I don't get NTFS permissions

    jM2.me


    I have been playing with NTFS permissions on a shared folder; we will call it UserFolder. It has inheritance disabled, the local administrators group is the owner, and the following permissions are set:
    • local administrators group has full control to this folder, subfolders, and files
    • system has full control to this folder, subfolders, and files
    • creator owner has full control to subfolders and files only
    • everyone has special permissions to list folders/read data, read attributes, read extended attributes, create folders/append data, and read permissions. Applies to this folder only
    • Ninja Administrators group has full control to this folder, subfolders, and files

    Great! Now anyone with access to this folder, through the share or locally, can create their own folder in this folder or share (again, depending on how it is accessed). Other users should not have access to other folders unless they are in the local administrators group or in the ninja administrators group. That does not seem to be the case, however, and when a member of the local administrators group, the ninja administrators group, or a member of both of those groups tries to access someone else's folder, he/she must specifically add their account to that folder and only then access the folder. If the user is a member of those groups then in the latest Windows he will get a prompt to access someone else's folder and after clicking Continue will get access. One caveat though: in the permissions for someone else's folder there is an explicit permission for other administrator users that looked into the folder.

    I was under the impression that since a user is a member of the local administrators group or the ninja administrators group, he should be able to have full control of those folders created by other users without having to explicitly add his account to their folders.

    The small office I work at is a mess when it comes to file sharing. Everything is shared with everyone, and everything and everyone is on the same network. They are set up with Active Directory, so that will help with re-configuring shares.

    One requirement is to have a share where everyone with access to it can create their own folder, for their own work files. Then, just in case a person quits or someone else has to access those files in a rush, say a manager, he must be able to get into that folder with his own administrator account. With what I described above, he will be able to, but that will leave a trace, and if his administrator account is later removed from the administrators group then he will still be able to access others' folders because he accessed them before and permissions for his account were added explicitly.

    P.S. It is a bit of an odd setup, and I have no control over it, but every employee has a user account, which is just a regular user account. Plus he/she gets their own administrator account in case a weird program we use needs an update with an administrator account (which happens daily). Some fucks like to abuse those administrator accounts, and in my time with the company I have seen a couple get their administrator account removed from the administrators group but the accounts not disabled. Again, I don't know why the accounts aren't disabled, but it probably has to do with this weird software. Once you launch it with your own administrator account it updates, and then the employee just keeps using the software running under his own administrator account. The software then creates files and whatnot, and as you might have guessed, the files created are under each user's own administrator account, unless after each update the software is closed and opened again without need for an update so just a regular user account is used.
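
The trace described in the post, an explicit permission entry left on another user's folder after an administrator account clicks Continue, can be listed with `Get-Acl`. This is an added example, not part of the original post: the share path `D:\Shares\UserFolder` is an assumed placeholder and the function name `Find-ExplicitAce` is hypothetical. In the layout the post describes, subfolders receive their entries by inheritance from UserFolder, so any entry that is not inherited was added after the folder was created and keeps working even if the account later leaves the administrators group.

```powershell
# Added example: list explicit (non-inherited) ACEs on the per-user subfolders.
# The path below and the name Find-ExplicitAce are assumptions, not from the post.
function Find-ExplicitAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    # First-level subfolders are the folders users created inside the share.
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Force) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        }
        catch {
            # An unreadable ACL is reported rather than silently skipped.
            Write-Warning "Cannot read ACL on $($dir.FullName): $($_.Exception.Message)"
            continue
        }

        foreach ($ace in $acl.Access) {
            # Inherited entries come from UserFolder and are expected.
            if ($ace.IsInherited) { continue }

            [pscustomobject]@{
                Folder      = $dir.FullName
                Owner       = $acl.Owner
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.FileSystemRights
                Inheritance = $ace.InheritanceFlags
            }
        }
    }
}

# Group by account to see which accounts hold explicit access and on how many folders.
Find-ExplicitAce -Root 'D:\Shares\UserFolder' |
    Sort-Object Identity, Folder |
    Format-Table -AutoSize
```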