-3
  1. I need to set permissions to a folder for two people.
  2. I am not an administrator on the server but I have access to grant and remove permissions to folders.
  3. Not even the Server Admin should have access to that folder except for those two users.
  4. The following users are default on the folder or at least are there when I check permissions in that folder the same as other folders:
    • Authenticated Users
    • SYSTEM
    • Administrators(hostname\Administrators)
    • Users(hostname\Users)
    • myusername(domain\myusername)

I need to set permissions for users not listed above and only them should have access to the folder, however, will it be safe to remove the users listed above without causing implications when creating backups or granting and removing permissions in the future?

optionalNickname
  • 1
  • 3

2 Answers2

3

I am not an administrator on the server but I have access to grant and remove permissions to folders.

This was a bad setup on the admins part. Non-admins should not have FULL CONTROL on folders and files.

Not even the Server Admin should have access to that folder except for those two users

This is not possible. If the admin has administrative rights to the server (the very definition of an admin) then they can easily grant themselves rights again to that folder.

All that said, you can add the 2 accounts with FULL CONTROL (because you said you wanted them to be able to add/remove permissions in the future) and can technically remove everything including SYSTEM. It won't hurt to leave SYSTEM but it also isn't REQUIRED to stay.

Backups should be done using an account in the Backup Operators group which technically doesn't need rights to the folder as it can bypass security during backups. Some backup programs require the account it is run under to be an admin or even Domain Admin though. But as long as the account the backups run under is a part of the Backup Operators then it should run fine.

However, I still stand by the fact that if another account has administrative rights on that server they will be able to take ownership and apply new permissions including granting themselves access. If this folder truly needs to be "secure" you'll have to look beyond NTFS permissions to secure it.

TheCleaner
  • 32,352
  • 26
  • 126
  • 188
0

  • First and foremost, ensure that domain\myusername has full controll of the folder and its contents.

  • You are safe to remove Administrators(hostname\Administrators) and Users(hostname\Users) so long as there are no local user accounts in these groups that require access to that folder (These may be necessary for services or applications, such as backup software or databases). If such user accounts exist, then you should assign explicit permissions for these users before removing the group permissions from the folder.

  • Do not remove permissions for SYSTEM.

blacklight
  • 1,369
  • 1
  • 10
  • 19
  • Why not remove `SYSTEM`? If it's not a directory that you want the `SYSTEM` user to have access to, it will not break anything. – MDMarra Oct 08 '13 at 00:54
  • @MDMarra Simply because there's no real 'need' to remove it in order to achieve what OP is trying to do. Sure he could remove it if he wants, but it won't hurt if it stays. – blacklight Oct 08 '13 at 03:01
  • If administrator shouldn't have rights, then system should be removed. It's trivial for an admin to get a session as system. – MDMarra Oct 08 '13 at 14:05