Solved - ReadyNAS 4312X OS6 - AD group "Domain users" automatically has full control on subfolders
I just wanted to post this in response to the topic below, as it is now closed and I can't add comments to it:
I also found that when adding permissions to shares on my ReadyNAS using Windows File Explorer, it was automatically adding Domain Users with full control to the subfolders and files within the share. Removing the permission and/or disabling inheritance doesn't work as it is automatically reapplied. This is, as the closed topic states, because the Linux OS of the ReadyNAS is applying the permission based on my domain user account's primary group (which is Domain Users).
The solution is to apply permissions on the share in Windows File Explorer using the ReadyNAS admin account. So I logged into a domain computer using a local account, accessed the share, entered NasName\admin as the user when prompted for credentials, and then applied domain user/group permissions from there.
That resolved the issue for me. I hope this post helps anyone with this issue in the future.
Re: Solved - ReadyNAS 4312X OS6 - AD group "Domain users" automatically has full control on subfo...
Hi DipMan,
Welcome to the Community!
Thank you for sharing your resolution and/or workaround. We appreciate your contribution to the community.
Feel free to post any suggestions, questions, recommendations or anything about your NAS that you think needs attention or will help others.
Regards,
Re: Solved - ReadyNAS 4312X OS6 - AD group "Domain users" automatically has full control o
Hi. I'm replying to this as it seems this is still a problem. To summarise the problem, when users create files and folders on this ReadyNAS RR4312X, their domain account as well as 'Domain Users' get full control of the file(s)/folder(s). This means that they have a level of access to the data that they shouldn't have. Here's what I do to create the share:
1. On the admin web page I click Shares and then New Share.
2. I give it a name and click Create.
3. I click on the cog next to Permissions and then Settings.
4. Under the Network Access tab (which only has SMB enabled by the way) I untick "Allow anonymous access" and click Apply. Note that by default Everyone has the Read/Write check box ticked here, which I leave as is.
5. Under the File Access tab I untick the Read Only box next to Everyone and click Apply, so it looks like this:
6. Next I log in to a Windows PC on the domain but with a local admin account on that machine.
7. I then open File Explorer and browse to the share via \\nasbox\share. When prompted for credentials I use 'nasbox\admin' as the user.
8. The permissions on the share are:
   - Everyone - nothing ticked
   - Creator Owner - Special permissions (greyed)
   - Creator Group - Special permissions (greyed)
   - admin (nasbox\admin) - Full control (not greyed)
   - ReadyNAS Admins (nasbox\ReadyNAS Admins) - Full control (not greyed)
9. I click Edit then Add. I'm prompted for a username to access our domain, so type in my domain username.
10. I give a domain group access to the share.
11. Now, if a member of that group creates a file in the share, the permissions are as above but that user and Domain Users are also automatically added with Full Control (greyed out).
Please note that I have next to no experience with NAS boxes. The firmware is up to date (6.9.3). I have tried a factory reset. I have tried disabling inheritance on the share, and even subfolders within the share, but Full Control for the user and Domain Users still seems to get automatically applied. I have tried unticking the Read/Write box for Everyone on the Network Access tab on the admin page, but that removes all access to the share. Similarly, I have tried unticking the Read/Write box for Folder Owner and Folder Group on the File Access tab on the admin page, but that also removes all access.
This is causing a problem because for some shares, certain groups should have read only access. Once data is added to the share, they have full access because Domain Users is being given Full Control.
What am I doing wrong? Any advice would be greatly appreciated. Thanks in advance.
Re: Solved - ReadyNAS 4312X OS6 - AD group "Domain users" automatically has full control o
I managed to solve this myself. In case anyone comes across this issue, I followed the steps as per my original post above. At step 5, I unticked all the boxes (so no users/groups listed have either read or read/write access). At step 8, I removed all the permissions on the share via Windows (every single one). Then follow the remaining steps to give the users/groups access as required. This seems to resolve the issue of Domain Users getting full control of the files and folders inside the share. Hopefully this helps someone.
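
A read-only way to check whether the problem described in this thread is present on a share, before and after applying either fix. This is an added example, not part of any post and not NETGEAR code: it lists every file and folder whose ACL grants Full Control to Domain Users. The function name `Find-FullControlAce` and the `*\Domain Users` match pattern are assumptions; `\\nasbox\share` is the share name used in the thread.

```powershell
# Added example: report ACEs that allow Full Control to a given principal
# on a share root and on everything beneath it. Nothing is modified.
function Find-FullControlAce {
    param(
        [Parameter(Mandatory)] [string] $Path,     # e.g. \\nasbox\share (name from the thread)
        [string] $Principal = '*\Domain Users'     # assumed wildcard match on DOMAIN\name
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Check the root itself, then every file and folder below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        foreach ($ace in $acl.Access) {
            $isAllow = $ace.AccessControlType -eq 'Allow'
            $isFull  = ($ace.FileSystemRights -band $full) -eq $full
            if ($isAllow -and $isFull -and $ace.IdentityReference.Value -like $Principal) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # True corresponds to a greyed-out entry in Explorer
                    Owner     = $acl.Owner
                }
            }
        }
    }
}

# Run from a session that can read the share; an empty result means no match.
Find-FullControlAce -Path '\\nasbox\share' | Format-Table -AutoSize
```

To test a read-only group, have one of its members create a file in the share and run the function again: any row returned for that file shows Domain Users still receiving Full Control.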