
We created a share named "Shares" for the E:\ folder on a Windows Server 2016 domain member.

Sharing permissions: Everyone:Full-Control.

NTFS permissions - Left the default permissions for SYSTEM, CREATOR OWNER, Administrators, and Domain Admins.

The share has two folders:

share1 - NTFS permissions added: [email protected] (full control)

share2 - NTFS permissions added: [email protected] (full control).

user1 and user2 are regular user accounts.

I expect user1 can view, edit, modify everything in share1, but not view or list the items in share2. And equivalent for user2.

However, user1 and user2 can view all folders and files in share1 and share2, even though they have not been granted permissions.

I noticed the default permissions for the hard drive E: itself include entries for the local Users group:

servername\Users

That group has read/write and list permissions for the root folder and all subfolders including share1 and share2.

When I change the permissions of this local Users group to "this folder only", the permissions are no longer inherited on all subfolders.

How does the local Users group grant permissions to domain user accounts?

It is as if the domain users are "mapped" to the local group servername\Users.

Does this make sense?

Or is there another explanation?

  • Please post the effective rights of share1 and share2. There is something not set correctly. Commented Jun 2, 2022 at 18:50
  • The local Users group contains the Authenticated Users identity by default I believe. You have to validate your share/folder permissions when configured. Also there are some rather open folder permissions on the root of drives unless changed. It sounds like no-one bothered checking this until now. Commented Jun 2, 2022 at 19:37
  • @yagmoth555: The effective permissions on the share show exactly the same as what I describe - user1 can read/write both shares, same for user2. My point is that by ONLY removing the LOCAL user group "Users" those permissions work as I would expect - so the Read/Write privilege for domain users is factually inherited from the Local\Users group - which makes no sense to me. Commented Jun 7, 2022 at 11:41
  • @GregAskew: thanks - this pointed me in the right direction. Commented Jun 7, 2022 at 11:44

1 Answer

Found the answer.

Factually, BY DEFAULT in Windows 10, the group "MyDomain\Domain Users" gets added to the Local Users group automatically, as soon as the computer joins a domain.

This is a tripwire of magnitude - local users are, security-wise, a completely different thing than domain users.

Why Microsoft made the decision to identify the two is not comprehensible.
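As an added example (not code from the question or the answer above): a PowerShell session, assumed to run elevated on the Windows Server 2016 domain member with E:\share1 and E:\share2 created as in the question, that shows the BUILTIN\Users membership the answer describes, lists the ACEs inherited from E:\ into both share folders, and applies the "this folder only" change from the question to the root Users entries. The two helper function names are my own, not built-in cmdlets.

```powershell
# Added example, not code from the original question or answer.
# Assumes: an elevated PowerShell 5.1 session on the Windows Server 2016 domain
# member, with E:\share1 and E:\share2 already created as in the question.
# Show-FolderAces and Restrict-RootUsersAce are my own helper names.

# 1. Why a *local* group grants rights to *domain* accounts: on a domain member
#    "<DOMAIN>\Domain Users" is a member of BUILTIN\Users, so every domain user
#    receives whatever BUILTIN\Users is granted on the drive.
Get-LocalGroupMember -Group 'Users' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. List every ACE on a folder, flagging inherited ones, to see the
#    BUILTIN\Users entries flowing down from E:\ into share1 and share2.
function Show-FolderAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Path        = $Path
            Identity    = $_.IdentityReference.Value
            Rights      = $_.FileSystemRights
            Type        = $_.AccessControlType
            Inherited   = $_.IsInherited
            Inheritance = $_.InheritanceFlags
            Propagation = $_.PropagationFlags
        }
    }
}

'E:\', 'E:\share1', 'E:\share2' |
    ForEach-Object { Show-FolderAces -Path $_ } |
    Format-Table -AutoSize

# 3. The change the question settled on: rewrite each explicit BUILTIN\Users ACE
#    on the drive root as "this folder only" (no ContainerInherit/ObjectInherit)
#    so it stops propagating into the share folders. Root ACEs marked InheritOnly
#    never applied to the root itself, so there is nothing of them to keep.
#    Set-Acl re-propagates, which drops the inherited copies from the children.
function Restrict-RootUsersAce {
    param([Parameter(Mandatory)][string]$Root)
    $acl = Get-Acl -Path $Root
    $explicit = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and -not $_.IsInherited
    })
    foreach ($ace in $explicit) {
        $acl.RemoveAccessRuleSpecific($ace)
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) {
            continue
        }
        $thisFolderOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, $ace.FileSystemRights,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            $ace.AccessControlType)
        $acl.AddAccessRule($thisFolderOnly)
    }
    Set-Acl -Path $Root -AclObject $acl
}

Restrict-RootUsersAce -Root 'E:\'

# 4. Verify: share2 should now carry no BUILTIN\Users ACE, so user1 (who reaches
#    it only through Domain Users -> BUILTIN\Users) no longer has read access.
Show-FolderAces -Path 'E:\share2' | Format-Table -AutoSize
```

Step 1 is the check that answers the question directly: if `Get-LocalGroupMember` lists `<DOMAIN>\Domain Users` with `PrincipalSource` set to ActiveDirectory, the local Users ACEs on E:\ apply to every domain account, and the per-folder user1/user2 entries are simply additive on top of that inherited read/write. Step 3 only touches explicit (non-inherited) entries for BUILTIN\Users and leaves SYSTEM, CREATOR OWNER, Administrators and Domain Admins untouched.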
