NTFS File Sharing Windows Server 2008 and Administrators Group?

By cbell1
I know my question really isn't a question.... but I really can't think of another way to ask/post it without it being long and not making any sense.

We have a Windows Server 2008 that we recently migrated to as our main file sharing server. On initial setup, it looks like two of our domain groups were added to the local Administrators group: domain admins and domain users. When we copied the files over and re-setup the permissions, we deleted the local Administrators groups from the root of all drives and parent folders.

However, now when we create a new folder in a drive, the local Administrators group is added to the security and it says that it is inherited from the root of the drive. How can that be? As you can see, this is an issue: since the domain users group is a part of the Administrators group, they can see these folders even though they shouldn't be able to.

We have our Server 2003s set up this way and we have not run into this issue. What's different about the file sharing with Server 2008 that we aren't seeing? Where is the local Administrators group root access and how can you disable it?

I appreciate any feedback.. I've been looking into this for weeks now and anything I find doesn't work or exactly fit the issue we are running into.



My question is...

by cmiller5400 In reply to NTFS File Sharing Windows ...

Why is the "domain users" group part of the local admin group? Solve that issue and your issue goes away... For a file server, there should be no reason for the domain users group to be in the local admin group. That gives them total control over the server. Don't know if you are aware, but even if you take the local admin group's rights away from a folder, that doesn't prevent them from changing the permissions on that folder to gain access again. Local Administrators have the rights to take ownership of a file/folder and reassign security*.

*: Be VERY careful with deny permissions as they take precedence over all others. You can quickly back yourself into a corner easily...
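
The two points raised in this thread, who is in the local Administrators group and where the Administrators entry on a new folder is inherited from, can both be checked with a read-only audit. The script below is an added example, not code posted by either participant; the drive letter `D:\`, the English group name `Administrators` and the function names are assumptions.

```powershell
# Added audit example (not from the thread). Read-only: it changes nothing.
# Assumption: $Root is the data drive that holds the shares ('D:\' is a placeholder).
$Root      = 'D:\'
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Members of the local Administrators group via the ADSI WinNT provider
#    (PowerShell 2.0 has no Get-LocalGroupMember). Assumes the English group name.
function Get-LocalAdminMember {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        New-Object PSObject -Property @{
            Member        = $path
            Sid           = $sid
            # RID 513 on a domain SID (S-1-5-21-...) is the Domain Users group
            IsDomainUsers = ($sid -match '^S-1-5-21-.+-513$')
        }
    }
}

# 2. ACEs for BUILTIN\Administrators on one folder, with the inherited flag.
function Get-AdminAce([string]$Path) {
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # skip folders the caller cannot read
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq $AdminsSid) {
            New-Object PSObject -Property @{
                Path      = $Path
                Type      = $ace.AccessControlType
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

Get-LocalAdminMember | Format-Table Member, IsDomainUsers, Sid -AutoSize

# Check the drive root itself, then each first-level folder under it.
$folders = @($Root) + @(Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
$folders | ForEach-Object { Get-AdminAce $_ } |
    Format-Table Path, Type, Rights, Inherited, AppliesTo -AutoSize
```

A row for the root with `Inherited` set to `False` is an explicit Administrators entry on the drive root; rows for subfolders with `Inherited` set to `True` are receiving theirs from a parent.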
