OK...learning more new stuff...indeed Creator Owner appears to be applied,
even though it's not on the ACL, because as Terri says the user creating the
folder can indeed modify the permissions (I've just tested on my Windows
2003 file server and can concur). If you look on the Owner tab on the new
folder, the creating user is definitely listed as the owner and as such
obviously inherits the Creator Owner permission.

I think restricting the permissions on rshx32.dll is the best way forward.
That way users can't even access the Security tab under Properties. I don't
know how you'd go about ensuring that newly-created folders don't get this
"hidden" Creator Owner privilege, save a script that takes ownership of file
structures at predetermined intervals (*subinacl* is one tool offhand I've
used for doing this). They certainly inherit their base NTFS permissions
from the parent, but the user creating it definitely has the permissions to
Change Permissions even though they aren't explicitly defined on the ACL.

I use a Group Policy Registry permission to set the security on the
rshx32.dll file. It definitely stops my users messing with creative
permissions sets.
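An added audit script for the situation described in this message (PowerShell; it is not code from the thread or from any of its posters). It walks a share tree and reports the three conditions discussed: a folder whose ACL still carries a CREATOR OWNER entry, a folder owned by an account other than the expected one, and an Allow entry that gives anyone outside a trusted list Change Permissions or Take Ownership. It also includes a helper that removes explicit CREATOR OWNER entries from a folder so that inheriting subfolders drop them. The share path, expected owner and CONTOSO group name are assumed values.

```powershell
# Added example; not code from the thread. Audits a share tree for a leftover
# CREATOR OWNER entry, an unexpected owner, and Allow entries that hand out
# Change Permissions or Take Ownership (Full Control contains both) to any
# principal outside a trusted list. Path, owner and CONTOSO group are assumed.
$Root              = 'D:\Shares\Departments'
$ExpectedOwner     = 'BUILTIN\Administrators'
$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins')
$RiskyRights       = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

function Get-AclFinding {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.Owner -ne $ExpectedOwner) {
        [pscustomobject]@{ Path = $Path; Finding = 'UnexpectedOwner'; Identity = $acl.Owner; Rights = $null }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -eq 'CREATOR OWNER') {
            [pscustomobject]@{ Path = $Path; Finding = 'CreatorOwnerAce'; Identity = $id; Rights = $ace.FileSystemRights }
        } elseif ($TrustedPrincipals -notcontains $id -and (([int]$ace.FileSystemRights -band [int]$RiskyRights) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Finding = 'RiskyRights'; Identity = $id; Rights = $ace.FileSystemRights }
        }
    }
}

# Removes explicit (non-inherited) CREATOR OWNER entries from one folder. Subfolders
# that inherit from it lose the entry as well, which is the "propagate down" step
# from the thread; an inherited entry has to be removed at the folder it comes from.
function Remove-CreatorOwnerAce {
    param([string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    $stale = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq 'CREATOR OWNER' })
    foreach ($ace in $stale) { [void]$acl.RemoveAccessRule($ace) }
    if ($stale.Count -gt 0) { Set-Acl -LiteralPath $Path -AclObject $acl }
    return $stale.Count
}

# Audit the root and every subfolder, then list what needs attention.
$folders  = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($f in $folders) { Get-AclFinding -Path $f.FullName }
$findings | Sort-Object Finding, Path | Format-Table -AutoSize

# Clean-up of the root, to run once the findings have been reviewed:
# Remove-CreatorOwnerAce -Path $Root
```

Run it as an account that can read every folder's security descriptor; a folder the account cannot read is skipped silently by the -ErrorAction setting, so an empty report is not proof of a clean tree.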

2010/1/13 Terri Esham <[email protected]>

>  The Creator Owner was already removed under the Security tab so that isn't
> enough to stop the user from creating a new folder and granting rights.
> What now?
>
> Terri
>
> James Rankin said the following on 1/13/2010 10:12 AM:
>
> Check the ACL at the highest level you want to go, remove Creator/Owner
> from the list of security permissions, and ensure that the change propagates
> down from the parent
>
> Better idea (if you can, never tried) is to remove it using cacls and the
> /e switch I would think
>
> 2010/1/13 Terri Esham <[email protected]>
>
>> How do you remove creator/owner?
>>
>> Thanks, Terri
>>
>> James Winzenz said the following on 1/13/2010 9:06 AM:
>>
>> This is what we do - we remove Creator/Owner when the server is set up,
>> don't have to worry about it after that.
>>
>> Thanks,
>>
>> James Winzenz
>>
>> ------------------------------
>> Date: Wed, 13 Jan 2010 08:41:33 -0500
>> Subject: Re: Users Setting NTFS Permissions
>> From: [email protected]
>> To: [email protected]
>>
>> That's because the parent folder has creator/owner permissions and any
>> newly created folder is inheriting the permission from the parent. In my
>> FS where I've removed creator/owner from the parent I don't see this
>> behavior.
>>
>> On Wed, Jan 13, 2010 at 8:20 AM, James Rankin <[email protected]> wrote:
>>
>> I normally just give the groups RWXD, but the Creator Owner privilege
>> appears by default on newly created folders. Without removing the ability to
>> create folders and/or run subinacl scripts to take ownership, I find
>> removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link <[email protected]>
>>
>> Isn't that just obfuscation?  I thought the ability to change permissions
>> was granted by the Full Control right.  If that's the case, pull
>> Creator/Owner Full control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <[email protected]> wrote:
>>
>> Prevent access to the rshx32.dll file on all your workstations and servers
>> to Administrators and System only. You can do this with a GPO. The user
>> can't access the security tab then and can't change permissions. Unless they
>> know how to use cacls. You could lock the permissions on that file as well
>> through Group Policy.
>>
>> 2010/1/13 Terri Esham <[email protected]>
>>
>> We have a Windows 2008 Domain whereby we control access to folders
>> stored on one of the domain controllers through Active Directory
>> groups.  When a new folder is created on the network file server, we
>> grant full permissions to the associated Active Directory group with the
>> exception of the ability to set and change permissions.
>>
>> We just discovered that a user can grant permissions to any folder that
>> they create under the primary folder because they are the folder
>> owner. Obviously, I can change ownership to the domain admin, but how
>> in the world would I keep up with this? I've no idea when a user might
>> create a sub folder.  I stumbled upon the problem because I found a
>> folder whereby a user had granted the everyone group full rights.  I
>> knew none of the domain admins would do that.  After talking with the
>> owner of the folder, I found out he's been doing it all along.
>>
>> Wow!  This is a real problem for us because we want to control access
>> through groups.  This one user had shared a bunch of folders using
>> individual names.  Plus, he had no clue what he was doing and just
>> granted everyone full rights.
>>
>> How in the world do you guys handle this?  Am I missing something?
>>
>> Thanks, Terri
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> --
>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>> the machine wrong figures, will the right answers come out?' I am not able
>> rightly to apprehend the kind of confusion of ideas that could provoke such
>> a question."
>>
>
