2

On my server, the IUSR_MYSERVER account has write access to some directories. I know this because if you check effective permissions, it says it can "Create Files / Write Data" and "Create Folders / Append Data". The trouble is, if I go look at permissions that are defined, the IUSR_MYSERVER account only had Read & Execute permissions, and nothing more.

This account isn't a member of any groups. What are some things I can check to determine how this account has access to write to files?

Edit: Here is a list of permissions defined for the directory:

```
Allow   Domain Users (MYDOMAIN\Domain Users)    Read & Execute
Allow   CMS Account (Specific account from our CMS that uploads content)    Modify
Allow   Internet Guest Account (MYSERVER\IUSER_MYSERVER)    Read & Execute
Allow   Launch IIS Process Account (MYSERVER\IWAM_MYSERVER) Read & Execute
Allow   Web Group (MYDOMAIN\Web Group) (This is a group of users who work on the website)   Modify
Allow   Administrators (MYSERVER\Administrators)    Full Control
Allow   CREATOR OWNER   Full Control
Allow   SYSTEM  Full Control
Allow   Users (MYSERVER\Users)  Special (Allowed: Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Read Permissions  Denied:  None)
Allow   users (MYSERVER\Users)  Read & Execute
```
Brad

3 Answers

3

An account doesn't necessarily have to be a member of groups to pick up permissions that aren't specifically defined; the Authenticated Users and Pre-Windows 2000 Compatible Access groups are a couple common examples.

If you can post the permissions list for the directory, stripping out any private info, that may help to find the source.

Shane Madden
  • I have edited my post with a list of permissions. I don't see anything that could be the source of trouble. Would you mind taking a look? – Brad Mar 25 '11 at 16:10
  • 2
    @Brad By default, `Authenticated Users` is a member of `Users`. That's likely granting the rights in question. – Shane Madden Mar 25 '11 at 16:30
3

Accounts are always members of some groups. In Windows these are referred to as implicit groups or identities. Some examples of this are Everyone, Self, Interactive, and Authenticated Users. For 2003 the list of what they are and what they contain can be found here; for 2008 and above the list can be found here.

Jim B
  • Thanks for those links, that is most helpful. However, none of these implicit groups seem to apply here. I have posted a list of permissions for the folder in question. Would you mind taking a look? – Brad Mar 25 '11 at 16:10
0

The account is in "Users", which has the rights you say you're confused by.

mfinni
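The explanation reached in the answers and comments above (the account picks up `Users` through `Authenticated Users`), worked through as an added example that is not part of the original thread: a simplified Python model that reports which trustee's ACE grants each effective right. The ACL is transcribed from the question (with the account written as IUSR_MYSERVER); the membership table is an assumption based on the comments, and the model ignores inheritance and assumes deny ACEs take precedence.

```python
# Added illustration: simplified model of effective rights from ACEs plus
# implicit/nested group membership. Not the Windows access-check API.
RX = {"Traverse Folder / Execute File", "List Folder / Read Data",
      "Read Attributes", "Read Extended Attributes", "Read Permissions"}
WRITE = {"Create Files / Write Data", "Create Folders / Append Data"}
MODIFY = RX | WRITE | {"Write Attributes", "Write Extended Attributes", "Delete"}
FULL = MODIFY | {"Delete Subfolders and Files", "Change Permissions", "Take Ownership"}

# ACL transcribed from the question: (type, trustee, rights).
ACL = [
    ("allow", "MYDOMAIN\\Domain Users", RX),
    ("allow", "CMS Account", MODIFY),
    ("allow", "MYSERVER\\IUSR_MYSERVER", RX),
    ("allow", "MYSERVER\\IWAM_MYSERVER", RX),
    ("allow", "MYDOMAIN\\Web Group", MODIFY),
    ("allow", "MYSERVER\\Administrators", FULL),
    ("allow", "CREATOR OWNER", FULL),
    ("allow", "SYSTEM", FULL),
    ("allow", "MYSERVER\\Users", RX | WRITE),  # the "Special" entry
    ("allow", "MYSERVER\\Users", RX),
]

# Assumed memberships: implicit identities for an authenticated logon, plus
# the default nesting of Authenticated Users in Users noted in the comments.
MEMBER_OF = {
    "MYSERVER\\IUSR_MYSERVER": {"Everyone", "Authenticated Users"},
    "Authenticated Users": {"MYSERVER\\Users"},
}

def token_identities(account, member_of):
    """Return the account plus every group reachable through nesting."""
    seen, todo = set(), [account]
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo.extend(member_of.get(name, ()))
    return seen

def effective_rights(account, acl, member_of):
    """Map each effective right to the set of trustees whose ACEs grant it."""
    ids = token_identities(account, member_of)
    denied = set().union(*[r for kind, who, r in acl if kind == "deny" and who in ids])
    granted = {}
    for kind, who, rights in acl:
        if kind == "allow" and who in ids:
            for right in rights - denied:
                granted.setdefault(right, set()).add(who)
    return granted
```

Calling `effective_rights("MYSERVER\\IUSR_MYSERVER", ACL, MEMBER_OF)` shows the two write rights coming only from the `MYSERVER\Users` entry, which is the ACE to tighten if the web account should not be able to write.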