What about users who create folders after the permissions are removed?

You have to do it from the very beginning, or manually reset the perms after 
the fact as Jonathan has indicated earlier. 

There is a special set of rights that are implicitly granted, but the removal 
of Creator/Owner should address that.   

I'll test it later today to verify. 




-----Original Message-----
From: James Rankin <kz2...@googlemail.com>
Date: Wed, 13 Jan 2010 16:16:07 
To: NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: Users Setting NTFS Permissions

Hmmm....I've removed it and it is still listing users who have created
folders as the owner. It's definitely not on the ACL...

2010/1/13 <asbz...@gmail.com>

> Creator/Owner is inherited and can be removed easily enough. Far easier to
> maintain.
>
> ------------------------------
> *From: * James Rankin <kz2...@googlemail.com>
> *Date: *Wed, 13 Jan 2010 13:20:52 +0000
> *To: *NT System Admin Issues<ntsysadmin@lyris.sunbelt-software.com>
> *Subject: *Re: Users Setting NTFS Permissions
>
> I normally just give the groups RWXD, but the Creator Owner privilege
> appears by default on newly created folders. Without removing the ability to
> create folders and/or run subinacl scripts to take ownership, I find
> removing the GUI to change the permissions is the easiest option.
>
> 2010/1/13 Jonathan Link <jonathan.l...@gmail.com>
>
>> Isn't that just obfuscation?  I thought the ability to change permissions
>> was granted by the Full Control right.  If that's the case, pull
>> Creator/Owner Full control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <kz2...@googlemail.com> wrote:
>>
>>> Prevent access to the rshx32.dll file on all your workstations and
>>> servers to Administrators and System only. You can do this with a GPO. The
>>> user can't access the security tab then and can't change permissions. Unless
>>> they know how to use cacls. You could lock the permissions on that file as
>>> well through Group Policy.
>>>
>>> 2010/1/13 Terri Esham <terri.es...@noaa.gov>
>>>
>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>> stored on one of the domain controllers through Active Directory
>>>> groups.  When a new folder is created on the network file server, we
>>>> grant full permissions to the associated active directory group with the
>>>> exception of the ability to set and change permissions.
>>>>
>>>> We just discovered that a user can grant permissions to any folder that
>>>> they create under the primary folder because they are the folder
>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>> in the world would I keep up with this.  I've no idea when a user might
>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>> folder whereby a user had granted the everyone group full rights.  I
>>>> knew none of the domain admins would do that.  After talking with the
>>>> owner of the folder, I found out he's been doing it all along.
>>>>
>>>> Wow!  This is a real problem for us because we want to control access
>>>> through groups.  This one user had shared a bunch of folders using
>>>> individual names.  Plus, he had no clue what he was doing and just
>>>> granted everyone full rights.
>>>>
>>>> How in the world do you guys handle this?  Am I missing something?
>>>>
>>>> Thanks, Terri
>>>>
>>> --
>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>>> the machine wrong figures, will the right answers come out?' I am not able
>>> rightly to apprehend the kind of confusion of ideas that could provoke such
>>> a question."


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
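
An audit for the situation described in this thread, added here as an example and not posted by anyone on the list: it walks a share and reports subfolders whose owner is not an approved principal, plus any explicit (non-inherited) grants such as Everyone or individual users. The function name, the root path and the approved-owner list are assumptions.

```powershell
# Added example: report the two symptoms discussed in the thread.
# Assumptions (not from the thread): function name, root path, approved-owner list.
function Get-FolderAclDrift {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Owners considered acceptable; any other owner is reported.
        [string[]] $ApprovedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # Rights that let a principal rewrite the ACL or take the folder over.
    $aclRights = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        try   { $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on ${folder}: $_"; return }

        # 1. Folder still owned by the user who created it.
        if ($acl.Owner -notin $ApprovedOwners) {
            [pscustomobject]@{ Path = $folder; Finding = 'UnapprovedOwner'
                               Identity = $acl.Owner; Rights = '' }
        }

        # 2. Explicit Allow ACEs: set on this folder, not inherited from the parent.
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $finding = if ($id -eq 'Everyone') { 'EveryoneGranted' }
                       elseif (([int]$ace.FileSystemRights -band $aclRights) -ne 0) { 'CanChangePermissions' }
                       else { 'ExplicitGrant' }
            [pscustomobject]@{ Path = $folder; Finding = $finding
                               Identity = $id; Rights = $ace.FileSystemRights }
        }
    }
}

# Usage (the path is a placeholder):
# Get-FolderAclDrift -Root 'D:\Shares\Projects' | Sort-Object Finding, Path | Format-Table -AutoSize
```

Run on a schedule, the output gives the list of folders to re-own and reset, which answers the "how would I keep up with this" question without relying on hiding the Security tab.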
