Share via

Permissions problem

Hram Admin 230 Reputation points
2025-08-27T11:14:20.5433333+00:00

Hello,

Consider the following test:

  1. On Server1 I create a test folder C:\TEST with two subfolders - REPORTS and storage
  2. Share C:\TEST using Advanced Sharing for the single local account (Task) - full controll
    01
  3. Do NOT add Task account on the NTFS permissions tab:
    02
  • as a result both subfolders - REPORTS and storage inherit permissions from C:\TESTC WITHOUT permissions for Task account.
  1. I map the J: to the C:\TASKC under Task account (I can do it because share permission = FC) and try to copy some folder to C:\TASKC\storage (J:\storage) and write the log to C:\TASKC\REPORTS (J:\REPORTS)
    04

Since the Task account does NOT have any write permissions to C:\TESTC (it's neither a member of the Administrators local group nor has been purposely applied write permission on the NTFS tab - it has only read permissions due to its membership in the Users group ) the copy operation should fail in 1) copying to J:\storage in 2) writing the log to J:\REPORTS.

  1. The result: copy operation fails with the Access Denied error as expected but the log is successfully created UNDER the local Task account (I enabled File Access audit and checked it) in the folder that does NOT HAVE WRITE PERMISSION for the Task account:
    Result.1

???!!!

Regards,
Michael

Windows for business | Windows Server | Devices and deployment | Other
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Domic Vo 1,015 Reputation points Independent Advisor
    2025-08-27T12:06:11.5033333+00:00

    Dear Hram Admin,

    Based on your description, you've created a folder structure at C:\TEST with subfolders REPORTS and storage, and shared the root folder using Advanced Sharing for the local account “Task” with full control. To ensure consistent access, please verify the following:

    NTFS Permissions: In addition to share permissions, confirm that the “Task” account has full control at the NTFS level for C:\TEST and its subfolders. Share permissions alone do not override file system restrictions.

    Local Account Usage: If “Task” is a local account on Server1, ensure that any access attempts are made from the same machine or that the account is properly mapped if accessing remotely.

    Network Discovery and File Sharing Settings: Confirm that Server1 has network discovery and file sharing enabled, especially if testing from another device.

    Firewall Rules: Ensure that the appropriate inbound rules for File and Printer Sharing (SMB-In) are enabled to allow access.

    I hope this helps. Just kindly tick Accept Answer that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Best regards,

    Domic Vo

    0 comments
  2. Hram Admin 230 Reputation points
    2025-08-28T09:05:44.7466667+00:00

    Hi Domic Vo,

    Thank you for the reply!

    But the problem is NOT in the absence of permissions for the Task account, the problem is that the Task account is succeeding in writing to the folder (REPORTS) to which it does NOT have write permissions!

    Once again: local Task account does NOT have Write permission to any folders, including C:\TESTC\REPORTS:
    11

    It has only Read and Execute as a member of the local USERS group as depicted above.

    Can anyone tell me how come Task account is able to create the log in C:\TESTC\REPORTS?

    0 comments
  3. Hram Admin 230 Reputation points
    2025-08-28T09:39:39.4566667+00:00

    Here's one more test:

    12-02

    12

    13Event2

    ...Access = WriteData (or AddFile) to the folder with only Read and Execute permission ...

    Any comments?

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.