You'll need to get rid of that permission setting in addition to changing the owner. Or not. Your approach is probably enough, too.

On Wed, Jan 13, 2010 at 12:19 PM, James Rankin <[email protected]> wrote:

> On the folder they've created, it seems so. Not any of the other folders already there though.
>
> 2010/1/13 Jonathan Link <[email protected]>
>
>> Do the users still have full control permission?
>>
>> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin <[email protected]> wrote:
>>
>>> It behaves exactly the same (for me anyway) after the permissions are removed - creating user is named as owner on the security tab and has the appropriate permissions rights to go with it. And after setting the owner with subinacl. Digging around in all this is making me glad I've set the security tab to hidden. I'm considering running the subinacl command as a scheduled task as well, as I can see multiple owners on parts of my data structure.
>>>
>>> 2010/1/13 <[email protected]>
>>>
>>>> What about users who create folders after the permissions are removed?
>>>>
>>>> You have to do it from the very beginning, or manually reset the perms after the fact as Jonathan has indicated earlier.
>>>>
>>>> There is a special set of rights that are implicitly granted, but the removal of Creator/Owner should address that.
>>>>
>>>> I'll test it later today to verify.
>>>>
>>>> Sent from my Verizon Wireless BlackBerry
>>>> ------------------------------
>>>> *From:* James Rankin <[email protected]>
>>>> *Date:* Wed, 13 Jan 2010 16:16:07 +0000
>>>> *To:* NT System Admin Issues <[email protected]>
>>>> *Subject:* Re: Users Setting NTFS Permissions
>>>>
>>>> Hmmm....I've removed it and it is still listing users who have created folders as the owner. It's definitely not on the ACL...
>>>>
>>>> 2010/1/13 <[email protected]>
>>>>
>>>>> Creator/Owner is inherited and can be removed easily enough. Far easier to maintain.
>>>>>
>>>>> Sent from my Verizon Wireless BlackBerry
>>>>> ------------------------------
>>>>> *From:* James Rankin <[email protected]>
>>>>> *Date:* Wed, 13 Jan 2010 13:20:52 +0000
>>>>> *To:* NT System Admin Issues <[email protected]>
>>>>> *Subject:* Re: Users Setting NTFS Permissions
>>>>>
>>>>> I normally just give the groups RWXD, but the Creator Owner privilege appears by default on newly created folders. Without removing the ability to create folders and/or run subinacl scripts to take ownership, I find removing the GUI to change the permissions is the easiest option.
>>>>>
>>>>> 2010/1/13 Jonathan Link <[email protected]>
>>>>>
>>>>>> Isn't that just obfuscation? I thought the ability to change permissions was granted by the Full Control right. If that's the case, pull Creator/Owner Full control from your file system and reassign permissions accordingly.
>>>>>>
>>>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <[email protected]> wrote:
>>>>>>
>>>>>>> Prevent access to the rshx32.dll file on all your workstations and servers to Administrators and System only. You can do this with a GPO. The user can't access the security tab then and can't change permissions. Unless they know how to use cacls. You could lock the permissions on that file as well through Group Policy.
>>>>>>>
>>>>>>> 2010/1/13 Terri Esham <[email protected]>
>>>>>>>
>>>>>>>> We have a Windows 2008 Domain whereby we control access to folders stored on one of the domain controllers through Active Directory groups. When a new folder is created on the network file server, we grant full permissions to the associated active directory group with the exception of the ability to set and change permissions.
>>>>>>>>
>>>>>>>> We just discovered that a user can grant permissions to any folder that they create under the primary folder because they are the folder owner. Obviously, I can change ownership to the domain admin, but how in the world would I keep up with this. I've no idea when a user might create a sub folder. I stumbled upon the problem because I found a folder whereby a user had granted the everyone group full rights. I knew none of the domain admins would do that. After talking with the owner of the folder, I found out he's been doing it all along.
>>>>>>>>
>>>>>>>> Wow! This is a real problem for us because we want to control access through groups. This one user had shared a bunch of folders using individual names. Plus, he had no clue what he was doing and just granted everyone full rights.
>>>>>>>>
>>>>>>>> How in the world do you guys handle this? Am I missing something?
>>>>>>>>
>>>>>>>> Thanks, Terri
>>>>>>>>
>>>>>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>>>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>>>>
>>>>>>> --
>>>>>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
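
The two conditions the thread describes (subfolders owned by the user who created them, and permissions added directly on a folder, such as Everyone with full rights) can be found with a periodic audit. The PowerShell below is an added example and is not part of the original thread; the function name `Get-FolderAclDrift`, its parameters and the sample path are hypothetical, while the SIDs are the well-known values for Administrators, SYSTEM and Everyone.

```powershell
# Added example, not from the thread. Run elevated; needs PowerShell 3.0 or later.
# Reports folders under $Root whose owner is outside the allowed set, or that carry
# explicit (non-inherited) Allow ACEs, e.g. a user granting Everyone full rights.
function Get-FolderAclDrift {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM
        [string[]]$AllowedOwnerSids = @('S-1-5-32-544', 'S-1-5-18'),
        [switch]$ResetOwner
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return }

        # Compare SIDs rather than names so the check is locale-independent.
        $ownerSid = $acl.GetOwner($sidType).Value
        $badOwner = $AllowedOwnerSids -notcontains $ownerSid

        # includeExplicit = $true, includeInherited = $false
        $explicit = @($acl.GetAccessRules($true, $false, $sidType) |
            Where-Object { $_.AccessControlType -eq 'Allow' })
        $everyone = @($explicit | Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' })

        if (-not $badOwner -and $explicit.Count -eq 0) { return }

        if ($badOwner -and $ResetOwner) {
            # icacls takes a numeric SID when it is prefixed with '*'.
            & icacls.exe $path /setowner '*S-1-5-32-544' /C /Q | Out-Null
        }

        [pscustomobject]@{
            Path          = $path
            Owner         = $acl.Owner
            OwnerFlagged  = $badOwner
            EveryoneAllow = ($everyone.Count -gt 0)
            ExplicitAces  = ($explicit | ForEach-Object {
                "$($_.IdentityReference.Value):$($_.FileSystemRights)" }) -join '; '
        }
    }
}

# Report only (D:\Shares\Dept is a hypothetical path):
# Get-FolderAclDrift -Root 'D:\Shares\Dept' | Export-Csv .\acl-drift.csv -NoTypeInformation
```

Folders where administrators assign the group permissions will legitimately show explicit ACEs, so filter those paths out of the report. `-ResetOwner` changes only the owner; any ACE the previous owner added stays in place until it is removed separately.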
