
On server1 I have E:\data\ that contains the home folders and shared department folders in it. Everyone has full share rights, then the rights are restricted appropriately through NTFS permissions.

When I connect to the share \\server1\data\ from a test user, everything works correctly and shows up as it should.

So then I set up a replication group to replicate E:\data from server1 to server2 E:\data. I wait about 10 minutes or so and see that everything has been replicated correctly. E:\data on server2 has everything, and the NTFS permissions are there. So it's copying the NTFS permissions from server1 correctly, or so it appears.

I then share server2 E:\data - the same way I did with server1 - everyone has full control. With the NTFS permissions restricting what they can see.

The problem is that when the same test user, connects to the share \\server2\data, for some reason the test user can see and has full rights to everything... even though I verified that E:\data on server2 has the correct NTFS permissions, replicated from server1.

So basically, on the second server, even though it appears everything is replicating correctly, the permissions aren't working. It's like they're there but aren't being used somehow?

Here is a screenshot of a folder where the user shouldn't have access: [screenshot not reproduced]


1 Answer


I suspect that you don't have Access-Based Enumeration enabled on the secondary server, and this gives you the notion of the users having full access to everything. DFS-R does replicate the NTFS settings over (unless you muck around with NTFS settings on the primary folder BEFORE syncing).

ABE is something you normally only configure on the DFS share, as users are pointed against those instead of directly accessing a server.

Please check the following setting: [screenshot not reproduced]

EDIT after a longer comment discussion below

The local Users group has access to the folder, which also grants "Domain Users" access to it (they're joined).

  • ABE is enabled for the entire namespace through the DFS Management utility, but I also went to the share on server2 and enabled ABE there as well. It seemed to have no effect. But also, it's not just that they can see everything. This test user should have 0 rights to a certain folder, but I can rename it, delete it, create new things inside of it... – Jeremy Feb 06 '14 at 14:01
  • @Jeremy are you using creator owner on these shares? If so, check the owner of the folder(s) – pauska Feb 06 '14 at 14:08
  • the creator owner permission is still in there yes, I didn't remove it. But I verified that the owner on all of these folders is the local server1\administrator account. – Jeremy Feb 06 '14 at 14:13
  • @Jeremy this really doesn't make any sense.. can you provide a screenshot of the advanced NTFS rights on one of the folders where the user shouldn't have access? – pauska Feb 06 '14 at 15:25
  • Sure - I don't know how to embed the picture but here's a [link](http://imgur.com/bz8G3MH).........So in this picture, the user in question is not in either the jsab_ins_speced group nor is she in the services_jsabadmin group. But she can still access it via \\server2\data and has full rights to it. – Jeremy Feb 06 '14 at 15:48
  • @Jeremy You have the "Users" group on that NTFS object. It means that any local or domain user has access. – pauska Feb 06 '14 at 15:58
  • But that is the local\users group on the server, not the domain users. DFSSTARKEY is the server name. Wouldn't that only apply if the user logged in locally to the server? – Jeremy Feb 06 '14 at 16:10
  • I am making the change to see if that works. Maybe I'm not understanding it correctly. – Jeremy Feb 06 '14 at 16:11
  • Wow... that fixed the problem. I cannot thank you enough for your help. This had me scratching my head for two days now. I am confused by how a local user right is affecting someone that's connecting to a share? – Jeremy Feb 06 '14 at 16:19
  • @Jeremy Domain Users is a member of the local "Users" group on domain-joined clients/servers. Same goes for the Administrators group. – pauska Feb 06 '14 at 17:14
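The following script is an added example, not code from the question, the answer or the comments. It shows, on the file server itself, why an ACE for the local Users group reaches every domain account (the local group's membership includes "DOMAIN\Domain Users" on a domain member), then walks a share root and reports every Allow ACE granted to such broad principals, and optionally removes the explicit BUILTIN\Users entry that fixed the thread's problem. It assumes the share root is E:\data as in the question; the `-Fix` switch, the function names and the suggested file name are this script's own. The group names are Windows well-known principals; Explorer's Security tab displays BUILTIN\Users as "<SERVERNAME>\Users", which is the "DFSSTARKEY\Users" entry seen in the thread. Run it elevated on server2.

```powershell
<#
  Added example (not from the original question or answer).
  Audits a share root for NTFS Allow ACEs granted to broad principals and,
  with -Fix, removes the explicit BUILTIN\Users entry. Assumptions: the root
  is E:\data (from the question); -Fix and the function names are this
  script's own. Run elevated on the file server.
#>
[CmdletBinding()]
param(
    [string]$Root = 'E:\data',
    [switch]$Fix
)

# Principals that quietly include every domain account on a domain-joined server.
# The Explorer Security tab shows BUILTIN\Users as "<SERVERNAME>\Users".
$broad = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users'
)

function Get-LocalUsersMembers {
    # Why an ACE for BUILTIN\Users reaches users coming in over the share: on a
    # domain member, "DOMAIN\Domain Users" is added to the local Users group when
    # the machine joins the domain. Get-LocalGroupMember needs the LocalAccounts
    # module (Windows PowerShell 5.1+); "net localgroup Users" shows the same list.
    Get-LocalGroupMember -Group 'Users' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Find-BroadAce {
    param([string]$Path)
    # Root first, then every subfolder; report each Allow ACE for a broad principal.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        $acl = Get-Acl -LiteralPath $f.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $f.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # $false = explicit ACE set on this folder
                    Owner     = $acl.Owner
                }
            }
        }
    }
}

function Remove-ExplicitAce {
    param([string]$Path, [string]$Identity)
    # icacls /remove:g drops the explicit grant for the identity on this object;
    # inherited copies in subfolders disappear once the parent's entry is gone.
    # icacls is used instead of Set-Acl because Set-Acl also rewrites the owner
    # and fails when the caller is not permitted to assign that owner.
    & icacls.exe $Path /remove:g "$Identity" | Out-Null
    return $LASTEXITCODE
}

Write-Host "== Members of local group 'Users' on $env:COMPUTERNAME =="
Get-LocalUsersMembers | Format-Table -AutoSize

Write-Host "== Allow ACEs for broad principals under $Root =="
$findings = @(Find-BroadAce -Path $Root)
$findings | Sort-Object Path | Format-Table -AutoSize

if ($Fix) {
    # Only explicit BUILTIN\Users entries are touched; review the table first.
    $findings | Where-Object { -not $_.Inherited -and $_.Identity -eq 'BUILTIN\Users' } |
        ForEach-Object {
            $rc = Remove-ExplicitAce -Path $_.Path -Identity 'BUILTIN\Users'
            Write-Host ("{0}: icacls exit code {1}" -f $_.Path, $rc)
        }
}
```

Saved as, say, Audit-BroadAce.ps1, run `.\Audit-BroadAce.ps1 -Root E:\data` first and read the table: an explicit BUILTIN\Users entry on the share root is exactly what the thread ended up removing, and the Inherited column tells you which folder to fix. Re-run with `-Fix` to remove it, then re-run the audit and test from a domain account that is in none of the intended groups. The same check applies on server1, since DFS-R replicates the ACL and a broad ACE that slips into the primary will be copied to every member.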