I have a very strange NTFS rights phenomenon on a file server and I cannot find my mistake; I have been pulling my hair out for hours now. What am I missing?
My goal is:
- Users from Group-A should be able to write new files/folders into a folder ("add files"). They should also be able to edit those newly added files.
- At night the newly added files should be "protected" from further editing/deleting by Group-A. The right to read the files and the right to add more new files should remain.
Here is what I did:
- Create Group-A, add users
- Give Group-A (F)ull access to the folder
- Create a script that
  - deletes the inheritance bit of the files in the folder
  - removes (F)ull access to the files, leaving read-only rights
The problem is, my user(s) can edit and delete files as if they had full access. Even though the 'effective permissions' show no right to edit, they still can.
The script works fine and looks like this:
icacls d:\folder\Bild1.jpg /inheritance:d
icacls d:\folder\Bild1.jpg /remove:g Group-A
After the script has run, the NTFS permissions on file.jpg look like this (looks correct to me):
So does the icacls output:
d:\folder>icacls Bild1.jpg
Bild1.jpg WM\DomainAdmin:(F)
WM\Domänen-Admins:(F)
WM\Group-A:(RX)
The effective permissions tab of that file shows exactly the same (right) thing:
The permissions for the parent folder, users should be able to add files here, look like this:
Artweger WM\Group-A:(I)(OI)(CI)(F)
WM\Domänen-Admins:(I)(OI)(CI)(F)
If this user logs on (he is in just two groups, Domain-Users and Group-A), he can edit, delete, rename and move the file bild1.jpg. How is this possible? What does NTFS do with my glorious plans?
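The nightly "protect" step from the question, written here as an added PowerShell example (not the poster's script), assuming the D:\folder path and the WM\Group-A name shown in the icacls output above. Besides locking each file it reports the file owner and checks whether Group-A's ACE on the parent folder carries "Delete subfolders and files" (icacls DC): Full Control on the folder includes that right, and NTFS lets a principal holding it delete or rename any file in the folder regardless of the file's own ACL.

```powershell
# Added example, not the poster's script. Assumed values from the question: D:\folder, WM\Group-A.
param(
    [string]$Folder = 'D:\folder',
    [string]$Group  = 'WM\Group-A'
)

foreach ($file in Get-ChildItem -LiteralPath $Folder -File) {
    # Step 1: break inheritance but keep the inherited ACEs as explicit copies
    # (same effect as "icacls <file> /inheritance:d"). Persist before editing,
    # because RemoveAccessRule ignores entries still flagged as inherited.
    $acl = Get-Acl -LiteralPath $file.FullName
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $file.FullName -AclObject $acl

    # Step 2: drop every explicit ACE for the group, then grant read/execute only
    # (the question's "/remove:g" followed by a read-only grant).
    $acl = Get-Acl -LiteralPath $file.FullName
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group } |
        ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ReadAndExecute', 'Allow')))
    Set-Acl -LiteralPath $file.FullName -AclObject $acl

    # Step 3: report the owner. The owner of a file can always rewrite its DACL
    # and re-grant write access, which is why ownership is worth checking.
    '{0}: owner = {1}' -f $file.Name, (Get-Acl -LiteralPath $file.FullName).Owner
}

# Step 4: check the parent folder. "Delete subfolders and files" (icacls DC) on the
# folder allows deleting or renaming a child file whatever the file's own ACL says,
# and the file's Effective Permissions tab, which evaluates only the file's ACL,
# will not show it.
$folderAcl = Get-Acl -LiteralPath $Folder
foreach ($ace in $folderAcl.Access) {
    if ($ace.IdentityReference.Value -eq $Group -and
        $ace.FileSystemRights.HasFlag(
            [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)) {
        Write-Warning "$Group can delete/rename files in $Folder via DeleteSubdirectoriesAndFiles"
    }
}
```

Run it with elevated rights once, then compare its owner and folder-ACE report against the behaviour of the test user.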
I experienced a similar problem two months ago; this thread may be helpful to you.
I would first check if this happens for all files or only files that are owned by the user (change the owner to see if it still persists), as suggested by Daniel.
I would then try to set the permissions as described in the other thread, but using the detailed preference pane in Windows (the Advanced button in the lower right corner) and the Sharing tab (I don't know for certain if this is how it's done in Windows Server; in Solaris it is done this way). The basic idea is (quote from the second linked thread):