Local Users Interfere in Domain User File Sharing

I made a file share named "Shares" on a folder directly under a hard drive (let's call it E:) on a Windows Server 2016 box. The server is a member of the domain "domain.com".

Share permissions: Everyone: Full Control.
NTFS permissions: left at the defaults
(meaning it has entries for SYSTEM, CREATOR OWNER and Administrators. I added Domain Admins too, which should be irrelevant for what follows.)

Two sub-folders of that share:

  • share1 - NTFS permissions added: [email protected] (Full Control)
  • share2 - NTFS permissions added: [email protected] (Full Control)

user1 and user2 are unprivileged users.

What I would expect in that setup is that user1 can view, edit and modify everything in share1, but cannot view or even list the items in share2, much less edit them. And the equivalent for user2.

However, what DOES happen is that both user1 and user2 can view and read every single folder and file in both share1 and share2. They cannot modify files, but they can read them. Yet I have never set any permission that allows them to do so. I do not want them to read the files, or even to be able to enumerate them. If I run "Effective Access" from the Advanced tab of the Security window, it gives exactly the same picture: it forbids modification but not Read.

What I noticed is that the default permissions on the hard drive E: itself include entries for LOCAL users:

servername\Users

They have read/write, list, etc. permissions, and these are inherited by every subfolder, including share1 and share2.

When I change the permissions of these local users directly on the hard drive to "This folder only", the permissions are no longer inherited by the subfolders.

AND THEN THE SHARING BEHAVES AS I WOULD HAVE EXPECTED:

  • User1 can view/edit files in share1 but cannot see share2.
  • User2 can view/edit files in share2 but cannot see share1.

So after this lengthy introduction, here is my question:

How come a LOCAL user account somehow interferes with the permissions of specifically named domain users?

It is as if the domain users get "mapped" to the local user group "servername\Users", but does this make any sense? Or is there something else going on here?

yagmoth555:
Please post the effective rights of share1 and share2. There is something not set correctly.
The local Users group contains the Authenticated Users identity by default, I believe. You have to validate your share/folder permissions when they are configured. Also, there are some rather open folder permissions on the root of drives unless they are changed. It sounds like no one bothered checking this until now.
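The following PowerShell is an added example, not code from the original post or from either commenter. It reproduces the diagnosis described in the question and the comment above (local Users contains Authenticated Users; the drive-root ACE for BUILTIN\Users is inherited by share1 and share2) and applies the "This folder only" fix the poster used. It assumes the share folder is E:\Shares with sub-folders share1 and share2; the post only says the folder sits directly under E:, so those paths are assumptions. Run it elevated on the file server.

```powershell
# Added example (not from the original post). Run elevated on the file server.
# Assumed paths: the post does not name the folder under E:, so E:\Shares is a guess.
$DriveRoot = 'E:\'
$ShareRoot = 'E:\Shares'
$SubFolders = @("$ShareRoot\share1", "$ShareRoot\share2")

# 1. Why a domain user picks up rights that were never granted to it by name:
#    on a domain-joined machine BUILTIN\Users contains NT AUTHORITY\Authenticated Users,
#    and every domain account that has logged on is an Authenticated User.
Write-Host "== Members of the local Users group"
Get-LocalGroupMember -Group 'Users' | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Show every ACE on the sub-folders; the BUILTIN\Users entries arrive with IsInherited = True
#    because the drive root grants them with "This folder, subfolders and files".
foreach ($path in $SubFolders) {
    Write-Host "`n== ACL of $path"
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType,
                      IsInherited, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}

# 3. Confine the explicit BUILTIN\Users ACEs on the drive root to "This folder only".
#    Same rights and same allow/deny type, but InheritanceFlags = None, so nothing
#    below E:\ inherits them any more. An ACE that applied to subfolders/files only
#    (PropagationFlags InheritOnly) has no "this folder" part, so it is simply dropped
#    rather than turned into a new grant on the root.
$acl = Get-Acl -Path $DriveRoot
$usersAces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Users' -and -not $_.IsInherited
})

foreach ($ace in $usersAces) {
    $null = $acl.RemoveAccessRule($ace)
    $inheritOnly = ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
    if (-not $inheritOnly) {
        $scoped = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference,
            $ace.FileSystemRights,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            $ace.AccessControlType)
        $acl.AddAccessRule($scoped)
    }
}
Set-Acl -Path $DriveRoot -AclObject $acl

# 4. Verify: no inherited BUILTIN\Users ACE should remain on the sub-folders.
foreach ($path in $SubFolders) {
    $leftover = (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' -and $_.IsInherited }
    if ($leftover) { Write-Warning "$path still inherits a BUILTIN\Users ACE" }
    else           { Write-Host "$path : no inherited BUILTIN\Users ACE" }
}
```

NTFS permissions are additive: user1's explicit Full Control on share1 does not remove the Read & Execute that share1 inherits from the root for BUILTIN\Users, and user1 matches that ACE through Authenticated Users. Cutting the inheritance at the root (step 3) is the fix the post describes; the alternative of breaking inheritance on E:\Shares itself with Disable-Inheritance in the GUI or `$acl.SetAccessRuleProtection($true, $false)` works too but requires re-adding SYSTEM and Administrators explicitly. Do not touch the Users ACEs on the system drive with this script.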