While rebuilding a piece of my lab for file server and DFS services, I had an odd set of symptoms. I had a user in a security group that was not set to be able to change permissions, and no ability to take ownership, in the NTFS permissions. Yet they were able to add permissions to give others elevated access, or even elevate their own access.
It turns out I’d forgotten the share permission side, where this still had some debug settings; in particular, that “Authenticated Users” had full control. Have you ever really messed with those share permissions? Usually we rush right on and do
Everyone -> Full Control and then lock it down with NTFS permissions later. But, have you ever tried just doing Change and Read and leaving Full Control off? It’s actually what you’re usually trying to accomplish, and gives you a little head start in that you don’t have to hope you don’t get a clever end-user later that elevates their own NTFS permissions.