Here’s an interesting report that crossed my transom today.
An administrator of a domain-joined machine created a share, and wanted to make sure that it could only be reached by the administrators and local accounts on the machine (service accounts, basically).
So, he created the share, and edited its permissions – removed “Everyone”, added “Administrators” and “Users”; clicked OK and went away.
Domain users still had access to the share – and this somewhat worried the administrator. But, after some time considering, he thinks he has the answer, and removes “MyDomain\Domain Users” from the “Users” group; clicks OK and went away.
Surprise – domain users still have access to the share.
Before I give away the secret of how, can you see it for yourselves?