Sign in with
Sign up | Sign in
Your question

Everyone take ownership

Last response: in Windows 2000/NT
Share
Anonymous
June 13, 2005 10:57:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,
we have a network share. I change its permissions so only GROUPA and
GROUPB have Full Control, no other entries. However, someone who is not
in GROUPA or GROUPB can claim Ownership of the folder. He does not have
read access or anything like I want it, but taking ownership nulls and
voids everything.

What is causing this? Windows Default for everyone is "Take Ownership"??

Regards,
Antti H

More about : ownership

Anonymous
June 13, 2005 11:43:16 AM

Archived from groups: microsoft.public.win2000.security (More info?)

AnttiH wrote:
> Hi,
> we have a network share. I change its permissions so only GROUPA and
> GROUPB have Full Control, no other entries. However, someone who is not
> in GROUPA or GROUPB can claim Ownership of the folder. He does not have
> read access or anything like I want it, but taking ownership nulls and
> voids everything.
>
> What is causing this? Windows Default for everyone is "Take Ownership"??
>
> Regards,
> Antti H
Looks like the permission is inherited from the parent folder. Very odd.

Is it not possible to define a folder on a drive that only certain
people can access, no matter who owns the parent?

Antti H
Anonymous
June 13, 2005 11:43:17 AM

Archived from groups: microsoft.public.win2000.security (More info?)

In your initial posting you spoke of share permissions, which
are found with the Permission button on the Sharing tab in the
properties of a folder. It is now apparent that you are speaking
of the NTFS permissions of the folder.

Yes, defining a folder to have just a specific, intended set
of NTFS permissions is possible. Uncheck the box in the
NTFS Security dialog that indicates the folder is allowed
to inherit from its parent folder. Also, use the Advanced
tab to see whether there are any grants or denies that are
special and being masked from view in the generic permission
view of the settings.

--
Roger Abell
Microsoft MVP (Windows Security)

"AnttiH" <gumfire@despammed.com> wrote in message
news:o Oare.48$Ak.30@read3.inet.fi...
> AnttiH wrote:
> > Hi,
> > we have a network share. I change its permissions so only GROUPA and
> > GROUPB have Full Control, no other entries. However, someone who is not
> > in GROUPA or GROUPB can claim Ownership of the folder. He does not have
> > read access or anything like I want it, but taking ownership nulls and
> > voids everything.
> >
> > What is causing this? Windows Default for everyone is "Take Ownership"??
> >
> > Regards,
> > Antti H
> Looks like the permission is inherited from the parent folder. Very odd.
>
> Is it not possible to define a folder on a drive that only certain
> people can access, no matter who owns the parent?
>
> Antti H
Related resources
Anonymous
June 14, 2005 3:08:46 AM

Archived from groups: microsoft.public.win2000.security (More info?)

In a machine's default, as installed, condition any member of
the Administrators group can take ownership of anything in
the NTFS filesystem.
If the accounts taking ownership are not logging into the
machine that is source of the share as admins, then the info
in the other posting I have just made applies.

--
Roger Abell
Microsoft MVP (Windows Security)

"AnttiH" <gumfire@despammed.com> wrote in message
news:o Oare.48$Ak.30@read3.inet.fi...
> AnttiH wrote:
> > Hi,
> > we have a network share. I change its permissions so only GROUPA and
> > GROUPB have Full Control, no other entries. However, someone who is not
> > in GROUPA or GROUPB can claim Ownership of the folder. He does not have
> > read access or anything like I want it, but taking ownership nulls and
> > voids everything.
> >
> > What is causing this? Windows Default for everyone is "Take Ownership"??
> >
> > Regards,
> > Antti H
> Looks like the permission is inherited from the parent folder. Very odd.
>
> Is it not possible to define a folder on a drive that only certain
> people can access, no matter who owns the parent?
>
> Antti H
Anonymous
June 14, 2005 9:01:17 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Roger Abell wrote:
> In your initial posting you spoke of share permissions, which
> are found with the Permission button on the Sharing tab in the
> properties of a folder. It is now apparent that you are speaking
> of the NTFS permissions of the folder.
>
> Yes, defining a folder to have just a specific, intended set
> of NTFS permissions is possible. Uncheck the box in the
> NTFS Security dialog that indicates the folder is allowed
> to inherit from its parent folder. Also, use the Advanced
> tab to see whether there are any grants or denies that are
> special and being masked from view in the generic permission
> view of the settings.
>

Thanks for your response.
The folder in question is shared over network, but apparently NTFS
permissions are affecting it. It is shared from W2000 Server. I have no
further detail of this, I can click properties for the folder then
security tab and there.

There are no Advanced permissions besides the ones that I have set in
the "generic" permissions page.
What does the last "Effective Permissions" mean? When I select a group
from our AD with the select.. button they have NO "Effective
Permissions", but when I select a certain user, he has all permissions,
even though he is NOT listed on any of the permissions tabs?

This person used to be in a group which had permission into the folder,
can this be cached somehow?

Cheers,

AnttiH
Anonymous
June 14, 2005 9:01:18 AM

Archived from groups: microsoft.public.win2000.security (More info?)

The share permissions are viewed/set when using an admin
interface on the machine that is sharing-out (or with a remote
tool allowing the same).

After the drive is mapped one sees the NTFS permissions as
these have been set on the actual storage.

An account will have access to the extent NTFS permissions
are granted (and not denied) directly to the account and/or to
any group in which the account is a member, but when the
access is over the network the account will have these only
to the extent that they do not exceed the share level permissons
granted and not denied to the account. The share level permissions
will never increase permissions beyond what is within the NTFS
permissions, they will only allow all the NTFS grants less denies
or the share level permissions might reduce these.

The effective permissions tab will show what access would
be allowed to a principal due to the existing grants and denies
but, as the description states, this only considers direct group
memberships - so long chains of group nesting and share level
permissions imposed on a then current mapping are not taken
into account.

If the permissions are inherited from the parent folder, and
you have access only to the share as a mapped drive then
there is no real way for you to affect what is being inherited.

As you have said that only GroupA and GroupB have any
grants to them, and there are no other grants showing only
in the Advanced view, then we have something of a mystery.

Can you open a cmd prompt and issue
cacls X: > c:\perms.txt
where X: is the letter to which the share has been mapped
and c:\perms.txt is any file to which you want the output
redirected. The content of this file will have all NTFS
setting in effect on the mapped folder.

In order to Take ownership and account would need to
either be in GroupA or GroupB (which have grants of Full)
based on what you have said, that there are no other grants.
Posting here the results stored into that c:\perms.txt file
would help us verify that this is so.

--
Roger Abell
Microsoft MVP (Windows Security)

"AnttiH" <gumfire@despammed.com> wrote in message
news:xwtre.10$Hp3.8@read3.inet.fi...
> Roger Abell wrote:
> > In your initial posting you spoke of share permissions, which
> > are found with the Permission button on the Sharing tab in the
> > properties of a folder. It is now apparent that you are speaking
> > of the NTFS permissions of the folder.
> >
> > Yes, defining a folder to have just a specific, intended set
> > of NTFS permissions is possible. Uncheck the box in the
> > NTFS Security dialog that indicates the folder is allowed
> > to inherit from its parent folder. Also, use the Advanced
> > tab to see whether there are any grants or denies that are
> > special and being masked from view in the generic permission
> > view of the settings.
> >
>
> Thanks for your response.
> The folder in question is shared over network, but apparently NTFS
> permissions are affecting it. It is shared from W2000 Server. I have no
> further detail of this, I can click properties for the folder then
> security tab and there.
>
> There are no Advanced permissions besides the ones that I have set in
> the "generic" permissions page.
> What does the last "Effective Permissions" mean? When I select a group
> from our AD with the select.. button they have NO "Effective
> Permissions", but when I select a certain user, he has all permissions,
> even though he is NOT listed on any of the permissions tabs?
>
> This person used to be in a group which had permission into the folder,
> can this be cached somehow?
>
> Cheers,
>
> AnttiH
Anonymous
June 14, 2005 9:02:22 AM

Archived from groups: microsoft.public.win2000.security (More info?)

AnttiH wrote:
> It is shared from W2000 Server. I have no
> further detail of this, I can click properties for the folder then
> security tab and there.

To clarify, the folder is on a mapped drive.

AnttiH
Anonymous
June 14, 2005 4:51:11 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Roger Abell wrote:

> Can you open a cmd prompt and issue
> cacls X: > c:\perms.txt
> where X: is the letter to which the share has been mapped
> and c:\perms.txt is any file to which you want the output
> redirected. The content of this file will have all NTFS
> setting in effect on the mapped folder.
>
> In order to Take ownership and account would need to
> either be in GroupA or GroupB (which have grants of Full)
> based on what you have said, that there are no other grants.
> Posting here the results stored into that c:\perms.txt file
> would help us verify that this is so.
>

Hi.


This is cacls H:\FOLDER, which is the folder we want to make secure.
H:\FOLDER BUILTIN\Administrators:( OI)(CI)F
domain\groupA:( OI)(CI)F
domain\groupB:( OI)(CI)F

The person who "has permission to take ownership" is NOT in any of these
groups. Not inherited or anything. The person however has Full Control
on the H:\ -drive.

Hope this helps,
AnttiH
Anonymous
June 14, 2005 4:51:12 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Looks OK. The person you mention (meaning one of the accounts that
they can use, that shows up as owner) is not a member of Administrators
group on the machine where H: is native (shared-from) ?
You are sure that they are changing an object that pre-existed with
different settings (as compared to looking at a newly created object) ?
Finally, you know that they are not in a group that is in any of the
three named groups? and that they do not have the power to add
themselves (temporarily) to one?
Otherwise, from all you have said they should not be able to do
what you have been reporting.

--
Roger Abell
Microsoft MVP (Windows Security)

"AnttiH" <gumfire@despammed.com> wrote in message
news:3pAre.172$Hp3.92@read3.inet.fi...
> Roger Abell wrote:
>
> > Can you open a cmd prompt and issue
> > cacls X: > c:\perms.txt
> > where X: is the letter to which the share has been mapped
> > and c:\perms.txt is any file to which you want the output
> > redirected. The content of this file will have all NTFS
> > setting in effect on the mapped folder.
> >
> > In order to Take ownership and account would need to
> > either be in GroupA or GroupB (which have grants of Full)
> > based on what you have said, that there are no other grants.
> > Posting here the results stored into that c:\perms.txt file
> > would help us verify that this is so.
> >
>
> Hi.
>
>
> This is cacls H:\FOLDER, which is the folder we want to make secure.
> H:\FOLDER BUILTIN\Administrators:( OI)(CI)F
> domain\groupA:( OI)(CI)F
> domain\groupB:( OI)(CI)F
>
> The person who "has permission to take ownership" is NOT in any of these
> groups. Not inherited or anything. The person however has Full Control
> on the H:\ -drive.
>
> Hope this helps,
> AnttiH
Anonymous
June 14, 2005 4:51:12 PM

Archived from groups: microsoft.public.win2000.security (More info?)

AnttiH,

Just for completeness, please verify that on the involved machines
the security policy setting in the User Right section of the Computer
Security policy section the User Right to Take Ownership of objects
is still set at the default of only naming Administrators group.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"AnttiH" <gumfire@despammed.com> wrote in message
news:3pAre.172$Hp3.92@read3.inet.fi...
> Roger Abell wrote:
>
> > Can you open a cmd prompt and issue
> > cacls X: > c:\perms.txt
> > where X: is the letter to which the share has been mapped
> > and c:\perms.txt is any file to which you want the output
> > redirected. The content of this file will have all NTFS
> > setting in effect on the mapped folder.
> >
> > In order to Take ownership and account would need to
> > either be in GroupA or GroupB (which have grants of Full)
> > based on what you have said, that there are no other grants.
> > Posting here the results stored into that c:\perms.txt file
> > would help us verify that this is so.
> >
>
> Hi.
>
>
> This is cacls H:\FOLDER, which is the folder we want to make secure.
> H:\FOLDER BUILTIN\Administrators:( OI)(CI)F
> domain\groupA:( OI)(CI)F
> domain\groupB:( OI)(CI)F
>
> The person who "has permission to take ownership" is NOT in any of these
> groups. Not inherited or anything. The person however has Full Control
> on the H:\ -drive.
>
> Hope this helps,
> AnttiH
!