Guest thegrotto@gmail.com
Posted January 23, 2008

I got a call from a client today claiming that a staff member could see everything in another staff member's home directory. I calmly pointed out that they could probably actually only see the home directory itself, but nothing in it, since only the owner and Domain Admins have permissions on home directories. However, I remoted in, logged in as the staff member in question, and BINGO! I can see ANYONE's home directory, and open files in it... In fact, this staff member has full control over every other staff member's home directory.

I don't know how this can be. The staff member's account is only a member of the Domain Users security group, and that group is certainly not in the ACLs of the other users' home directories!!!

This is potentially disastrous, please help!

Thanks,

arthur

Guest Pegasus (MVP)
Posted January 23, 2008

Re: Home Directory Permissions problem - shocking discovery!

<thegrotto@gmail.com> wrote in message news:4132457c-6a72-44e3-b4a4-176053609758@e6g2000prf.googlegroups.com...
> I got a call from a client today claiming that a staff member could
> see everything in another staff member's home directory. I calmly
> pointed out that they could probably actually only see the home
> directory itself, but nothing in it, since only the owner and Domain
> Admins have permissions on home directories. However, I remoted in,
> logged in as the staff member in question, and BINGO! I can see
> ANYONE's home directory, and open files in it... In fact, this staff
> member has full control over every other staff member's home
> directory.
>
> I don't know how this can be. The staff member's account is only a
> member of the Domain Users security group, and that group is certainly
> not in the ACLs of the other users' home directories!!!
>
> This is potentially disastrous, please help!
>
> Thanks,
>
> arthur

You need to do the usual investigative stuff on the server:

- Open a Command Prompt
- Type the following commands:

    cacls "d:\User Files\xxx" > c:\perms.txt
    cacls "d:\User Files\xxx\Some File.ext" >> c:\perms.txt
    net user yyy /domain >> c:\perms.txt
    notepad c:\perms.txt

"yyy" is the account of the all-powerful user. "xxx" is the account of some other user.

I assume that some groups have full access to xxx's folders. Is yyy a member of any of these groups? Is his unauthorised access revoked if he is kicked out of all groups other than the "Domain Users" group?
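
The comparison suggested in the reply above can be done mechanically. The following is an added example, not code from either poster: it parses the `cacls` and `net user` text collected in `c:\perms.txt` and reports every ACL entry that reaches the user, either by name, through a listed group, or through a principal such as Everyone that `net user` never lists. The sample output, the `EXAMPLE` domain and the `Staff Share` group are constructed for illustration and are not findings from this thread.

```python
import re

# Principals that apply to every logged-on domain user but never show up in
# "net user" output (assumption: default Windows group nesting is unchanged).
IMPLICIT = {"everyone", "authenticated users", "users"}
ACE_RE = re.compile(r"^(.+?):((?:\([A-Z]+\))*)([FCRWN])$")

def parse_cacls(text, path):
    """Return [(trustee, flags, right)] from cacls output for one path."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares the path's line
        m = ACE_RE.match(line)
        if m:
            aces.append(m.groups())
    return aces

def parse_groups(text):
    """Return group names from the membership lines of 'net user' output."""
    groups, in_groups = [], False
    for line in text.splitlines():
        if re.match(r"(Local|Global) Group memberships", line, re.I):
            in_groups = True
        elif not line.startswith(" "):
            in_groups = False  # any other left-aligned line ends the list
        if in_groups:
            groups += [g.strip() for g in line.split("*")[1:] if g.strip()]
    return groups

def explain_access(cacls_text, path, net_user_text, user):
    """ACEs on path that reach user directly, via a listed group, or implicitly."""
    names = {user.lower()} | {g.lower() for g in parse_groups(net_user_text)}
    return [ace for ace in parse_cacls(cacls_text, path)
            if ace[0].split("\\")[-1].lower() in names | IMPLICIT and ace[2] != "N"]

# Constructed sample of c:\perms.txt content; EXAMPLE and "Staff Share" are made up.
SAMPLE_CACLS = r"""d:\User Files\xxx BUILTIN\Administrators:(OI)(CI)F
                  EXAMPLE\Domain Admins:(OI)(CI)F
                  EXAMPLE\xxx:(OI)(CI)F
                  EXAMPLE\Staff Share:(OI)(CI)F
                  Everyone:(OI)(CI)R
"""
SAMPLE_NET_USER = """User name                    yyy
Local Group Memberships
Global Group memberships     *Domain Users         *Staff Share
The command completed successfully.
"""

if __name__ == "__main__":
    for trustee, flags, right in explain_access(
            SAMPLE_CACLS, r"d:\User Files\xxx", SAMPLE_NET_USER, "yyy"):
        print(f"{trustee}: {flags}{right}")
```

`net user` lists only direct group memberships, so a group that reaches the folder through nesting will not be matched and has to be checked separately.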