Hmmm....I've removed it and it is still listing users who have created folders as the owner. It's definitely not on the ACL...
2010/1/13 <[email protected]> > Creator/Owner is inherited and can be removed easily enough. Far easier to > maintain. > > Sent from my Verizon Wireless BlackBerry > ------------------------------ > *From: * James Rankin <[email protected]> > *Date: *Wed, 13 Jan 2010 13:20:52 +0000 > *To: *NT System Admin Issues<[email protected]> > *Subject: *Re: Users Setting NTFS Permissions > > I normally just give the groups RWXD, but the Creator Owner privilege > appears by default on newly created folders. Without removing the ability to > create folders and/or run subinacl scripts to take ownership, I find > removing the GUI to change the permissions is the easiest option. > > 2010/1/13 Jonathan Link <[email protected]> > >> Isn't that just obfuscation? I thought the ability to change permissions >> was granted by the Full Control right. If that's the case, pull >> Creator/Owner Full control from your file system and reassign permissions >> accordingly. >> >> >> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <[email protected]>wrote: >> >>> Prevent access to the rshx32.dll file on all your workstations and >>> servers to Administrators and System only. You can do this with a GPO. The >>> user can't access the security tab then and can't change permissions. Unless >>> they know how to use cacls. You could lock the permissions on that file as >>> well through Group Policy. >>> >>> 2010/1/13 Terri Esham <[email protected]> >>> >>> We have a Windows 2008 Domain whereby we control access to folders >>>> stored on one of the domain controllers through Active Directory >>>> groups. When a new folder is created on the network file server, we >>>> grant full permissions to the associated active directory group with the >>>> exception of the ability to set and change permissions. >>>> >>>> We just discovered that a user can grant permissions to any folder that >>>> they create under the primary folder because they are the folder >>>> owner. Obviously, I can change ownership to the domain admin, but how >>>> in the world would I keep up with this. I've no idea when a user might >>>> create a sub folder. I stumbled upon the problem because I found a >>>> folder whereby a user had granted the everyone group full rights. I >>>> knew none of the domain admins would do that. After talking with the >>>> owner of the folder, I found out he's been doing it all along. >>>> >>>> Wow! This is a real problem for us because we want to control access >>>> through groups. This one user had shared a bunch of folders using >>>> individual names. Plus, he had no clue what he was doing and just >>>> granted everyone full rights. >>>> >>>> How in the world do you guys handle this? Am I missing something? >>>> >>>> Thanks, Terri >>>> >>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >>>> >>> >>> >>> >>> -- >>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into >>> the machine wrong figures, will the right answers come out?' I am not able >>> rightly to apprehend the kind of confusion of ideas that could provoke such >>> a question." >>> >>> >>> >>> >>> >>> >> >> >> >> >> > > > -- > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into > the machine wrong figures, will the right answers come out?' I am not able > rightly to apprehend the kind of confusion of ideas that could provoke such > a question." > > > > > > > > > > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
