 10, the group "MyDomain\Domain Users" gets added to the Local Users group automatically, as soon as the computer joins a domain.

This is a tripwire of magnitude - local users are, security-wise, a completely different thing than domain users.

Why Microsoft made the decision to identify the two is not comprehensible.

nepdev
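To confirm the group nesting the answer describes, as an added PowerShell example that is not part of the original answer: it assumes the server is domain-joined, that user1 is a domain account, and that Get-LocalGroupMember is available (it ships with Windows Server 2016 and later). The group names it searches for are the ones mentioned in the thread.

```powershell
# Added example, not code from the original answer. Run on the domain-joined
# server; Get-LocalGroupMember ships with Windows Server 2016 and later.

# 1. Members of the local Users group. Besides local accounts, a domain-joined
#    machine normally lists NT AUTHORITY\Authenticated Users and
#    NT AUTHORITY\INTERACTIVE here, and the answer reports DOMAIN\Domain Users.
Get-LocalGroupMember -Group 'Users' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 2. The local Users group is the well-known BUILTIN\Users (S-1-5-32-545);
#    the GUI shows it as servername\Users and Get-Acl as BUILTIN\Users.
$usersSid = ([System.Security.Principal.NTAccount]'BUILTIN\Users').Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
"BUILTIN\Users resolves to $usersSid"

# 3. From a session running as user1 (e.g. runas /user:DOMAIN\user1 powershell),
#    show the groups in the access token. Any membership path that puts
#    BUILTIN\Users in the token is enough for the drive-root ACE, and therefore
#    the inherited Read, to apply to that user.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Group Name' -match 'BUILTIN\\Users|Authenticated Users|Domain Users' } |
    Format-Table 'Group Name', SID -AutoSize
```

Step 3 is the decisive check: NTFS evaluates the SIDs in the caller's token, so a domain user whose token contains S-1-5-32-545 matches a BUILTIN\Users ACE exactly as a local account would. Whether that SID arrives via Domain Users or via Authenticated Users, the effect on the drive-root entry is the same.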