Because there is plenty of information within an organisation that shouldn't 
necessarily be accessible to everyone in the organisation. Everything from HR 
information, payroll information, accounting information, IT information...

If users are mistakenly sharing out information to "Everyone" because they 
don't know how to do it better (and potentially refuse to understand, even 
given training) then you need to look at other methods (be they technical 
implementations, or removing the user's ability to do this, or fire the 
employee).

Cheers
Ken

From: Bill Songstad [mailto:bsongs...@gmail.com]
Sent: Thursday, 14 January 2010 10:23 AM
To: NT System Admin Issues
Subject: Re: Users Setting NTFS Permissions

I'm curious why you are concerned that an employee empowered to create a folder 
in your domain should not be allowed to set access rights to it.  Why disallow 
them the ability to control access if you as a domain admin can seize control 
if need be?

It's not like the everyone group includes anyone not in an existing domain 
security group.  It's not like NT or W2K where the everyone group included the 
anonymous group.  It's only authenticated domain users (and maybe machines).

If this is a case where an employee might share confidential information with 
those who should not see it, well that is a behavior/training issue, because if 
they want to share that info, locking their ability to set ACLs on that folder 
is not going to prevent them.

Bill

On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham <terri.es...@noaa.gov> wrote:
We have a Windows 2008 Domain whereby we control access to folders
stored on one of the domain controllers through Active Directory
groups.  When a new folder is created on the network file server, we
grant full permissions to the associated active directory group with the
exception of the ability to set and change permissions.

We just discovered that a user can grant permissions to any folder that
they create under the primary folder because they are the folder
owner.   Obviously, I can change ownership to the domain admin, but how
in the world would I keep up with this.  I've no idea when a user might
create a sub folder.  I stumbled upon the problem because I found a
folder whereby a user had granted the everyone group full rights.  I
knew none of the domain admins would do that.  After talking with the
owner of the folder, I found out he's been doing it all along.

Wow!  This is a real problem for us because we want to control access
through groups.  This one user had shared a bunch of folders using
individual names.  Plus, he had no clue what he was doing and just
granted everyone full rights.

How in the world do you guys handle this?  Am I missing something?

Thanks, Terri

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
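
An audit for the situation described in this thread, as an added example that is not part of the original messages: it walks a share and reports subfolders owned by someone other than the expected admin principals, and any permissions set directly on a folder (including grants to Everyone). The share path and the expected-owner list are placeholders, and the script assumes PowerShell 3.0 or later for `-Directory`.

```powershell
# Added example: report user-owned subfolders and directly-set permissions.
# $ShareRoot and $ExpectedOwners are placeholders; adjust for your environment.
param(
    [string]$ShareRoot = 'D:\Shares\Primary',
    [string[]]$ExpectedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

$everyoneSid = 'S-1-1-0'   # well-known SID of the Everyone group

function Get-AceSid {
    param($Ace)
    # IdentityReference is an account name when resolvable, a raw SID when not
    try {
        $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $Ace.IdentityReference.Value
    }
}

$dirs = Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue

$findings = foreach ($dir in $dirs) {
    # Skip folders whose ACL cannot be read instead of aborting the whole run
    try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }

    # 1. Owner is not an expected admin principal: the owner can rewrite the ACL
    #    even when the group was not granted "change permissions".
    if ($ExpectedOwners -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $dir.FullName; Issue = 'Non-admin owner'
                           Identity = $acl.Owner; Rights = '' }
    }

    # 2. Explicit (non-inherited) Allow entries: permissions set on this folder itself
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $issue = if ((Get-AceSid $ace) -eq $everyoneSid) { 'Everyone granted access' }
                 else { 'Explicit ACE' }
        [pscustomobject]@{ Path = $dir.FullName; Issue = $issue
                           Identity = $ace.IdentityReference.Value
                           Rights = $ace.FileSystemRights }
    }
}

$findings | Sort-Object Issue, Path | Format-Table -AutoSize
```

Run on a schedule, the output gives a list of folders to review without needing to know when a user created a subfolder.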





