configure NFS in windows server 2016

Admin’s Advice: No to ‘Deny’ Permission

In this article, we will bring you some solutions that can help resolve an incorrect grant of a User’s rights. These solutions may also make an Administrator’s life easier by dealing with the consequences brought about by the misuse of the “Deny” permission.

Take this scenario as an example. The user changed Folder Permissions to Deny everyone. The Administrator then reverted these changes. It may appear that the situation has been fixed but the permissions show that the reverting of the settings is meaningless. Everyone still got the permission to read and write in the aforementioned folder. For an Administrator, the first step for this scenario is to check the perspective of Sharing and Security on a top-level folder. In our scenario, the sharing is set as follows: Domain Users, Administrators, and Domain Admins have read/write permissions; NTFS is set to give full control to System, Domain Users, and Domain Admins. The subfolders, meanwhile, have inheritance disabled since each subfolder has its own set permissions.

As we can see, the system in our imaginary scenario is a mess. But don’t lose hope yet, the situation can still be fixed. In fact, there is more than one solution that can fix the issue.

Before we go deeper into the solutions, the Administrator should keep in mind that ‘Everyone’ applies to all users, whether they are logged in or not. It also applies to those on or off the domain.

Let’s clarify some terms first. Authenticated Users are users that logged in the domain or forest. Domain Users are those that are on the current server’s domain. Make sure to keep this in mind because a ‘Deny’ on any of these may also mean a ‘Deny’ on the Administrator!

SOLUTIONS

Solution 1 – All users can log off then log back in again. This action enforces new NTFS permissions to the folder. If not all Users can log off simultaneously, the new settings can be set to standby until they do.

Solution 2 – Backups can be used to roll out the old settings and revert the permissions to the way they were before. Keep in mind that performing a Backup may take time so it is not recommended to do this during work hours, or if there are Users logged on to the system.

Solution 3 – The Administrator can get some insights into the User Permissions by clicking ‘Advanced’ in the Permissions window and then going to the Effective Access Tab. The Users and their individual access is shown in this tab. Although not an exact solutions, the Administrator can find answers to what permissions are set and being used.

Solution 4 – The easier solution is to crate new folders with the correct permissions applied to it and make these servings apply to the current folder and all the subfolders and files. Once all this is set, everything can then be moved to the folder with the corrected permissions. The Administrator has the option to take full ownership, rewrite permissions, and give full access to Domain Admins. After that, it is possible to decide who can have read/write permissions.

The administrator can give Authenticated Users Read/Write permissions and they can be used to handle access with shared files and folders at the NTFS level. This is a better situation that trying to limit access to sharing at the Share Access Control Layer. Using ’Deny’ permission is always the worst and last solution as it has a broad scope and it denies ‘Everyone’ by default.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *