On the folder they've created, it seems so. Not any of the other folders already there though.
2010/1/13 Jonathan Link <[email protected]> > Do the users still have full control permission? > > > On Wed, Jan 13, 2010 at 11:57 AM, James Rankin <[email protected]>wrote: > >> It behaves exactly the same (for me anyway) after the permissions are >> removed - creating user is named as owner on the security tab and has the >> appropriate permissions rights to go with it. And after setting the owner >> with subinacl. Digging around in all this is making me glad I've set the >> security tab to hidden. I'm considering running the subinacl command as a >> scheduled task as well, as I can see multiple owners on parts of my data >> structure. >> >> >> 2010/1/13 <[email protected]> >> >>> What about users who create folders after the permissions are removed? >>> >>> You have to do it from the very beginning, or manually reset the perms >>> after the fact as Jonathan has indicated earlier. >>> >>> There is a special set of rights that are implicitly granted, but the >>> removal of Creator/Owner should address that. >>> >>> I'll test it later today to verify. >>> >>> >>> Sent from my Verizon Wireless BlackBerry >>> ------------------------------ >>> *From: *James Rankin <[email protected]> >>> *Date: *Wed, 13 Jan 2010 16:16:07 +0000 >>> *To: *NT System Admin Issues<[email protected]> >>> *Subject: *Re: Users Setting NTFS Permissions >>> >>> Hmmm....I've removed it and it is still listing users who have created >>> folders as the owner. It's definitely not on the ACL... >>> >>> 2010/1/13 <[email protected]> >>> >>>> Creator/Owner is inherited and can be removed easily enough. Far easier >>>> to maintain. >>>> >>>> Sent from my Verizon Wireless BlackBerry >>>> ------------------------------ >>>> *From: *James Rankin <[email protected]> >>>> *Date: *Wed, 13 Jan 2010 13:20:52 +0000 >>>> *To: *NT System Admin Issues<[email protected]> >>>> *Subject: *Re: Users Setting NTFS Permissions >>>> >>>> I normally just give the groups RWXD, but the Creator Owner privilege >>>> appears by default on newly created folders. Without removing the ability >>>> to >>>> create folders and/or run subinacl scripts to take ownership, I find >>>> removing the GUI to change the permissions is the easiest option. >>>> >>>> 2010/1/13 Jonathan Link <[email protected]> >>>> >>>>> Isn't that just obfuscation? I thought the ability to change >>>>> permissions was granted by the Full Control right. If that's the case, >>>>> pull >>>>> Creator/Owner Full control from your file system and reassign permissions >>>>> accordingly. >>>>> >>>>> >>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin >>>>> <[email protected]>wrote: >>>>> >>>>>> Prevent access to the rshx32.dll file on all your workstations and >>>>>> servers to Administrators and System only. You can do this with a GPO. >>>>>> The >>>>>> user can't access the security tab then and can't change permissions. >>>>>> Unless >>>>>> they know how to use cacls. You could lock the permissions on that file >>>>>> as >>>>>> well through Group Policy. >>>>>> >>>>>> 2010/1/13 Terri Esham <[email protected]> >>>>>> >>>>>> We have a Windows 2008 Domain whereby we control access to folders >>>>>>> stored on one of the domain controllers through Active Directory >>>>>>> groups. When a new folder is created on the network file server, we >>>>>>> grant full permissions to the associated active directory group with >>>>>>> the >>>>>>> exception of the ability to set and change permissions. >>>>>>> >>>>>>> We just discovered that a user can grant permissions to any folder >>>>>>> that >>>>>>> they create under the primary folder because they are the folder >>>>>>> owner. Obviously, I can change ownership to the domain admin, but >>>>>>> how >>>>>>> in the world would I keep up with this. I've no idea when a user >>>>>>> might >>>>>>> create a sub folder. I stumbled upon the problem because I found a >>>>>>> folder whereby a user had granted the everyone group full rights. I >>>>>>> knew none of the domain admins would do that. After talking with the >>>>>>> owner of the folder, I found out he's been doing it all along. >>>>>>> >>>>>>> Wow! This is a real problem for us because we want to control access >>>>>>> through groups. This one user had shared a bunch of folders using >>>>>>> individual names. Plus, he had no clue what he was doing and just >>>>>>> granted everyone full rights. >>>>>>> >>>>>>> How in the world do you guys handle this? Am I missing something? >>>>>>> >>>>>>> Thanks, Terri >>>>>>> >>>>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >>>>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put >>>>>> into the machine wrong figures, will the right answers come out?' I am >>>>>> not >>>>>> able rightly to apprehend the kind of confusion of ideas that could >>>>>> provoke >>>>>> such a question." >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put >>>> into the machine wrong figures, will the right answers come out?' I am not >>>> able rightly to apprehend the kind of confusion of ideas that could provoke >>>> such a question." >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>> >>> >>> -- >>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into >>> the machine wrong figures, will the right answers come out?' I am not able >>> rightly to apprehend the kind of confusion of ideas that could provoke such >>> a question." >>> >>> >>> >>> >>> >>> >>> >>> >>> >>> >> >> >> -- >> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into >> the machine wrong figures, will the right answers come out?' I am not able >> rightly to apprehend the kind of confusion of ideas that could provoke such >> a question." >> >> >> >> >> >> > > > > > -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
