The problem is that simply hiding the GUI will not prevent someone from running CACLS or ICACLS, which are native depending on your version of the OS.
Sure, that requires a level of sophistication, but not that much more than a standard user. A Google search will put you right there.

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: James Rankin <[email protected]>
Date: Wed, 13 Jan 2010 16:57:23
To: NT System Admin Issues<[email protected]>
Subject: Re: Users Setting NTFS Permissions

It behaves exactly the same (for me anyway) after the permissions are removed - creating user is named as owner on the security tab and has the appropriate permissions rights to go with it. And after setting the owner with subinacl. Digging around in all this is making me glad I've set the security tab to hidden. I'm considering running the subinacl command as a scheduled task as well, as I can see multiple owners on parts of my data structure.

2010/1/13 <[email protected]>

> What about users who create folders after the permissions are removed?
>
> You have to do it from the very beginning, or manually reset the perms after the fact as Jonathan has indicated earlier.
>
> There is a special set of rights that are implicitly granted, but the removal of Creator/Owner should address that.
>
> I'll test it later today to verify.
>
> Sent from my Verizon Wireless BlackBerry
> ------------------------------
> From: James Rankin <[email protected]>
> Date: Wed, 13 Jan 2010 16:16:07 +0000
> To: NT System Admin Issues<[email protected]>
> Subject: Re: Users Setting NTFS Permissions
>
> Hmmm....I've removed it and it is still listing users who have created folders as the owner. It's definitely not on the ACL...
>
> 2010/1/13 <[email protected]>
>
>> Creator/Owner is inherited and can be removed easily enough. Far easier to maintain.
>>
>> Sent from my Verizon Wireless BlackBerry
>> ------------------------------
>> From: James Rankin <[email protected]>
>> Date: Wed, 13 Jan 2010 13:20:52 +0000
>> To: NT System Admin Issues<[email protected]>
>> Subject: Re: Users Setting NTFS Permissions
>>
>> I normally just give the groups RWXD, but the Creator Owner privilege appears by default on newly created folders. Without removing the ability to create folders and/or run subinacl scripts to take ownership, I find removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link <[email protected]>
>>
>>> Isn't that just obfuscation? I thought the ability to change permissions was granted by the Full Control right. If that's the case, pull Creator/Owner Full control from your file system and reassign permissions accordingly.
>>>
>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <[email protected]> wrote:
>>>
>>>> Prevent access to the rshx32.dll file on all your workstations and servers to Administrators and System only. You can do this with a GPO. The user can't access the security tab then and can't change permissions. Unless they know how to use cacls. You could lock the permissions on that file as well through Group Policy.
>>>>
>>>> 2010/1/13 Terri Esham <[email protected]>
>>>>
>>>>> We have a Windows 2008 Domain whereby we control access to folders stored on one of the domain controllers through Active Directory groups. When a new folder is created on the network file server, we grant full permissions to the associated active directory group with the exception of the ability to set and change permissions.
>>>>>
>>>>> We just discovered that a user can grant permissions to any folder that they create under the primary folder because they are the folder owner. Obviously, I can change ownership to the domain admin, but how in the world would I keep up with this.
>>>>> I've no idea when a user might create a sub folder. I stumbled upon the problem because I found a folder whereby a user had granted the everyone group full rights. I knew none of the domain admins would do that. After talking with the owner of the folder, I found out he's been doing it all along.
>>>>>
>>>>> Wow! This is a real problem for us because we want to control access through groups. This one user had shared a bunch of folders using individual names. Plus, he had no clue what he was doing and just granted everyone full rights.
>>>>>
>>>>> How in the world do you guys handle this? Am I missing something?
>>>>>
>>>>> Thanks, Terri
>>>>>
>>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> --
>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
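
An added example, not part of the original thread or any poster's script: a read-only PowerShell audit for the conditions discussed above (folders owned by ordinary users, and ACEs that let a non-admin principal rewrite permissions), suitable for running on a schedule. The share path and the trusted-owner list are assumptions, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit; nothing is changed on disk.
# $Root and $TrustedOwners are assumptions, not values from the thread.
param(
    [string]$Root = 'D:\Shares\Projects',
    [string[]]$TrustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Rights that let a principal rewrite the DACL or seize ownership.
# 0x10000000 is GENERIC_ALL, which inherit-only ACEs (such as
# CREATOR OWNER) often carry instead of the specific FullControl bits.
$aclControl = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$aclControl = $aclControl -bor 0x10000000

function Get-AclFinding {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path

    # An owner can always change the DACL, whatever the ACEs say,
    # so a non-admin owner is reported even when the ACL looks clean.
    if ($TrustedOwners -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $Path; Principal = $acl.Owner; Issue = 'Non-admin owner' }
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $TrustedOwners -contains $who) { continue }

        if (([int]$ace.FileSystemRights -band $aclControl) -ne 0) {
            # Covers Everyone/Full Control and CREATOR OWNER/Full Control.
            [pscustomobject]@{ Path = $Path; Principal = $who; Issue = 'Can change permissions or take ownership' }
        }
        elseif (-not $ace.IsInherited) {
            # Explicit ACE below the share root: likely set by hand.
            [pscustomobject]@{ Path = $Path; Principal = $who; Issue = 'Explicit (non-inherited) ACE' }
        }
    }
}

# Subfolders only: the root is expected to carry the explicit group grants.
Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AclFinding -Path $_.FullName } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

Folders reported as "Non-admin owner" are the ones where hiding the Security tab changes nothing, since the owner can still edit the ACL from the command line.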
