
[ActiveDirectory] User with two SID - NTFS Leak


Hello,

I have a security problem with an account that has access to data which is normally protected (NTFS).

This account is not a member of any group that has access to this data, but it can create, view and edit it!

During the investigation I have seen that this account returns two SIDs with this command:

wmic useraccount where name='%username%' get sid

The first SID is the SID for the user (visible in the AD).

I searched in my AD for the second SID and it seems to be a member of CN=XXXX,CN=ForeignSecurityPrincipals,DC=DOMAIN,DC=NET (XXXX is the SID).

It's not normal, but I don't understand how it happened and how I can properly solve this problem.

This data is not sensitive but it's a potential problem for other data.

Thanks in advance for your advice.

Clement
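
An added example, not part of the original post: one way to tell the two SIDs apart and trace them to the folder's ACL. It queries the same WMI class as the wmic command but shows the Domain of each match, looks each SID up under CN=ForeignSecurityPrincipals, and lists the ACL entries on the folder that name either SID or a group the foreign principal is a direct member of. The folder path is a placeholder and the use of the ActiveDirectory (RSAT) module is an assumption.

```powershell
# Added example. $Path is a placeholder; the ActiveDirectory (RSAT) module is assumed.
param(
    [string]$UserName = $env:USERNAME,
    [string]$Path     = 'D:\Data\Protected'
)
Import-Module ActiveDirectory

# 1. Same WMI class as "wmic useraccount", with the columns that tell the matches apart.
$accounts = @(Get-CimInstance Win32_UserAccount -Filter "Name='$UserName'")
$accounts | Format-Table Domain, Name, LocalAccount, SID -AutoSize | Out-Host

# 2. Collect each SID, plus the SIDs of groups that a matching foreign
#    security principal (FSP) is a direct member of.
$fspBase = "CN=ForeignSecurityPrincipals,$((Get-ADDomain).DistinguishedName)"
$watch   = @{}   # SID string -> why it is of interest
foreach ($a in $accounts) {
    $watch[$a.SID] = "account $($a.Domain)\$($a.Name)"
    $fsp = Get-ADObject -SearchBase $fspBase -Filter "Name -eq '$($a.SID)'" -Properties memberOf
    foreach ($groupDn in $fsp.memberOf) {
        $g = Get-ADGroup -Identity $groupDn
        $watch[$g.SID.Value] = "group $($g.Name) (contains FSP $($a.SID))"
    }
}

# 3. Report the ACEs on the folder whose trustee is one of those SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
    try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
    catch { continue }   # trustee name cannot be mapped to a SID
    if ($watch.ContainsKey($sid)) {
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Why       = $watch[$sid]
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}
```

Only direct group memberships of the foreign principal are followed; nested groups would need a further lookup.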

