That's perfect. Thanks, Terri
Miller Bonnie L. said the following on 1/14/2010 11:08 AM:

> Have you considered removing the security tab via gpo? We use this for students.
>
> \User configuration\Administrative Templates\Windows Components\Windows Explorer
>
> Remove Security Tab
>
> -Bonnie
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Thursday, January 14, 2010 6:28 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Users Setting NTFS Permissions
>
> That's an interesting point, I forgot about the cumulative effects of share and NTFS permissions. I always leave the share permissions as Everyone:Full so that everything is controlled by NTFS. It's one less place to look when you are troubleshooting an access issue.
>
> I might run some tests on the combination of share and NTFS and see if it works any different.
>
> 2010/1/14 Andrew S. Baker <asbz...@gmail.com>
>
> What share rights do your users have?
>
> If your users have share rights of CHANGE and only administrators have share rights of FULL CONTROL, this problem should be averted, as the combination of file & share perms would prevent the problem being addressed here.
>
> *ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Providing Competitive Advantage through Effective IT Leadership*
>
> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin <kz2...@googlemail.com> wrote:
>
> It behaves exactly the same (for me anyway) after the permissions are removed - creating user is named as owner on the security tab and has the appropriate permissions rights to go with it. And after setting the owner with subinacl. Digging around in all this is making me glad I've set the security tab to hidden. I'm considering running the subinacl command as a scheduled task as well, as I can see multiple owners on parts of my data structure.
>
> 2010/1/13 <asbz...@gmail.com>
>
> What about users who create folders after the permissions are removed?
>
> You have to do it from the very beginning, or manually reset the perms after the fact as Jonathan has indicated earlier.
>
> There is a special set of rights that are implicitly granted, but the removal of Creator/Owner should address that.
>
> I'll test it later today to verify.
>
> Sent from my Verizon Wireless BlackBerry
>
> *From:* James Rankin <kz2...@googlemail.com>
> *Date:* Wed, 13 Jan 2010 16:16:07 +0000
> *To:* NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> *Subject:* Re: Users Setting NTFS Permissions
>
> Hmmm....I've removed it and it is still listing users who have created folders as the owner. It's definitely not on the ACL...
>
> 2010/1/13 <asbz...@gmail.com>
>
> Creator/Owner is inherited and can be removed easily enough. Far easier to maintain.
>
> Sent from my Verizon Wireless BlackBerry
>
> *From:* James Rankin <kz2...@googlemail.com>
> *Date:* Wed, 13 Jan 2010 13:20:52 +0000
> *To:* NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
> *Subject:* Re: Users Setting NTFS Permissions
>
> I normally just give the groups RWXD, but the Creator Owner privilege appears by default on newly created folders. Without removing the ability to create folders and/or run subinacl scripts to take ownership, I find removing the GUI to change the permissions is the easiest option.
>
> 2010/1/13 Jonathan Link <jonathan.l...@gmail.com>
>
> Isn't that just obfuscation? I thought the ability to change permissions was granted by the Full Control right. If that's the case, pull Creator/Owner Full control from your file system and reassign permissions accordingly.
>
> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <kz2...@googlemail.com> wrote:
>
> Prevent access to the rshx32.dll file on all your workstations and servers to Administrators and System only. You can do this with a GPO. The user can't access the security tab then and can't change permissions. Unless they know how to use cacls. You could lock the permissions on that file as well through Group Policy.
>
> 2010/1/13 Terri Esham <terri.es...@noaa.gov>
>
> We have a Windows 2008 Domain whereby we control access to folders stored on one of the domain controllers through Active Directory groups. When a new folder is created on the network file server, we grant full permissions to the associated active directory group with the exception of the ability to set and change permissions.
>
> We just discovered that a user can grant permissions to any folder that they create under the primary folder because they are the folder owner. Obviously, I can change ownership to the domain admin, but how in the world would I keep up with this. I've no idea when a user might create a sub folder. I stumbled upon the problem because I found a folder whereby a user had granted the everyone group full rights. I knew none of the domain admins would do that. After talking with the owner of the folder, I found out he's been doing it all along.
>
> Wow! This is a real problem for us because we want to control access through groups. This one user had shared a bunch of folders using individual names. Plus, he had no clue what he was doing and just granted everyone full rights.
>
> How in the world do you guys handle this? Am I missing something?
>
> Thanks, Terri
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
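
An added example, not part of the original thread: a PowerShell audit for the two symptoms described above, subfolders owned by the user who created them and ACEs set by hand on a subfolder (including Everyone with Full Control). The root path and the expected-owner list are hypothetical values; the script assumes PowerShell 3.0 or later and English account names.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ and English
# account names; $Root and $ExpectedOwners are hypothetical values to adjust.
param(
    [string]$Root = 'D:\Shares\Projects',
    [string[]]$ExpectedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-FolderAclFinding {
    param([string]$Path, [string[]]$ExpectedOwners)

    $acl = Get-Acl -LiteralPath $Path

    # By default the owner can rewrite the DACL, whatever the ACL itself grants.
    $ownerUnexpected = $ExpectedOwners -notcontains $acl.Owner

    # Explicit (non-inherited) ACEs were set on this folder itself,
    # e.g. a user sharing it with individual names or with Everyone.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $everyoneFull = @($explicit | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $FullControl) -eq $FullControl
    })

    # Nothing to report: expected owner and purely inherited permissions.
    if (-not $ownerUnexpected -and $explicit.Count -eq 0) { return }

    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        OwnerUnexpected     = $ownerUnexpected
        EveryoneFullControl = ($everyoneFull.Count -gt 0)
        ExplicitAces        = ($explicit | ForEach-Object {
            '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }) -join '; '
    }
}

# Walk every subfolder under the share root and emit one object per finding.
Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force |
    ForEach-Object { Get-FolderAclFinding -Path $_.FullName -ExpectedOwners $ExpectedOwners } |
    Sort-Object Path
```

Run it under an account that can read every ACL below the root; the output objects can be piped to `Export-Csv` for review before ownership is reset.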