prevent folder ownership

Is there a way to prevent users becoming the owner of any subfolders that they create - The aim is to prevent them from being able to change permissions on any folders they create within shares. I imagine its got something to do with the CREATOR OWNER permissions. I've tried playing around with this at the root of the share so its modified permissions inherit to sub folders but havent had any joy,

any help much appreciated!

Find more posts tagged with

Comments

wastedtime

If I am not mistaken under security > advanced > permissions > edit the group/user and disallow take ownership and change permissions.

Gav0

I just tried this but with no joy. created a share with share = everyone FULL and NTFS Users = Read.
Created a local group called Test and a directory called test & and added a couple of users to the Test group.

then security > advanced > permissions > edit the Test group and disallow take ownership and change permissions on teh Test folder.

accessed the share/test folder and created sub-folders with the user accounts that belong to the Test group - successfully denied users full control of the sub folders

wastedtime

Is there a reason you are trying to specifically deny them to take ownership?

Gav0

Yeah the idea is that users can create their own sub-folders but dont have full control. I dont want them to be able to modify any permissions on the folders they create - all permissions need to be inherited from the root,

if joe bloggs creates a load of sub-folders and sets random permissions on all the folders and then leaves - its an admin overhead to then go round resetting them all

wastedtime

Take ownership and change permissions should take care of that. Are sure that you just had those permissions on the folder/file? The stuff they create they will have ownership but they shouldn't be able to change the permissions or take ownership of other files. There aren't any permissions inherited is there?

RobertKaucher

Gav0 wrote: »

Yeah the idea is that users can create their own sub-folders but dont have full control. I dont want them to be able to modify any permissions on the folders they create - all permissions need to be inherited from the root,

if joe bloggs creates a load of sub-folders and sets random permissions on all the folders and then leaves - its an admin overhead to then go round resetting them all

It is built into NTFS that accounts always have ownership and therefore the ability to change permissions on the files/folders they create. The only thing I could imagine is that you do one of the following:

1. Create a script that runs under an admin account, takes ownership of the folders and set the permissions on the folders/files so that users are denied the ability to change permissions.

2. Write a script that does the same and only use it when you need to because of the situation you mentioned above.

wastedtime

Ya, like he said.

Gav0

thanks for all the replies. Im not sure that a script would be the answer -i was looking for a prevention rather than a cure.

Some guy in a class i was in for CIFS shares on Netapps said that they do it via GPO where he works and there was some mumbled agreements from other members of the class so i thought it was fairly common and acheivable

the search continues.....

RobertKaucher

There is a GPO that relates to the ownership of objects such as files and folders, but it only limits accounts that can TAKE ownership of objects. It does not change that fact that the "Creator Owner" is the account that created the object. You can use group policy to remove the security tab so that they cannot change the permissions via the tab, but that does not prevent them from changing permissions. It only prevents them from changing permissions via the security tab. But maybe that is all you need?

http://support.microsoft.com/kb/303153

Hyper-Me

Although I see where your concerns lie, the amount of administrative effort is greatly reduced in situations like these when you use the tools to reset perms on all child objects, or something like SUBINACL

http://www.google.com/url?q=http://www.microsoft.com/downloads/details.aspx%3FFamilyID%3DE8BA3E56-D8FE-4A91-93CF-ED6985E3927B&ei=37KySsupM-mvtgf3jsWzDg&sa=X&oi=spellmeleon_result&resnum=1&ct=result&usg=AFQjCNEzdP2hh12ad_hXf5yJEYJ85q02iA

RobertKaucher

I hate to be a thread necromancer here, but I learned something very cool about permissions used by Vista/Server 2008. Using the "Owner Rights" SID you can actually accomplish what the OP wants to achieve. This would limit the rights of the CreaterOwner making it so they would not have FC permissions.

Security Identifiers (SIDs) New for Windows Vista