Bill, I've seen firsthand where someone sets their own folder's NTFS
permissions and excludes all the system privileges for admin, backup, etc
... and it doesn't really become known without the time to do constant
reviews of the permissions (not likely) *OR* when the user has a problem
and wants their files restored from backup, which they excluded by their
NTFS settings ... sometimes preventing end users from setting permissions
helps to keep them from shooting themselves in the foot, and if the data
loss is strategic, it can impact more than just that user.

On Wed, Jan 13, 2010 at 6:23 PM, Bill Songstad <[email protected]> wrote:

> I'm curious why you are concerned that an employee empowered to create a
> folder in your domain should not be allowed to set access rights to it.  Why
> disallow them the ability to control access if you as a domain admin can
> seize control if need be?
>
> It's not like the everyone group includes anyone not in an existing
> domain security group.  It's not like NT or W2K where the everyone
> group included the anonymous group.  It's only authenticated domain users
> (and maybe machines).
>
> If this is a case where an employee might share confidential information
> with those who should not see it, well that is a behavior/training issue,
> because if they want to share that info, locking their ability to set ACLs
> on that folder is not going to prevent them.
>
> Bill
>
> On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham <[email protected]> wrote:
>
>> We have a Windows 2008 Domain whereby we control access to folders
>> stored on one of the domain controllers through Active Directory
>> groups.  When a new folder is created on the network file server, we
>> grant full permissions to the associated Active Directory group with the
>> exception of the ability to set and change permissions.
>>
>> We just discovered that a user can grant permissions to any folder that
>> they create under the primary folder because they are the folder
>> owner.  Obviously, I can change ownership to the domain admin, but how
>> in the world would I keep up with this?  I've no idea when a user might
>> create a subfolder.  I stumbled upon the problem because I found a
>> folder whereby a user had granted the everyone group full rights.  I
>> knew none of the domain admins would do that.  After talking with the
>> owner of the folder, I found out he's been doing it all along.
>>
>> Wow!  This is a real problem for us because we want to control access
>> through groups.  This one user had shared a bunch of folders using
>> individual names.  Plus, he had no clue what he was doing and just
>> granted everyone full rights.
>>
>> How in the world do you guys handle this?  Am I missing something?
>>
>> Thanks, Terri

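The permission review discussed in this thread can be scripted. The following is an added example, not part of the original messages: it walks a share and reports folders whose owner is not the Administrators group, where Everyone has Full Control, or where SYSTEM or Administrators no longer have Full Control. It assumes PowerShell 3.0 or later run elevated on the file server; the `$Root` path and the function names are placeholders chosen for illustration.

```powershell
# Added example, not from the thread. Function names and $Root are hypothetical.
param([string]$Root = 'D:\Shares\Primary')   # placeholder path

$SidType  = [System.Security.Principal.SecurityIdentifier]
$Everyone = 'S-1-1-0'        # Everyone
$System   = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$Admins   = 'S-1-5-32-544'   # BUILTIN\Administrators

function Test-FullControl($Rule) {
    # FullControl is 0x1F01FF; an ACE may also carry GENERIC_ALL (0x10000000).
    $r = [int]$Rule.FileSystemRights
    (($r -band 0x1F01FF) -eq 0x1F01FF) -or (($r -band 0x10000000) -ne 0)
}

function Get-FolderAclFinding([string]$Path) {
    # An ACL the administrator cannot read is itself a finding.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return [pscustomobject]@{ Path = $Path; Finding = 'ACL unreadable' } }

    $found = @()
    $owner = $acl.GetOwner($SidType).Value
    if ($owner -ne $Admins) { $found += "Owner is $owner and can rewrite the ACL" }

    # SIDs (explicit or inherited) that hold an Allow entry with Full Control.
    $full = @($acl.GetAccessRules($true, $true, $SidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-FullControl $_) } |
        ForEach-Object { $_.IdentityReference.Value })

    if ($full -contains $Everyone) { $found += 'Everyone has Full Control' }
    foreach ($sid in $System, $Admins) {
        if ($full -notcontains $sid) { $found += "No Full Control entry for $sid" }
    }
    $found | ForEach-Object { [pscustomobject]@{ Path = $Path; Finding = $_ } }
}

$folders = Get-ChildItem -LiteralPath $Root -Directory -Recurse `
    -ErrorAction SilentlyContinue -ErrorVariable skipped
$report  = @($folders | ForEach-Object { Get-FolderAclFinding $_.FullName })

# Folders that could not even be listed are reported as well.
$report += @($skipped | ForEach-Object {
    [pscustomobject]@{ Path = $_.TargetObject; Finding = 'Cannot enumerate' }
})
$report | Sort-Object Path | Format-Table -AutoSize
```

Run on a schedule, the output gives the "constant review" without manual effort: an empty report means every folder under `$Root` still has the expected owner and system entries.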