I normally just give the groups RWXD, but the Creator Owner privilege appears by default on newly created folders. Without removing the ability to create folders and/or run subinacl scripts to take ownership, I find removing the GUI to change the permissions is the easiest option.
2010/1/13 Jonathan Link <jonathan.l...@gmail.com> > Isn't that just obfuscation? I thought the ability to change permissions > was granted by the Full Control right. If that's the case, pull > Creator/Owner Full control from your file system and reassign permissions > accordingly. > > > On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <kz2...@googlemail.com>wrote: > >> Prevent access to the rshx32.dll file on all your workstations and servers >> to Administrators and System only. You can do this with a GPO. The user >> can't access the security tab then and can't change permissions. Unless they >> know how to use cacls. You could lock the permissions on that file as well >> through Group Policy. >> >> 2010/1/13 Terri Esham <terri.es...@noaa.gov> >> >> We have a Windows 2008 Domain whereby we control access to folders >>> stored on one of the domain controllers through Active Directory >>> groups. When a new folder is created on the network file server, we >>> grant full permissions to the associated active directory group with the >>> exception of the ability to set and change permissions. >>> >>> We just discovered that a user can grant permissions to any folder that >>> they create under the primary folder because they are the folder >>> owner. Obviously, I can change ownership to the domain admin, but how >>> in the world would I keep up with this. I've no idea when a user might >>> create a sub folder. I stumbled upon the problem because I found a >>> folder whereby a user had granted the everyone group full rights. I >>> knew none of the domain admins would do that. After talking with the >>> owner of the folder, I found out he's been doing it all along. >>> >>> Wow! This is a real problem for us because we want to control access >>> through groups. This one user had shared a bunch of folders using >>> individual names. Plus, he had no clue what he was doing and just >>> granted everyone full rights. >>> >>> How in the world do you guys handle this? Am I missing something? >>> >>> Thanks, Terri >>> >>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >>> >> >> >> >> -- >> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into >> the machine wrong figures, will the right answers come out?' I am not able >> rightly to apprehend the kind of confusion of ideas that could provoke such >> a question." >> >> >> >> >> >> > > > > > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~