NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

sakmanga's avatar
sakmanga
Aspirant
Jun 16, 2017

ReadyNAS 2120 OS6 - AD group "Domain users" automatically has full control granted on subfolders

Hi all, I have a ReadyNas 2120 v2 OS 6.7.4 working in an active directory. I created shared folders following the instruction in: https://kb.netgear.com/7066/ReadyNAS-OS-6-Setting-Active-Directory-...
active directory
File Sharing
Other Discussions
ReadyNAS
shred folders
JennC's avatar
JennC
NETGEAR Employee Retired
Jun 19, 2017

Hello sakmanga,

 

You need to set permission on the subfolders too. The permission on the shares and subfolders are handled by the AD when the NAS is joined to the AD.

 

Welcome to the community!

 

Regards,

Hopchen's avatar
Hopchen
Prodigy
Jun 19, 2017

Hi, 

 

When you create a new folder, that folder will inherit permissions from its parent folder. This is pretty standard, so if your share has full control (R/W) for Domain Users then your subfolder well as well. You want it be this way generally else you would have to set new perms on all new folders/files manually :)

 

If you don't want a given subfolder to inherit permissions, then just disable inheritance from the Windows side. 

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/acl_inherit_permissions.mspx?mfr=true

 

Cheers

  • sakmanga's avatar
    sakmanga
    Aspirant
    Jun 20, 2017

    Hi Hopchen, thanks for your replay.

    Unfotunatelly the inheritance is not respected as I explained in my post to JennC.

     

    Have a nice day.

    • Hopchen's avatar
      Hopchen
      Prodigy
      Jun 20, 2017

      Hi,

       

      You need to remember that permissions on a newly created folder will be as follows:

       

      The inherited permissions (from the parent folder)

      and

      Permissions that the user (who creates the folder) sets. Your user in AD/Windows have defult permissions that this user will add to every object it creates. Typically it will add itself as owner and add all its group memberships as well.

       

      So, if your AD user is member of "Domain Users" for example, then the user will add the the "Doman Users" group to new object the user creates. This is probably what is happening to you?

       

      Can you check (in AD) if the user you are testing with, is that user member of "Domain Users" (along with other groups perhpaps)?

       

       

      Thanks

      • sakmanga's avatar
        sakmanga
        Aspirant
        Jun 21, 2017

        Hi Hopcen, thank you very much for your replay.

         

        "Domain users" is the default primary group in an AD domain and all the users belongs to it.

        A user can't be removed unless we establish another primary group.

        Each of users belongs to many groups, but only "Domain users" is added automatically and this doesn't make sense to me.

         

        I understand the user that create a folder is added but why the primary group?

        Let say the user grants to a specific group of users, RO access on a folder. When he create a subfolder these users will have full control on it by default!

         

        I have others shared folder both on QNAP NAS and Windows servers but only with this device I have the problem and staring from a recent OS update.

        I remain of the idea that this is a serious security bug

         

        Any other idea?

         

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More