nikitaGradov Posted October 27, 2011

Hello, let me try to describe the problem (this is my first question on this forum). The operating system is Windows Server 2008. There is a folder on the domain controller's drive named FOLDER_1, and a file in this folder named FILE_1. There is also an OU named OU_1. Members of this OU should be granted access to the folder FOLDER_1 and the file FILE_1 as follows:
- OU_1 should be granted 'Modify' permissions on FOLDER_1.
- One member of OU_1, named MEMBER_1 (MEMBER_1 has not been granted membership of any Admin group), should be granted 'Modify' permissions on the file FILE_1.
- All other members of OU_1 should be granted only 'Read' and 'Read & Execute' permissions on the file FILE_1.

I have set the permissions as mentioned above (I'd like to point out that the checkbox 'Include inheritable permissions from this object's parent' is NOT checked, neither for MEMBER_1 nor for OU_1). All assigned permissions were verified in 'Effective Permissions' for FILE_1, and the result was:
- OU_1 has been granted 'Read' and 'Read & Execute' permissions on FILE_1,
- MEMBER_1 has been granted 'Modify' permissions on FILE_1.

Also, the 'Owner' of FILE_1 is set to 'Administrator'. Furthermore, I set auditing on the file FILE_1: for the group 'Everyone', event 'Change permissions' (Event ID = 4670).

What happens: when users start working, after the first access to FILE_1 (it's an .XLS file), an uncontrolled change of the assigned permissions for FILE_1 happened, WITHOUT any record in the security log!? The new permissions (in the ACL for FILE_1) are:
- OU_1 gets 'Modify' permission on FILE_1 (the checkbox 'Include inheritable permissions from this object's parent' is now checked),
- MEMBER_1 is no longer present in the ACL.

Epilogue: all members of OU_1 have been granted Modify permissions on FILE_1. Once again: there are no log entries about the event with EventID = 4670 (which is 'permission changed').

I'd like to point out that I:
- have checked 'Effective permissions'; the given permissions are correct (for ALL members of OU_1, including MEMBER_1),
- see an (uncontrolled) change of the FILE_1 ACL without any record in the security log.

I have no idea what is causing such behaviour. Have I done something wrong? I appreciate any help...
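Added example (not part of the original post or of any reply): a PowerShell script that snapshots the owner, DACL, SACL and inheritance flags of FILE_1, confirms the effective audit policy that event 4670 depends on, and pulls the related Security-log events for the folder. The path D:\FOLDER_1\FILE_1.xls and the domain CONTOSO are assumed, hypothetical values; the auditpol parsing assumes English output. Two caveats worth checking with it: 4670 is only written when WRITE_DAC is actually exercised on that file object, and only if both the file's SACL entry and the audit subcategory allow it; and an application that saves by writing a new temporary file and renaming it over the original (a common pattern for Office documents) produces a new file object that inherits the folder's ACL and is owned by whoever created it, with no 4670 at all because nothing edited the old ACL. A snapshot showing inherited entries and a new owner, together with 4663 events that delete or create in the folder rather than a 4670, points at the second case.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the
# server holding the file: reading a SACL and the Security log needs SeSecurityPrivilege.
# Hypothetical values: file path and domain name below are assumptions.
$Path  = 'D:\FOLDER_1\FILE_1.xls'
$Since = (Get-Date).AddDays(-1)

function Get-FileSecuritySnapshot {
    param([string]$Path)
    # -Audit makes Get-Acl read the SACL as well as the DACL.
    $acl = Get-Acl -Path $Path -Audit
    New-Object PSObject -Property @{
        Path          = $Path
        Owner         = $acl.Owner
        # $true means 'Include inheritable permissions from this object's parent' is UNCHECKED.
        DaclProtected = $acl.AreAccessRulesProtected
        SaclProtected = $acl.AreAuditRulesProtected
        Access        = @($acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited)
        Audit         = @($acl.Audit  | Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited)
        # Save this before users start and diff it afterwards: it captures owner, DACL and SACL in one string.
        Sddl          = $acl.Sddl
    }
}

function Get-AuditSubcategoryState {
    # auditpol shows the effective (Group Policy-merged) setting. 'File System' drives the
    # object-access events (4656/4663/4659); 'Authorization Policy Change' carries 4670 itself.
    # Parsing assumes English auditpol output (two-space indented "<Subcategory>  <Setting>").
    foreach ($sub in 'File System', 'Authorization Policy Change') {
        $setting = 'unknown'
        foreach ($line in (& auditpol.exe /get /subcategory:"$sub")) {
            if ($line -match ("^\s+" + [regex]::Escape($sub) + "\s+(.+)$")) { $setting = $Matches[1].Trim() }
        }
        New-Object PSObject -Property @{ Subcategory = $sub; Setting = $setting }
    }
}

function Get-RelatedSecurityEvents {
    param([string]$Path, [datetime]$Since)
    # 4670 = permissions on an object changed (WRITE_DAC exercised on that object)
    # 4656 = handle requested, 4663 = access exercised, 4659 = handle requested with intent to delete.
    # In 4656/4663, AccessMask 0x40000 is WRITE_DAC and 0x10000 is DELETE.
    # Events are matched on the whole folder so that a temp-file-and-rename save is visible too.
    $folder = Split-Path -Path $Path -Parent
    $filter = @{ LogName = 'Security'; Id = 4670, 4656, 4663, 4659; StartTime = $Since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $obj = $data['ObjectName']
        if ($obj -and $obj.StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)) {
            New-Object PSObject -Property @{
                Time       = $e.TimeCreated
                Id         = $e.Id
                Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process    = $data['ProcessName']
                Object     = $obj
                AccessMask = $data['AccessMask']
                OldSd      = $data['OldSd']   # only present on 4670
                NewSd      = $data['NewSd']   # only present on 4670
            }
        }
    }
}

$snap = Get-FileSecuritySnapshot -Path $Path
"Owner: $($snap.Owner)   DACL protected: $($snap.DaclProtected)   SACL protected: $($snap.SaclProtected)"
$snap.Access | Format-Table -AutoSize
$snap.Audit  | Format-Table -AutoSize
Get-AuditSubcategoryState | Format-Table -AutoSize
Get-RelatedSecurityEvents -Path $Path -Since $Since |
    Sort-Object Time |
    Format-Table Time, Id, Subject, Process, Object, AccessMask -AutoSize
```

Run it once after setting the permissions and keep the SDDL string, then run it again after the first user session: if DaclProtected has flipped to $false and the owner is no longer Administrator while no 4670 appears, the file object itself was replaced rather than re-ACLed, and the 4663 entries for the folder will show which process and account did it.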
ICTCity Posted October 27, 2011

First: be sure you have enabled AUDIT in your policies: http://technet.microsoft.com/en-us/library/dd277403.aspx Try again; if you still do not have any entry in Event Viewer, post again. I have an idea but I'm not sure... so first let me know about this.
--------------------------------------------------------
You can also write in French. You can also write in German. You can also write in Italian.
--------------------------------------------------------
nikitaGradov (Author) Posted October 28, 2011

I wasn't clear when I wrote 'WITHOUT any record in the security log!?' It means 'without any record with EventID=4670 (Change permissions)'. All other log entries are there (logon, logoff, special logon, etc.). Sorry for the uncertainty. Yes, I have enabled AUDIT both in 'Group Policy Management' and on the file. My point was: a 'change permissions' on one file occurred, but without a record with EventID=4670. I hope it's clear now...
ICTCity Posted October 28, 2011

I heard years ago from a person who wasn't a Microsoft employee that if the owner does not have full permissions, then when another user opens the file, the permissions are modified. But once the file is closed everything rolls back. I'm not sure about this...
nikitaGradov (Author) Posted October 31, 2011

I set owner = 'Administrator'. When the ACL changed, the owner changed too. I have started reading about AdminSDHolder, but I couldn't find a relation with 'my' problem (I have one OU, one security group inside this OU, and users in that group. Neither the security group nor the users (from that group) are members of any 'protected' groups (I mean protected by AdminSDHolder). The users are members of 'Domain Users' and the group is a member of the OU). This problem is 'over my capabilities'; I give up... Thanks for the reply...
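Added example (not part of the original thread): a PowerShell check that tells you whether an account is covered by AdminSDHolder at all, that is, whether it has adminCount=1 or is a member, nested membership included, of one of the groups AdminSDHolder protects by default. The sAMAccountName MEMBER_1 is an assumed, hypothetical value. Worth keeping in mind while reading its output: SDProp only rewrites the security descriptor of the protected AD user and group objects themselves; it never writes NTFS ACLs, so it cannot be what changed FILE_1, whatever the result below says.

```powershell
# Added example, not from the original thread. Runs on any domain-joined machine with
# PowerShell 2.0 or later using ADSI; the ActiveDirectory module is not required.
# Hypothetical value: the sAMAccountName below is an assumption.
$SamAccountName = 'MEMBER_1'

function Test-ProtectedGroupSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Groups AdminSDHolder protects by default (members inherit the protection):
    # BUILTIN: Administrators 544, Account Operators 548, Server Operators 549,
    #          Print Operators 550, Backup Operators 551, Replicator 552.
    # Domain:  Domain Admins 512, Domain Controllers 516, Schema Admins 518,
    #          Enterprise Admins 519, Read-only Domain Controllers 521.
    $builtin = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',
               'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552'
    if ($builtin -contains $Sid.Value) { return $true }
    return ($Sid.Value -match '^S-1-5-21-\d+-\d+-\d+-(512|516|518|519|521)$')
}

function Test-ProtectedBySdProp {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'adminCount'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the domain" }

    # tokenGroups is a constructed attribute: the SIDs of every group the account belongs to,
    # including nested membership and the primary group, which memberOf alone would miss.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))

    $protectedHits = @()
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        if (Test-ProtectedGroupSid -Sid $sid) {
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }
            $protectedHits += $name
        }
    }

    $adminCount = $null
    if ($result.Properties['admincount'].Count -gt 0) { $adminCount = $result.Properties['admincount'][0] }

    New-Object PSObject -Property @{
        User            = $result.Properties['distinguishedname'][0]
        # adminCount=1 is the mark SDProp leaves once it has protected the object; it is not
        # cleared automatically when the account is later removed from the protected groups.
        AdminCount      = $adminCount
        ProtectedGroups = $protectedHits
        CoveredBySdProp = ($protectedHits.Count -gt 0)
    }
}

Test-ProtectedBySdProp -SamAccountName $SamAccountName | Format-List
```

An account with CoveredBySdProp = $false and AdminCount empty is simply outside AdminSDHolder's scope, which matches what the poster describes; an account that shows AdminCount = 1 but no protected groups is a stale marker from an earlier membership and is worth cleaning up, because such objects keep the AdminSDHolder ACL and stop inheriting permissions from their OU.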