I’m having trouble coming up with new permissions settings to an existing file server share (Win Server 2008 R2). Let’s call it \\SVRA\ShareA. I’m trying to deny access to this share (in testing I'm using a directory just underneath this) from guest accounts. I created a new Global Security Group for guest users called GUEST_LOCKDOWN hoping I could use that to restrict access.
Unfortunately, the way this file server is setup, \\SVRA\ShareA has read and execute permissions for any Domain User. In fact, when I look at the ‘SVRA - User group’ which contains the Domain Users group, it also contains NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE users. So it seems to me as soon as any account is authenticated to the Domain, it has read/execute access to this share. This share has inheritance on by default to the folders underneath. Inheritance is broken on certain folders underneath where access has been restricted.
FYI – I don’t have Group Policy set up yet, so I’m trying to do this with security permissions.
I don’t really want to apply explicit deny permissions to the share using the GUEST_LOCKDOWN group because of the ~3 million files on the server. So I thought I could deny the share using the share permissions (most restrictive wins, right?). I took a test directory underneath ShareA and removed the share permissions for Everyone. Then I added back Change/Read share permissions for Domain Users. Then I added an explicit deny on the \\SVRA\ShareA\test folder for the GUEST_LOCKDOWN group. But userA (in the Domain Guest and GUEST_LOCKDOWN groups) can still happily read the test directory under ShareA. Is Domain Guest somehow considered part of Domain Users?
I thought the most restrictive settings would apply and the explicit DENY on the share permissions would prevent userA from accessing that directory. If I remove the ‘Domain Users’ group from the test folder’s shares permission such that only the GUEST_LOCKDOWN with explicit DENY is on that folder, I can still access that folder. It seems like the NTFS permissions settings are overriding the Share permissions in this instance and not using the ‘most restrictive’. If I go in and remove the NTFS permissions for the 'SVRA - Users' Group, then I can't access the folder.
I tried setting userA’s Primary Group to the GUEST_LOCKDOWN group but then I can’t even log into the domain.
I can usually figure permissions out, but I’m struggling with this one and I’d rather not make wholesale changes to ShareA until I have a chance to test everything. I was looking for a quick solution that would basically leave everything as is but just restrict this one new group from accessing the share.
Any help would be greatly appreciated. Thanks.