Uncontrolled permission change on a file ......
Posted 10/27/2011 5:16:24 AM
Forum Newbie

Group: Forum Members
Last Login: 10/27/2011 4:31:37 AM
Posts: 1, Visits: 0
Hello,
let me try to describe the problem.

Operating system is Windows Server 2008.

There is a folder, named: FOLDER_1, and a file, in this folder, named: FILE_1.
There is also an OU, named: OU_1. Members of this OU should have been granted access to the folder: FOLDER_1 and file: FILE_1, as follows:
- OU_1 should be granted permissions on FOLDER_1: 'MODIFY'.
- One member from OU_1, named: MEMBER_1 (MEMBER_1 has not been granted membership of any Admin group), should be granted the 'Modify' permissions on the file: FILE_1.
- All other members of OU_1 should be granted only 'Read' and 'Read & Execute' permissions on the file: FILE_1.

I have set the permissions as mentioned above (I'd like to point out that the checkbox 'Include inheritable permissions from this object's parent' is NOT checked, neither for MEMBER_1 nor for OU_1).

All assigned permissions were verified in 'Effective Permissions' for FILE_1, and the result was:

- OU_1 has been granted permissions: 'Read' and 'Read & Execute', on FILE_1,
- MEMBER_1 has been granted permissions: 'Modify', on FILE_1.

Also, 'Owner' for FILE_1 is set to 'Administrator'.

Furthermore, I set 'audit' on the file FILE_1: for group 'Everyone', event: 'Change permission' (Event ID = 4670).

What happens: when users start working, after the first file access, an uncontrolled change of the assigned permissions for file FILE_1 happens, WITHOUT any record in the security log!?

New permissions are:
- OU_1 gets permission 'Modify' on FILE_1 (checkbox 'Include inheritable permissions from this object's parent' is now checked),
- MEMBER_1 is no longer present in the ACL.

Epilogue: all members of OU_1 have been granted Modify permissions on FILE_1.

Once again: there are no log entries about the event with EventID = 4670 (which is 'permission changed').

I'd like to point out that I:

- have checked 'Effective permissions' - given permissions are correct (for ALL members from OU_1, including MEMBER_1),
- There is a change of FILE_1 ACL without any record in the security log.

I have no idea what is causing this event. Have I done something wrong?

I appreciate any help ...
Post #826
Posted 11/14/2011 8:54:05 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
2 things jump out at me:

1. You can't assign permissions to an OU. OUs are not principals. You can only assign permissions to groups, users and computers.

2. Windows Explorer will do weird things to ownership and permissions behind your back.

Post #849
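
The following is an added example, not code from either post: a PowerShell baseline-and-compare check for the three things the question reports changing on FILE_1 (the owner, the inheritance setting, and the individual ACL entries), so the change can be caught even when no event 4670 is logged. It assumes PowerShell 2.0 or later; the two paths and the function names are placeholders chosen for illustration.

```powershell
# Added example. Paths are placeholders, not values from the thread.
$File     = 'C:\FOLDER_1\FILE_1'
$Baseline = 'C:\Baselines\FILE_1.acl.xml'

function Get-AclSnapshot {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    New-Object PSObject -Property @{
        Owner     = $acl.Owner
        # $true = "Include inheritable permissions from this object's parent" is unchecked
        Protected = $acl.AreAccessRulesProtected
        # One sortable string per ACE: who, allow/deny, rights, explicit or inherited
        Rules     = @($acl.Access | ForEach-Object {
            '{0}|{1}|{2}|inherited={3}' -f $_.IdentityReference,
                $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
        } | Sort-Object)
    }
}

function Compare-AclSnapshot {
    param($Old, $New)
    if ($Old.Owner -ne $New.Owner) {
        "Owner changed: $($Old.Owner) -> $($New.Owner)"
    }
    if ($Old.Protected -ne $New.Protected) {
        "Inheritance protection changed: $($Old.Protected) -> $($New.Protected)"
    }
    $oldRules = @($Old.Rules)
    $newRules = @($New.Rules)
    # -notcontains also copes with an empty ACL on either side
    $oldRules | Where-Object { $newRules -notcontains $_ } |
        ForEach-Object { "ACE removed: $_" }
    $newRules | Where-Object { $oldRules -notcontains $_ } |
        ForEach-Object { "ACE added:   $_" }
}

if (-not (Test-Path $Baseline)) {
    # First run: record the ACL as it was deliberately configured
    Get-AclSnapshot $File | Export-Clixml -Path $Baseline
} else {
    # Later runs: report every difference from the recorded baseline
    $diff = @(Compare-AclSnapshot (Import-Clixml -Path $Baseline) (Get-AclSnapshot $File))
    if ($diff.Count -eq 0) { 'ACL matches baseline' } else { $diff }
}
```

Run it once right after setting the permissions, then again after the first user access; for the situation described in the question it would report the inheritance flag flipping, the MEMBER_1 entry removed, and an inherited Modify entry added.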