Channel: Security forum

User can list folder contents with all DENY permissions


We have discovered a very strange issue on our file-server (2012 R2).

We have a folder structure like this:

\\Server\Root\Folder1\Folder2\ with the following breakdown:

Shared Root folder via DFS \\Server\Root\

Permissions: R&E for custom security group "all" in which all domain users are members.

This "root" folder contains another folder called "Folder1".

Permissions: Inherited permissions from "Root" plus a new security group "access group 1" with Full Access permissions (of which "problemuser" is a member)

This "Folder1" now contains another folder called "Folder2".

Permissions: inherited permissions disabled. Instead only two user accounts "user1" and "user2" are allowed by modify access.

This "Folder2" contains a number of subfolders accessible only to "user1" and "user2". At least that's what we thought. It turns out that one other domain user "problemuser" is able to access "Folder2" and list all sub-folders. However this user is unable to move into any of the sub-folders (gets access denied).

Very strange we thought, but as a solution we added "problemuser"-account to the ACL and gave it deny all permissions. Even so, the user can still access the folder. We have tested with several other user accounts that are members of the same "access group 1" and none of them are able to access "Folder2". 

We are stunned. Anyone experienced something similar? The user in question is a standard user with no special group memberships.

Except for the above-mentioned permissions, the following are inherited from "Root": creator owner has special permissions on all folders and SYSTEM is full access on all folders and Administrators is full access.

