Re: NTFS permissions

2011-09-21 Thread Jonathan Link
First you have to find the marble in the oatmeal.

On Wed, Sep 21, 2011 at 9:52 AM, David Lum  wrote:

> Thanks. I seem to remember trying to enable this kind of auditing and it
> was like drinking from a fire hose...
>
> Dave
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Tuesday, September 20, 2011 11:01 PM
> To: NT System Admin Issues
> Subject: Re: NTFS permissions
>
> On Tue, Sep 20, 2011 at 1:10 PM, David Lum  wrote:
> > I can turn on logging to capture ACL changes can't I?
>
>  You would need to enable "File access" auditing in Audit Policy (under
> Security Policy in GPO-land).
>
>  You would then need to create SACLs (Security ACLs, used for auditing
> (permissions are DACLs)) on the objects in question (files/folders),
> auditing Success for WRITE_DAC.
>
>  That's the theory, anyway.  In practice, NT generates all kinds of audit
> events for permissions that were simply requested but never used, and it
> turns out that lots of things (including Windows
> Explorer) request everything for everything they do.
>
>  Microsoft eventually introduced some separate event IDs for actually
> *using* the thing being audited.  I don't remember if that had shown up by
> 2003 or not.  And without subcategory audit policies (I'm pretty sure those
> are not in 2003) you still get a ton of useless audit events to slow down
> the system and fill up the log.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <
> http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin


Re: NTFS permissions

2011-09-21 Thread Ben Scott
On Wed, Sep 21, 2011 at 9:52 AM, David Lum  wrote:
> Thanks. I seem to remember trying to enable this kind of auditing and it
> was like drinking from a fire hose...

  Yah, and sometimes the firehose sprays gasoline instead of water.  :-p

-- Ben



RE: NTFS permissions

2011-09-21 Thread David Lum
Thanks. I seem to remember trying to enable this kind of auditing and it was 
like drinking from a fire hose...

Dave

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, September 20, 2011 11:01 PM
To: NT System Admin Issues
Subject: Re: NTFS permissions

On Tue, Sep 20, 2011 at 1:10 PM, David Lum  wrote:
> I can turn on logging to capture ACL changes can't I?

  You would need to enable "File access" auditing in Audit Policy (under 
Security Policy in GPO-land).

  You would then need to create SACLs (Security ACLs, used for auditing 
(permissions are DACLs)) on the objects in question (files/folders), auditing 
Success for WRITE_DAC.

  That's the theory, anyway.  In practice, NT generates all kinds of audit 
events for permissions that were simply requested but never used, and it turns 
out that lots of things (including Windows
Explorer) request everything for everything they do.

  Microsoft eventually introduced some separate event IDs for actually
*using* the thing being audited.  I don't remember if that had shown up by 2003 
or not.  And without subcategory audit policies (I'm pretty sure those are not 
in 2003) you still get a ton of useless audit events to slow down the system 
and fill up the log.

-- Ben




Re: NTFS permissions

2011-09-20 Thread Ben Scott
On Tue, Sep 20, 2011 at 1:10 PM, David Lum  wrote:
> I can turn on logging to capture ACL changes can’t I?

  You would need to enable "File access" auditing in Audit Policy
(under Security Policy in GPO-land).

  You would then need to create SACLs (Security ACLs, used for auditing
(permissions are DACLs)) on the objects in question (files/folders),
auditing Success for WRITE_DAC.

  That's the theory, anyway.  In practice, NT generates all kinds of
audit events for permissions that were simply requested but never
used, and it turns out that lots of things (including Windows
Explorer) request everything for everything they do.

  Microsoft eventually introduced some separate event IDs for actually
*using* the thing being audited.  I don't remember if that had shown
up by 2003 or not.  And without subcategory audit policies (I'm pretty
sure those are not in 2003) you still get a ton of useless audit
events to slow down the system and fill up the log.

-- Ben
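
The two steps described in the message above (audit policy, then a SACL auditing Success for WRITE_DAC), followed by a log query that cuts the event stream down to actual permission changes. This is an added example, not part of the original post; it assumes Vista / Server 2008 or later (subcategory audit policy, event IDs 4663 and 4670), an elevated PowerShell session, and a hypothetical folder path.

```powershell
# Added example (not from the thread). Run elevated.
$Path      = 'D:\Shares\Finance'   # hypothetical folder to watch
$WRITE_DAC = 0x40000               # access-mask bit for "change permissions"

# 1. Audit policy: enable Success auditing for the File System subcategory
#    only, rather than the whole Object Access category.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# 2. SACL: audit successful use of ChangePermissions (WRITE_DAC) by anyone,
#    on this folder and everything below it. S-1-1-0 is the Everyone SID.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, 'ChangePermissions', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl = Get-Acl -Path $Path -Audit          # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back only the events that matter:
#    4670 = permissions on an object were changed
#    4663 = an access right was actually used (kept only if WRITE_DAC is set)
#    4656 (handle requested) is deliberately not queried.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } `
             -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a hashtable.
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$n.Name] = $n.'#text'
        }

        $usedWriteDac = $_.Id -eq 4670 -or
            ([Convert]::ToInt32($data['AccessMask'], 16) -band $WRITE_DAC)

        if ($usedWriteDac -and $data['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']
                Object  = $data['ObjectName']
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Keeping the SACL limited to ChangePermissions and the policy limited to one subcategory is what keeps the log volume manageable.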




RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Carl Houseman
I tested on Windows 7.  When trying to open the folder, it offered to give me 
permission and added an ACL for my username to the folder.   Since my UAC 
prompts are disabled I have no idea if there would have also been a UAC prompt 
in the process.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 6:42 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

You shouldn’t be getting any prompting. I would kill for a UAC prompt :). 
Instead, I just get access denied.

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 5:28 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

You're right, I see it now.  I thought some of the permission prompting I was 
getting was just Explorer.exe being overprotective even when it had permission 
to change something - and I wasn't getting UAC prompts b/c I work with 
prompting disabled.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 4:20 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Yeah, the cmd is elevated as demonstrated by your test, but explorer isn’t. 
Have you tried the exact scenario I described? Logged in as an admin and try to 
open a folder that has perms only to admin.

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 12:58 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Didn't finish the editing.

If the "x:" worked, then the explorer . should work (started out with a cd /d 
x: in the example, changed it to just x: at the last second).

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 1:49 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Open an elevated cmd prompt.
Type:  
x:  (substitute your drive letter for x:)
explorer .

If the cd /d worked, then the explorer . should also work and is now showing 
you the drive contents.
If the cd /d failed, then either your cmd prompt is not elevated or there are 
other issues with that drive.

Carl

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 12:32 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I'm not seeing this at all. I’m logging into the machine as a member of the 
local administrators group, trying to access a drive that is permissioned with 
local admins and system full control. Nothing I've tried has let me access the 
drive through explorer, including setting the "launch folder...", using 
"explorer ." or "explorer /separate".

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Monday, February 21, 2011 9:37 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> Sent from my Palm Pre on the Now Network from Sprint
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for c

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Crawford, Scott
Might as well disable UAC...which is about where I'm at.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 8:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> Sent from my Palm Pre on the Now Network from Sprint
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, February 21, 2011 8:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not consciously no – should it be just to access a hard drive?  I did try
>> running Windows Explorer with “Run as Administrator” and I still got
>> access
>> denied.
>>
>> From: James Rankin [mailto:kz2...@googlemail.com]
>> Sent: 21 February 2011 13:24
>> To: NT System Admin Issues
>> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> UAC turned off?
>>
>> On 21 February 2011 13:19, Paul Hutchings 
>> wrote:
>>
>> Just starting to roll out some 2008 R2 based VM's.
>>
>> I've created a couple of new partitions on one of them, and thought I'd
>> lock
>> the permissions down to the local Administrators group and SYSTEM, but I'm
>> finding that logged onto the server console with an account that clearly
>> is
>> in the local Administrators group I can't access the root of the newly
>> created drives, I simply get "Access Denied".
>>
>> Of course because the account is in the Administrators group it can format
>> the drives and access them quite happily with the default permissions in
>> place.
>>
>>
>>
>> I suspect I’m missing something obvious but I’m not sure exactly what –
>> any
>> suggestions please?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>> 
>>
>> MIRA Ltd
>>
>>
>>
>> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
>>
>> Registered in England and Wales No. 402570
>>
>> VAT Registration  GB 100 1464 84
>>
>>
>>
>> The contents of this e-mail are confidential and are solely for the use of
>> the intended recipient.  If you receive this e-mail in error, please
>> delete
>> it and notify us either by e-mail, telephone or fax.  You should not copy,
>> forward or otherwise disclose the content of the e-mail as this is
>> prohibited.
>>

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Crawford, Scott
You shouldn’t be getting any prompting. I would kill for a UAC prompt :). 
Instead, I just get access denied.

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 5:28 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

You're right, I see it now.  I thought some of the permission prompting I was 
getting was just Explorer.exe being overprotective even when it had permission 
to change something - and I wasn't getting UAC prompts b/c I work with 
prompting disabled.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 4:20 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Yeah, the cmd is elevated as demonstrated by your test, but explorer isn’t. 
Have you tried the exact scenario I described? Logged in as an admin and try to 
open a folder that has perms only to admin.

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 12:58 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Didn't finish the editing.

If the "x:" worked, then the explorer . should work (started out with a cd /d 
x: in the example, changed it to just x: at the last second).

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 1:49 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Open an elevated cmd prompt.
Type:  
x:  (substitute your drive letter for x:)
explorer .

If the cd /d worked, then the explorer . should also work and is now showing 
you the drive contents.
If the cd /d failed, then either your cmd prompt is not elevated or there are 
other issues with that drive.

Carl

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 12:32 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I'm not seeing this at all. I’m logging into the machine as a member of the 
local administrators group, trying to access a drive that is permissioned with 
local admins and system full control. Nothing I've tried has let me access the 
drive through explorer, including setting the "launch folder...", using 
"explorer ." or "explorer /separate".

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Monday, February 21, 2011 9:37 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> Sent from my Palm Pre on the Now Network from Sprint
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
&

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Carl Houseman
You're right, I see it now.  I thought some of the permission prompting I was 
getting was just Explorer.exe being overprotective even when it had permission 
to change something - and I wasn't getting UAC prompts b/c I work with 
prompting disabled.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 4:20 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Yeah, the cmd is elevated as demonstrated by your test, but explorer isn’t. 
Have you tried the exact scenario I described? Logged in as an admin and try to 
open a folder that has perms only to admin.

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 12:58 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Didn't finish the editing.

If the "x:" worked, then the explorer . should work (started out with a cd /d 
x: in the example, changed it to just x: at the last second).

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 1:49 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Open an elevated cmd prompt.
Type:  
x:  (substitute your drive letter for x:)
explorer .

If the cd /d worked, then the explorer . should also work and is now showing 
you the drive contents.
If the cd /d failed, then either your cmd prompt is not elevated or there are 
other issues with that drive.

Carl

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 12:32 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I'm not seeing this at all. I’m logging into the machine as a member of the 
local administrators group, trying to access a drive that is permissioned with 
local admins and system full control. Nothing I've tried has let me access the 
drive through explorer, including setting the "launch folder...", using 
"explorer ." or "explorer /separate".

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Monday, February 21, 2011 9:37 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> Sent from my Palm Pre on the Now Network from Sprint
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange 

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Crawford, Scott
Yeah, the cmd is elevated as demonstrated by your test, but explorer isn’t. 
Have you tried the exact scenario I described? Logged in as an admin and try to 
open a folder that has perms only to admin.

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 12:58 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Didn't finish the editing.

If the "x:" worked, then the explorer . should work (started out with a cd /d 
x: in the example, changed it to just x: at the last second).

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 1:49 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Open an elevated cmd prompt.
Type:  
x:  (substitute your drive letter for x:)
explorer .

If the cd /d worked, then the explorer . should also work and is now showing 
you the drive contents.
If the cd /d failed, then either your cmd prompt is not elevated or there are 
other issues with that drive.

Carl

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 12:32 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I'm not seeing this at all. I’m logging into the machine as a member of the 
local administrators group, trying to access a drive that is permissioned with 
local admins and system full control. Nothing I've tried has let me access the 
drive through explorer, including setting the "launch folder...", using 
"explorer ." or "explorer /separate".

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Monday, February 21, 2011 9:37 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> Sent from my Palm Pre on the Now Network from Sprint
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, February 21, 2011 8:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not consciously no – should it be just to access a hard drive?  I did try
>> running Windows Explorer with “Run as Administrato

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Carl Houseman
Didn't finish the editing.

If the "x:" worked, then the explorer . should work (started out with a cd /d 
x: in the example, changed it to just x: at the last second).

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, February 22, 2011 1:49 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Open an elevated cmd prompt.
Type:  
x:  (substitute your drive letter for x:)
explorer .

If the cd /d worked, then the explorer . should also work and is now showing 
you the drive contents.
If the cd /d failed, then either your cmd prompt is not elevated or there are 
other issues with that drive.

Carl

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 12:32 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I'm not seeing this at all. I’m logging into the machine as a member of the 
local administrators group, trying to access a drive that is permissioned with 
local admins and system full control. Nothing I've tried has let me access the 
drive through explorer, including setting the "launch folder...", using 
"explorer ." or "explorer /separate".

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Monday, February 21, 2011 9:37 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> Sent from my Palm Pre on the Now Network from Sprint
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, February 21, 2011 8:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not consciously no – should it be just to access a hard drive?  I did try
>> running Windows Explorer with “Run as Administrator” and I still got
>> access
>> denied.
>>
>> From: James Rankin [mailto:kz2...@googlemail.com]
>> Sent: 21 February 2011 13:24
>> To: NT System Admin Issues
>> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> UAC turned off?
>>
>> On 21 February 2011 13:19, Paul Hutchings 
>> wrote:
>>
>> Just sta

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Carl Houseman
Open an elevated cmd prompt.
Type:  
x:  (substitute your drive letter for x:)
explorer .

If the cd /d worked, then the explorer . should also work and is now showing 
you the drive contents.
If the cd /d failed, then either your cmd prompt is not elevated or there are 
other issues with that drive.

Carl

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, February 22, 2011 12:32 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I'm not seeing this at all. I’m logging into the machine as a member of the 
local administrators group, trying to access a drive that is permissioned with 
local admins and system full control. Nothing I've tried has let me access the 
drive through explorer, including setting the "launch folder...", using 
"explorer ." or "explorer /separate".

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Monday, February 21, 2011 9:37 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, February 21, 2011 8:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not consciously no – should it be just to access a hard drive?  I did try
>> running Windows Explorer with “Run as Administrator” and I still got
>> access
>> denied.
>>
>> From: James Rankin [mailto:kz2...@googlemail.com]
>> Sent: 21 February 2011 13:24
>> To: NT System Admin Issues
>> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> UAC turned off?
>>
>> On 21 February 2011 13:19, Paul Hutchings 
>> wrote:
>>
>> Just starting to roll out some 2008 R2 based VM's.
>>
>> I've created a couple of new partitions on one of them, and thought I'd
>> lock
>> the permissions down to the local Administrators group and SYSTEM, but I'm
>> finding that logged onto the server console with an account that clearly
>> is
>> in the local Administrators group I can't a
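
The behaviour debated in this thread (an account in the local Administrators group getting "Access Denied" on a volume that grants access only to Administrators and SYSTEM) can be confirmed by inspecting the process token. The PowerShell below is an added example, not part of the original messages; the drive root `X:\` is a placeholder, and the "deny only" match assumes English `whoami` output.

```powershell
# Added example (not from the thread). Run it once from a normal prompt and
# once from an elevated prompt, then compare the two outputs.
$Root = 'X:\'                 # placeholder drive root; substitute your own

$AdminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)

function Get-TokenAdminState {
    # IsInRole is true only when the Administrators SID is enabled in the
    # token, i.e. the process is elevated (or UAC is switched off).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the token with its attributes. /nh drops
    # the (localized) header row so the columns can be named here.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header 'Name', 'Type', 'Sid', 'Attributes'
    $admin = $groups | Where-Object { $_.Sid -eq $AdminSid }

    # Under UAC the filtered token keeps the Administrators SID but flags it
    # deny-only: it can match Deny ACEs, never Allow ACEs.
    # Assumption: English attribute text ("Group used for deny only").
    if (-not $admin) { $membership = 'absent' }
    elseif ($admin.Attributes -match 'deny only') { $membership = 'deny-only' }
    else { $membership = 'enabled' }

    New-Object PSObject -Property @{
        Elevated       = $elevated
        Administrators = $membership
    }
}

function Get-AllowSids {
    param([string]$Path)
    # Reading the DACL itself needs READ_CONTROL, so this call can fail from
    # the filtered token; the caller handles that case.
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            # Compare by SID so localized or renamed group names do not matter.
            $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } |
        Select-Object -Unique
}

$state = Get-TokenAdminState
'Elevated: {0}   Administrators SID in token: {1}' -f `
    $state.Elevated, $state.Administrators

try {
    $allow  = @(Get-AllowSids -Path $Root)
    $others = @($allow | Where-Object { @($AdminSid, $SystemSid) -notcontains $_ })
    if ($others.Count -eq 0) {
        "$Root grants access only to Administrators and SYSTEM."
    } else {
        "$Root also grants access to: $($others -join ', ')"
    }
} catch {
    # Expected from a non-elevated prompt when no Allow ACE matches the token.
    "Cannot read the ACL on ${Root}: $($_.Exception.Message)"
}

if ($state.Administrators -eq 'deny-only') {
    'This process holds the filtered UAC token; Allow ACEs for Administrators do not apply to it.'
}
```

The script avoids PowerShell 3.0-only syntax so that it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.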

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-22 Thread Crawford, Scott
I'm not seeing this at all. I’m logging into the machine as a member of the 
local administrators group, trying to access a drive that is permissioned with 
local admins and system full control. Nothing I've tried has let me access the 
drive through explorer, including setting the "launch folder...", using 
"explorer ." or "explorer /separate".

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Monday, February 21, 2011 9:37 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, February 21, 2011 8:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not consciously no – should it be just to access a hard drive?  I did try
>> running Windows Explorer with “Run as Administrator” and I still got
>> access
>> denied.
>>
>> From: James Rankin [mailto:kz2...@googlemail.com]
>> Sent: 21 February 2011 13:24
>> To: NT System Admin Issues
>> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> UAC turned off?
>>
>> On 21 February 2011 13:19, Paul Hutchings 
>> wrote:
>>
>> Just starting to roll out some 2008 R2 based VM's.
>>
>> I've created a couple of new partitions on one of them, and thought I'd
>> lock
>> the permissions down to the local Administrators group and SYSTEM, but I'm
>> finding that logged onto the server console with an account that clearly
>> is
>> in the local Administrators group I can't access the root of the newly
>> created drives, I simply get "Access Denied".
>>
>> Of course because the account is in the Administrators group it can format
>> the drives and access them quite happily with the default permissions in
>> place.
>>
>>
>>
>> I suspect I’m missing something obvious but I’m not sure exactly what –
>> any
>> suggestions please?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>> __

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Carl Houseman
No need to kill anything.  Just type "explorer ." from an elevated command 
prompt.  Putting a parameter on the command line is important.  You'll get a 
new process that's elevated, regardless of the "launch folder windows in 
separate process" setting.

Carl

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, February 21, 2011 9:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, February 21, 2011 8:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not consciously no – should it be just to access a hard drive?  I did try
>> running Windows Explorer with “Run as Administrator” and I still got
>> access
>> denied.
>>
>> From: James Rankin [mailto:kz2...@googlemail.com]
>> Sent: 21 February 2011 13:24
>> To: NT System Admin Issues
>> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> UAC turned off?
>>
>> On 21 February 2011 13:19, Paul Hutchings 
>> wrote:
>>
>> Just starting to roll out some 2008 R2 based VM's.
>>
>> I've created a couple of new partitions on one of them, and thought I'd
>> lock
>> the permissions down to the local Administrators group and SYSTEM, but I'm
>> finding that logged onto the server console with an account that clearly
>> is
>> in the local Administrators group I can't access the root of the newly
>> created drives, I simply get "Access Denied".
>>
>> Of course because the account is in the Administrators group it can format
>> the drives and access them quite happily with the default permissions in
>> place.
>>
>>
>>
>> I suspect I’m missing something obvious but I’m not sure exactly what –
>> any
>> suggestions please?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>> 
>>

Re: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Kurt Buff
Just kill explorer once - as soon as you log in. :)

On Mon, Feb 21, 2011 at 18:17, Crawford, Scott  wrote:
> Yeah, that definitely works, but killing explorer every time you want to
> switch contexts gets tedious. You can kill it with task manager too for the
> same effect.
>
>
>
> 
> On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:
>
> Hmmm...
>
> If that's all true, then doing 'pskill explorer' from an elevated cmd
> prompt and a runas script should do the trick as well, I would think.
>
> Kurt
>
> On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
>> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
>> Sent: Monday, February 21, 2011 1:24 PM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not quite.  You can create a separate process with “explorer /separate”.
>> This works great in XP with runas for creating an explorer window under a
>> different security context.  It still works in Vista/7/2K8 to create a
>> separate process, but it still gets created without admin group in the
>> token.
>>
>>
>>
>> From: Michael B. Smith [mailto:mich...@smithcons.com]
>> Sent: Monday, February 21, 2011 7:36 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> You can’t actually do a run-as for Windows Explorer. There is only a
>> single
>> process per login, so the run-as doesn’t work as expected.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith
>>
>> Consultant and Exchange MVP
>>
>> http://TheEssentialExchange.com
>>
>>
>>
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, February 21, 2011 8:26 AM
>> To: NT System Admin Issues
>> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> Not consciously no – should it be just to access a hard drive?  I did try
>> running Windows Explorer with “Run as Administrator” and I still got
>> access
>> denied.
>>
>> From: James Rankin [mailto:kz2...@googlemail.com]
>> Sent: 21 February 2011 13:24
>> To: NT System Admin Issues
>> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>>
>>
>>
>> UAC turned off?
>>
>> On 21 February 2011 13:19, Paul Hutchings 
>> wrote:
>>
>> Just starting to roll out some 2008 R2 based VM's.
>>
>> I've created a couple of new partitions on one of them, and thought I'd
>> lock
>> the permissions down to the local Administrators group and SYSTEM, but I'm
>> finding that logged onto the server console with an account that clearly
>> is
>> in the local Administrators group I can't access the root of the newly
>> created drives, I simply get "Access Denied".
>>
>> Of course because the account is in the Administrators group it can format
>> the drives and access them quite happily with the default permissions in
>> place.
>>
>>
>>
>> I suspect I’m missing something obvious but I’m not sure exactly what –
>> any
>> suggestions please?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>> 
>>

Re: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Crawford, Scott
Yeah, that definitely works, but killing explorer every time you want to switch 
contexts gets tedious. You can kill it with task manager too for the same 
effect.





On Feb 21, 2011 6:53 PM, Kurt Buff  wrote:

Hmmm...

If that's all true, then doing 'pskill explorer' from an elevated cmd
prompt and a runas script should do the trick as well, I would think.

Kurt

On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>
>
>
> Carl
>
>
>
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, February 21, 2011 1:24 PM
> To: NT System Admin Issues
> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> Not quite.  You can create a separate process with “explorer /separate”.
> This works great in XP with runas for creating an explorer window under a
> different security context.  It still works in Vista/7/2K8 to create a
> separate process, but it still gets created without admin group in the
> token.
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Monday, February 21, 2011 7:36 AM
> To: NT System Admin Issues
> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> You can’t actually do a run-as for Windows Explorer. There is only a single
> process per login, so the run-as doesn’t work as expected.
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> Sent: Monday, February 21, 2011 8:26 AM
> To: NT System Admin Issues
> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> Not consciously no – should it be just to access a hard drive?  I did try
> running Windows Explorer with “Run as Administrator” and I still got access
> denied.
>
> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: 21 February 2011 13:24
> To: NT System Admin Issues
> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> UAC turned off?
>
> On 21 February 2011 13:19, Paul Hutchings  wrote:
>
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd lock
> the permissions down to the local Administrators group and SYSTEM, but I'm
> finding that logged onto the server console with an account that clearly is
> in the local Administrators group I can't access the root of the newly
> created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can format
> the drives and access them quite happily with the default permissions in
> place.
>
>
>
> I suspect I’m missing something obvious but I’m not sure exactly what – any
> suggestions please?
>
>
>
> Thanks,
>
> Paul
>
> 
>

Re: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Kurt Buff
Hmmm...

If that's all true, then doing 'pskill explorer' from an elevated cmd
prompt and a runas script should do the trick as well, I would think.

Kurt

On Mon, Feb 21, 2011 at 15:36, Carl Houseman  wrote:
> http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html
>
>
>
> Carl
>
>
>
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, February 21, 2011 1:24 PM
> To: NT System Admin Issues
> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> Not quite.  You can create a separate process with “explorer /separate”.
> This works great in XP with runas for creating an explorer window under a
> different security context.  It still works in Vista/7/2K8 to create a
> separate process, but it still gets created without admin group in the
> token.
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Monday, February 21, 2011 7:36 AM
> To: NT System Admin Issues
> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> You can’t actually do a run-as for Windows Explorer. There is only a single
> process per login, so the run-as doesn’t work as expected.
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> Sent: Monday, February 21, 2011 8:26 AM
> To: NT System Admin Issues
> Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> Not consciously no – should it be just to access a hard drive?  I did try
> running Windows Explorer with “Run as Administrator” and I still got access
> denied.
>
> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: 21 February 2011 13:24
> To: NT System Admin Issues
> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> UAC turned off?
>
> On 21 February 2011 13:19, Paul Hutchings  wrote:
>
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd lock
> the permissions down to the local Administrators group and SYSTEM, but I'm
> finding that logged onto the server console with an account that clearly is
> in the local Administrators group I can't access the root of the newly
> created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can format
> the drives and access them quite happily with the default permissions in
> place.
>
>
>
> I suspect I’m missing something obvious but I’m not sure exactly what – any
> suggestions please?
>
>
>
> Thanks,
>
> Paul
>
> 
>

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Carl Houseman
http://vistavitals.blogspot.com/2008/06/uac-elevate-windows-explorer.html

 

Carl

 

From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, February 21, 2011 1:24 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

 

Not quite.  You can create a separate process with "explorer /separate".
This works great in XP with runas for creating an explorer window under a
different security context.  It still works in Vista/7/2K8 to create a
separate process, but it still gets created without admin group in the
token.

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Monday, February 21, 2011 7:36 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

 

You can't actually do a run-as for Windows Explorer. There is only a single
process per login, so the run-as doesn't work as expected.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Monday, February 21, 2011 8:26 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

 

Not consciously no - should it be just to access a hard drive?  I did try
running Windows Explorer with "Run as Administrator" and I still got access
denied.

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: 21 February 2011 13:24
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

 

UAC turned off?

On 21 February 2011 13:19, Paul Hutchings  wrote:

Just starting to roll out some 2008 R2 based VM's.

I've created a couple of new partitions on one of them, and thought I'd lock
the permissions down to the local Administrators group and SYSTEM, but I'm
finding that logged onto the server console with an account that clearly is
in the local Administrators group I can't access the root of the newly
created drives, I simply get "Access Denied".

Of course because the account is in the Administrators group it can format
the drives and access them quite happily with the default permissions in
place.

 

I suspect I'm missing something obvious but I'm not sure exactly what - any
suggestions please?

 

Thanks,

Paul


RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Crawford, Scott
Yeah, I've started noticing that as well.  I'm not too concerned with its 
features beyond the ability to help get around UAC. If it accomplishes that for 
me, it's served its purpose.  I'm heavily considering turning off UAC on my 
servers for this very reason, but I'd like to keep it if possible.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, February 21, 2011 4:54 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I tried explorer++ for awhile, and I like its capabilities - but it's too slow 
to load. Explorer pops right up - subsecond. Explorer++ takes a couple of 
second - and I hate that. :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, February 21, 2011 3:28 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Yeah, UAC and Explorer is a major pain. It's basically completely broken. Just 
like the OP, I have drives permissioned with only Administrators:F and 
System:F. When opening that drive, one would expect to get a UAC prompt, but 
none is to be found.

I recently came across
http://blogs.technet.com/b/elevationpowertoys/archive/2009/11/20/explore-as-administrator-powertoy.aspx

which mentions using http://explorerplusplus.com/ which will run elevated. So 
far, I like it quite a bit, but I'm not a huge fan of adding another app to my 
environment, so I'd prefer a native solution. One somewhat klunky option is to 
use the Open File dialog box in an elevated notepad session.

Ideally, I'd like to find out how to use the Open File dialog from an elevated 
command line.

I too am a huge fan of the CLI, but sometimes the GUI is just easier.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, February 21, 2011 7:35 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Completely about UAC.

Disable UAC or use the File Server / Shares MMCs (elevated, of course) instead 
of Windows Explorer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 8:33 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive


How are you creating these VMs?  This doesn't sound like normal behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:20 AM, "Paul Hutchings" <paul.hutchi...@mira.co.uk> wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
>
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
>
>
> Thanks,
>
> Paul
>
>
> --
> MIRA Ltd
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
> Registered in England and Wales No. 402570
> VAT Registration GB 100 1464 84
>
> The contents of this e-mail are confidential and are solely for the use of 
> the intended recipient. If you receive this e-mail in error, please delete it 
> and notify us either by e-mail, telephone or fax. You should not copy, 
> forward or otherwise disclose the content of the e-mail as this is prohibited.

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Michael B. Smith
I tried explorer++ for awhile, and I like its capabilities - but it's too slow 
to load. Explorer pops right up - subsecond. Explorer++ takes a couple of 
second - and I hate that. :-P

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, February 21, 2011 3:28 PM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Yeah, UAC and Explorer is a major pain. It's basically completely broken. Just 
like the OP, I have drives permissioned with only Administrators:F and 
System:F. When opening that drive, one would expect to get a UAC prompt, but 
none is to be found.

I recently came across
http://blogs.technet.com/b/elevationpowertoys/archive/2009/11/20/explore-as-administrator-powertoy.aspx

which mentions using http://explorerplusplus.com/ which will run elevated. So 
far, I like it quite a bit, but I'm not a huge fan of adding another app to my 
environment, so I'd prefer a native solution. One somewhat klunky option is to 
use the Open File dialog box in an elevated notepad session.

Ideally, I'd like to find out how to use the Open File dialog from an elevated 
command line.

I too am a huge fan of the CLI, but sometimes the GUI is just easier.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, February 21, 2011 7:35 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Completely about UAC.

Disable UAC or use the File Server / Shares MMCs (elevated, of course) instead 
of Windows Explorer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 8:33 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive


How are you creating these VMs?  This doesn't sound like normal behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:20 AM, "Paul Hutchings" <paul.hutchi...@mira.co.uk> wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
>
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
>
>
> Thanks,
>
> Paul
>
>
> --
> MIRA Ltd
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
> Registered in England and Wales No. 402570
> VAT Registration GB 100 1464 84
>
> The contents of this e-mail are confidential and are solely for the use of 
> the intended recipient. If you receive this e-mail in error, please delete it 
> and notify us either by e-mail, telephone or fax. You should not copy, 
> forward or otherwise disclose the content of the e-mail as this is prohibited.

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Crawford, Scott
Yeah, UAC and Explorer is a major pain. It's basically completely broken. Just 
like the OP, I have drives permissioned with only Administrators:F and 
System:F. When opening that drive, one would expect to get a UAC prompt, but 
none is to be found.

I recently came across
http://blogs.technet.com/b/elevationpowertoys/archive/2009/11/20/explore-as-administrator-powertoy.aspx

which mentions using http://explorerplusplus.com/ which will run elevated. So 
far, I like it quite a bit, but I'm not a huge fan of adding another app to my 
environment, so I'd prefer a native solution. One somewhat klunky option is to 
use the Open File dialog box in an elevated notepad session.

Ideally, I'd like to find out how to use the Open File dialog from an elevated 
command line.

I too am a huge fan of the CLI, but sometimes the GUI is just easier.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, February 21, 2011 7:35 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Completely about UAC.

Disable UAC or use the File Server / Shares MMCs (elevated, of course) instead 
of Windows Explorer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 8:33 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive


How are you creating these VMs?  This doesn't sound like normal behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:20 AM, "Paul Hutchings" <paul.hutchi...@mira.co.uk> wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
>
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
>
>
> Thanks,
>
> Paul
>
>
> --
> MIRA Ltd
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
> Registered in England and Wales No. 402570
> VAT Registration GB 100 1464 84
>
> The contents of this e-mail are confidential and are solely for the use of 
> the intended recipient. If you receive this e-mail in error, please delete it 
> and notify us either by e-mail, telephone or fax. You should not copy, 
> forward or otherwise disclose the content of the e-mail as this is prohibited.

Re: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Andrew S. Baker
I've never really left the CLI, but I do need to do more powershell.

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
 On Feb 21, 2011 10:57 AM, "James Rankin"  wrote:
> I used to do most everything from the command line...then GUI became all
> the rage...and now MS are trying to convert us all back via PowerShell.
> It's high time I grasped the nettle and went fully PS...I spend too much
> time loading up old utilities from the NT4 ResKit just to do my day-to-day
> tasks :-)
>
> On 21 February 2011 15:53, Andrew S. Baker  wrote:
>
>> Yes, we most certainly are. I'm still trying to work on many members of
>> my team at %work%
>>
>> -ASB: http://about.me/Andrew.S.Baker
>>
>> Sent from my Motorola Droid
>> On Feb 21, 2011 8:44 AM, "Michael B. Smith" 
>> wrote:
>>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> *IMPORTANT: This email is intended for the use of the individual
> addressee(s) named above and may contain information that is confidential,
> privileged or unsuitable for overly sensitive persons with low self-esteem,
> no sense of humour or irrational religious beliefs. If you are not the
> intended recipient, any dissemination, distribution or copying of this email
> is not authorised (either explicitly or implicitly) and constitutes an
> irritating social faux pas.
>
> Unless the word absquatulation has been used in its correct context
> somewhere other than in this warning, it does not have any legal or no
> grammatical use and may be ignored. No animals were harmed in the
> transmission of this email, although the kelpie next door is living on
> borrowed time, let me tell you. Those of you with an overwhelming fear of
> the unknown will be gratified to learn that there is no hidden message
> revealed by reading this warning backwards, so just ignore that Alert Notice
> from Microsoft.
>
> However, by pouring a complete circle of salt around yourself and your
> computer you can ensure that no harm befalls you and your pets. If you have
> received this email in error, please add some nutmeg and egg whites, whisk
> and place in a warm oven for 40 minutes.*

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Crawford, Scott
Not quite.  You can create a separate process with "explorer /separate". This 
works great in XP with runas for creating an explorer window under a different 
security context.  It still works in Vista/7/2K8 to create a separate process, 
but it still gets created without admin group in the token.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, February 21, 2011 7:36 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

You can't actually do a run-as for Windows Explorer. There is only a single 
process per login, so the run-as doesn't work as expected.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, February 21, 2011 8:26 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Not consciously no - should it be just to access a hard drive?  I did try 
running Windows Explorer with "Run as Administrator" and I still got access 
denied.

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: 21 February 2011 13:24
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

UAC turned off?

On 21 February 2011 13:19, Paul Hutchings <paul.hutchi...@mira.co.uk> wrote:

Just starting to roll out some 2008 R2 based VM's.

I've created a couple of new partitions on one of them, and thought I'd lock 
the permissions down to the local Administrators group and SYSTEM, but I'm 
finding that logged onto the server console with an account that clearly is in 
the local Administrators group I can't access the root of the newly created 
drives, I simply get "Access Denied".

Of course because the account is in the Administrators group it can format the 
drives and access them quite happily with the default permissions in place.

I suspect I'm missing something obvious but I'm not sure exactly what - any 
suggestions please?

Thanks,
Paul

MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.



--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: This email is intended for the use of the individual addressee(s) 
named above and may contain information that is confidential, privileged or 
unsuitable for overly sensitive persons with low self-esteem, no sense of 
humour or irrational religious beliefs. If you are not the intended recipient, 
any dissemination, distribution or copying of this email is not authorised 
(either explicitly or implicitly) and constitutes an irritating social faux pas.

Unless the word absquatulation has been used in its correct context somewhere 
other than in this warning, it does not have any legal or no grammatical use 
and may be ignored. No animals were harmed in the transmission of this email, 
although the kelpie next door is living on borrowed time, let me tell you. 
Those of you with an overwhelming fear of the unknown will be gratified to 
learn that there is no hidden message revealed by reading this warning 
backwards, so just ignore that Alert Notice from Microsoft.

However, by pouring a complete circle of salt around yourself and your computer 
you can ensure that no harm befalls you and your pets. If you have received 
this email in error, please add some nutmeg and egg whites, whisk and place in 
a warm oven for 40 minutes.
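
The behaviour discussed in this thread (a volume permissioned only for Administrators and SYSTEM returning "Access Denied" to a member of Administrators, and a new Explorer process being created "without admin group in the token") can be confirmed from a prompt. The script below is an added example, not part of any poster's message; `E:\` is a placeholder drive letter, the function names are hypothetical, and the attribute match assumes English-language `whoami` output.

```powershell
# Added example (not from the thread). Run it once in a normal prompt and once
# in an elevated prompt on the same server, then compare the two outputs.
# Assumptions: E:\ stands in for the locked-down volume; whoami output is English.
$DriveRoot = 'E:\'
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-AdminTokenState {
    # IsInRole() returns $false when Administrators is in the token only as a
    # deny-only group, which is what the UAC filtered token contains.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group SID in the current token with its attributes.
    $admins = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq $AdminsSid }

    if (-not $admins) {
        $state = 'NotMember'
    } elseif ($admins.Attributes -match 'deny only') {
        $state = 'DenyOnly'
    } else {
        $state = 'Enabled'
    }

    New-Object PSObject -Property @{
        User           = $identity.Name
        Elevated       = $elevated
        Administrators = $state
    }
}

function Test-RootAccess {
    param([string]$Path)

    # Try to list the root of the volume with the current token.
    try {
        Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null
        $listing = 'Allowed'
    } catch {
        $listing = 'Denied: ' + $_.Exception.Message
    }

    # Reading the DACL needs READ_CONTROL, so this can fail for the same reason.
    try {
        $aces = (Get-Acl -Path $Path -ErrorAction Stop).Access | ForEach-Object {
            '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }
    } catch {
        $aces = 'DACL not readable with this token: ' + $_.Exception.Message
    }

    New-Object PSObject -Property @{ Path = $Path; Listing = $listing; Aces = $aces }
}

$token  = Get-AdminTokenState
$access = Test-RootAccess -Path $DriveRoot

$token  | Format-List User, Elevated, Administrators
$access | Format-List Path, Listing, Aces

if ($token.Administrators -eq 'DenyOnly' -and $access.Listing -ne 'Allowed') {
    # Deny-only SIDs are matched against Deny ACEs only, never against Allow ACEs.
    'Filtered token: the Allow ACE for Administrators grants nothing to this process.'
} elseif ($token.Elevated -and $access.Listing -eq 'Allowed') {
    'Elevated token: Administrators is enabled, so the Administrators ACE applies.'
}
```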


RE: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Michael B. Smith
Geeks.

:-)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Crawford, Scott [crawfo...@evangel.edu]
Sent: Monday, February 21, 2011 12:03 PM
To: NT System Admin Issues
Subject: RE: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

It’s also originally a function of the command line, the unfamiliarity of 
which, was under discussion…that’s why it’s funny. :)

Sorry, I shoulda added a smiley last time

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, February 21, 2011 11:00 AM
To: NT System Admin Issues
Subject: Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Expandable environment variable reference - basically it is populated with 
whatever your current job is

On 21 February 2011 16:57, Crawford, Scott <crawfo...@evangel.edu> wrote:

I’m not familiar with %work%. Why do you surround it with percent signs?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 9:54 AM
To: NT System Admin Issues
Subject: Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive


Yes, we most certainly are.  I'm still trying to work on many members of my 
team at %work%

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:44 AM, "Michael B. Smith" <mich...@smithcons.com> wrote:


--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: This email is intended for the use of the individual addressee(s) 
named above and may contain information that is confidential, privileged or 
unsuitable for overly sensitive persons with low self-esteem, no sense of 
humour or irrational religious beliefs. If you are not the intended recipient, 
any dissemination, distribution or copying of this email is not authorised 
(either explicitly or implicitly) and constitutes an irritating social faux pas.

Unless the word absquatulation has been used in its correct context somewhere 
other than in this warning, it does not have any legal or no grammatical use 
and may be ignored. No animals were harmed in the transmission of this email, 
although the kelpie next door is living on borrowed time, let me tell you. 
Those of you with an overwhelming fear of the unknown will be gratified to 
learn that there is no hidden message revealed by reading this warning 
backwards, so just ignore that Alert Notice from Microsoft.

However, by pouring a complete circle of salt around yourself and your computer 
you can ensure that no harm befalls you and your pets. If you have received 
this email in error, please add some nutmeg and egg whites, whisk and place in 
a warm oven for 40 minutes.


RE: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Crawford, Scott
It's also originally a function of the command line, the unfamiliarity of 
which, was under discussion...that's why it's funny. :)

Sorry, I shoulda added a smiley last time

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, February 21, 2011 11:00 AM
To: NT System Admin Issues
Subject: Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Expandable environment variable reference - basically it is populated with 
whatever your current job is

On 21 February 2011 16:57, Crawford, Scott <crawfo...@evangel.edu> wrote:

I'm not familiar with %work%. Why do you surround it with percent signs?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 9:54 AM
To: NT System Admin Issues
Subject: Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive


Yes, we most certainly are.  I'm still trying to work on many members of my 
team at %work%

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:44 AM, "Michael B. Smith" <mich...@smithcons.com> wrote:


--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: This email is intended for the use of the individual addressee(s) 
named above and may contain information that is confidential, privileged or 
unsuitable for overly sensitive persons with low self-esteem, no sense of 
humour or irrational religious beliefs. If you are not the intended recipient, 
any dissemination, distribution or copying of this email is not authorised 
(either explicitly or implicitly) and constitutes an irritating social faux pas.

Unless the word absquatulation has been used in its correct context somewhere 
other than in this warning, it does not have any legal or no grammatical use 
and may be ignored. No animals were harmed in the transmission of this email, 
although the kelpie next door is living on borrowed time, let me tell you. 
Those of you with an overwhelming fear of the unknown will be gratified to 
learn that there is no hidden message revealed by reading this warning 
backwards, so just ignore that Alert Notice from Microsoft.

However, by pouring a complete circle of salt around yourself and your computer 
you can ensure that no harm befalls you and your pets. If you have received 
this email in error, please add some nutmeg and egg whites, whisk and place in 
a warm oven for 40 minutes.


Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread James Rankin
Expandable environment variable reference - basically it is populated with
whatever your current job is

On 21 February 2011 16:57, Crawford, Scott  wrote:

>  I’m not familiar with %work%. Why do you surround it with percent signs?
>
>
>
> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
> *Sent:* Monday, February 21, 2011 9:54 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new
> drive
>
>
>
> Yes, we most certainly are.  I'm still trying to work on many members of my
> team at %work%
>
> -ASB: http://about.me/Andrew.S.Baker
>
> Sent from my Motorola Droid
>
> On Feb 21, 2011 8:44 AM, "Michael B. Smith"  wrote:
>

RE: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Crawford, Scott
I'm not familiar with %work%. Why do you surround it with percent signs?

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 9:54 AM
To: NT System Admin Issues
Subject: Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive


Yes, we most certainly are.  I'm still trying to work on many members of my 
team at %work%

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:44 AM, "Michael B. Smith" <mich...@smithcons.com> wrote:


RE: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Maglinger, Paul
Because I administrate UNIX and Windows, PowerShell isn't too much of a 
stretch.  The only thing I wish for in command line is some consistency.

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Monday, February 21, 2011 9:57 AM
To: NT System Admin Issues
Subject: Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

I used to do most everything from the command line... then GUI became all the 
rage... and now MS are trying to convert us all back via PowerShell. It's high 
time I grasped the nettle and went fully PS... I spend too much time loading up 
old utilities from the NT4 ResKit just to do my day-to-day tasks :-)

On 21 February 2011 15:53, Andrew S. Baker <asbz...@gmail.com> wrote:

Yes, we most certainly are.  I'm still trying to work on many members of my 
team at %work%

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:44 AM, "Michael B. Smith" <mich...@smithcons.com> wrote:


Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread James Rankin
I used to do most everything from the command line... then GUI became all
the rage... and now MS are trying to convert us all back via PowerShell.
It's high time I grasped the nettle and went fully PS... I spend too much
time loading up old utilities from the NT4 ResKit just to do my day-to-day
tasks :-)

On 21 February 2011 15:53, Andrew S. Baker  wrote:

> Yes, we most certainly are.  I'm still trying to work on many members of my
> team at %work%
>
> -ASB: http://about.me/Andrew.S.Baker
>
> Sent from my Motorola Droid
> On Feb 21, 2011 8:44 AM, "Michael B. Smith" wrote:
>

Re: RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Andrew S. Baker
Yes, we most certainly are.  I'm still trying to work on many members of my
team at %work%

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
 On Feb 21, 2011 8:44 AM, "Michael B. Smith"  wrote:


RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread John Hornbuckle
This isn't just you - I've run into the same thing with 2008 (I believe the 
behavior isn't limited just to R2).



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us



From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, February 21, 2011 8:47 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

OK so disabling UAC lets me get at the data (though I could get at it from 
cmd.exe with UAC enabled).

At least now I have something to go on in trying to track down quite which 
setting it is that "protects" Administrators from accessing data to which they 
have access... grrr!

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: 21 February 2011 13:35
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Completely about UAC.

Disable UAC or use the File Server / Shares MMCs (elevated, of course) instead 
of Windows Explorer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 8:33 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive


How are you creating these VMs?  This doesn't sound like normal behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:20 AM, "Paul Hutchings" <paul.hutchi...@mira.co.uk> wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
>
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
>
>
> Thanks,
>
> Paul
>
>
> --
> MIRA Ltd
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
> Registered in England and Wales No. 402570
> VAT Registration GB 100 1464 84
>
> The contents of this e-mail are confidential and are solely for the use of 
> the intended recipient. If you receive this e-mail in error, please delete it 
> and notify us either by e-mail, telephone or fax. You should not copy, 
> forward or otherwise disclose the content of the e-mail as this is prohibited.
>



NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.
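
The UAC behaviour this thread converges on, as an added example that was not posted by anyone on the list: with UAC enabled, a non-elevated process holds a filtered token in which BUILTIN\Administrators is kept for deny checks only, so an ACL that grants access solely to Administrators and SYSTEM matches no Allow entry for it. The script below reports that state for the current process and for a drive root; `E:\` is a hypothetical path, and the `SID` column name assumes English-language `whoami` output.

```powershell
# Added example, not from the thread. Run it once from a normal prompt and
# once from an elevated prompt and compare the output.
param([string]$Path = 'E:\')   # hypothetical drive root locked to Administrators + SYSTEM

$adminSid  = 'S-1-5-32-544'    # well-known SID of BUILTIN\Administrators
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# IsInRole is true only when Administrators is enabled in this token,
# that is, when the process is elevated or UAC is switched off.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# whoami lists every group carried by the token, deny-only ones included.
# Assumption: the CSV header for the SID column is "SID" (English output).
$tokenGroups = whoami /groups /fo csv | ConvertFrom-Csv
$isMember    = @($tokenGroups | Where-Object { $_.SID -eq $adminSid }).Count -gt 0

# SIDs that can satisfy an Allow ACE: the user plus the enabled groups.
# WindowsIdentity.Groups leaves deny-only groups out.
$usable = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

"Elevated token:              $elevated"
"Administrators in token:     $isMember"
"Administrators is deny-only: $($isMember -and -not $elevated)"

try {
    $acl   = Get-Acl -Path $Path -ErrorAction Stop
    $allow = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    foreach ($ace in $allow) {
        # Compare by SID so renamed or localized group names do not matter.
        $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value
        '{0,-35} {1,-28} usable by this token: {2}' -f `
            $ace.IdentityReference, $ace.FileSystemRights, ($usable -contains $sid)
    }
} catch {
    # With a filtered token and an Administrators/SYSTEM-only ACL, even
    # reading the ACL fails; that is the "Access Denied" seen in Explorer.
    "Cannot read the ACL of ${Path} with this token: $($_.Exception.Message)"
}
```

From a non-elevated prompt on such a drive the last line reports the access failure; from an elevated prompt each Allow entry is listed and the Administrators entry shows as usable.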


RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Paul Hutchings
OK so disabling UAC lets me get at the data (though I could get at it
from cmd.exe with UAC enabled).

 

At least now I have something to go on in trying to track down quite
which setting it is that "protects" Administrators from accessing data
to which they have access... grrr!



From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: 21 February 2011 13:35
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

 

Completely about UAC.

Disable UAC or use the File Server / Shares MMCs (elevated, of course)
instead of Windows Explorer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Monday, February 21, 2011 8:33 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

 

How are you creating these VMs?  This doesn't sound like normal
behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid

On Feb 21, 2011 8:20 AM, "Paul Hutchings" wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
> Thanks,
>
> Paul
>
> --
> MIRA Ltd
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
> Registered in England and Wales No. 402570
> VAT Registration GB 100 1464 84
>
> The contents of this e-mail are confidential and are solely for the use of
> the intended recipient. If you receive this e-mail in error, please delete it
> and notify us either by e-mail, telephone or fax. You should not copy,
> forward or otherwise disclose the content of the e-mail as this is prohibited.

RE: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Michael B. Smith
Me too. But in that, I fear, we are still outliers.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 8:42 AM
To: NT System Admin Issues
Subject: Re: RE: Windows 2008 R2 - Default NTFS Permissions on new drive


I love me some CMD access.  :)

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:35 AM, "Michael B. Smith" <mich...@smithcons.com> wrote:
> Completely about UAC.
>
> Disable UAC or use the File Server / Shares MMCs (elevated, of course) 
> instead of Windows Explorer.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> From: Andrew S. Baker [mailto:asbz...@gmail.com]
> Sent: Monday, February 21, 2011 8:33 AM
> To: NT System Admin Issues
> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
> How are you creating these VMs? This doesn't sound like normal behavior...
>
> -ASB: http://about.me/Andrew.S.Baker
>
> Sent from my Motorola Droid
> On Feb 21, 2011 8:20 AM, "Paul Hutchings" <paul.hutchi...@mira.co.uk> wrote:
>> Just starting to roll out some 2008 R2 based VM's.
>>
>> I've created a couple of new partitions on one of them, and thought I'd
>> lock the permissions down to the local Administrators group and SYSTEM,
>> but I'm finding that logged onto the server console with an account that
>> clearly is in the local Administrators group I can't access the root of
>> the newly created drives, I simply get "Access Denied".
>>
>> Of course because the account is in the Administrators group it can
>> format the drives and access them quite happily with the default
>> permissions in place.
>>
>>
>>
>> I suspect I'm missing something obvious but I'm not sure exactly what -
>> any suggestions please?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>>
>> --
>> MIRA Ltd
>>
>> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
>> Registered in England and Wales No. 402570
>> VAT Registration GB 100 1464 84
>>
>> The contents of this e-mail are confidential and are solely for the use of 
>> the intended recipient. If you receive this e-mail in error, please delete 
>> it and notify us either by e-mail, telephone or fax. You should not copy, 
>> forward or otherwise disclose the content of the e-mail as this is 
>> prohibited.
>>

Re: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Andrew S. Baker
I love me some CMD access.  :)

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
 On Feb 21, 2011 8:35 AM, "Michael B. Smith"  wrote:
> Completely about UAC.
>
> Disable UAC or use the File Server / Shares MMCs (elevated, of course)
> instead of Windows Explorer.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> From: Andrew S. Baker [mailto:asbz...@gmail.com]
> Sent: Monday, February 21, 2011 8:33 AM
> To: NT System Admin Issues
> Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
> How are you creating these VMs? This doesn't sound like normal behavior...
>
> -ASB: http://about.me/Andrew.S.Baker
>
> Sent from my Motorola Droid
> On Feb 21, 2011 8:20 AM, "Paul Hutchings" <paul.hutchi...@mira.co.uk> wrote:
>> Just starting to roll out some 2008 R2 based VM's.
>>
>> I've created a couple of new partitions on one of them, and thought I'd
>> lock the permissions down to the local Administrators group and SYSTEM,
>> but I'm finding that logged onto the server console with an account that
>> clearly is in the local Administrators group I can't access the root of
>> the newly created drives, I simply get "Access Denied".
>>
>> Of course because the account is in the Administrators group it can
>> format the drives and access them quite happily with the default
>> permissions in place.
>>
>>
>>
>> I suspect I'm missing something obvious but I'm not sure exactly what -
>> any suggestions please?
>>
>>
>>
>> Thanks,
>>
>> Paul
>>
>>
>> --
>> MIRA Ltd
>>
>> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
>> Registered in England and Wales No. 402570
>> VAT Registration GB 100 1464 84
>>
>> The contents of this e-mail are confidential and are solely for the use
>> of the intended recipient. If you receive this e-mail in error, please
>> delete it and notify us either by e-mail, telephone or fax. You should not
>> copy, forward or otherwise disclose the content of the e-mail as this is
>> prohibited.
>>

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Paul Hutchings
It's just a VM from a volume license 2008 R2 ISO download.  I'm just
going to try UAC now - it seems to be a console thing, I can do
\\server\e$ or whatever drive it may be with no problem.

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: 21 February 2011 13:33
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

 

How are you creating these VMs?  This doesn't sound like normal
behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid

On Feb 21, 2011 8:20 AM, "Paul Hutchings" wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
> Thanks,
>
> Paul
>
> --
> MIRA Ltd
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
> Registered in England and Wales No. 402570
> VAT Registration GB 100 1464 84
>
> The contents of this e-mail are confidential and are solely for the use of
> the intended recipient. If you receive this e-mail in error, please delete it
> and notify us either by e-mail, telephone or fax. You should not copy,
> forward or otherwise disclose the content of the e-mail as this is prohibited.

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Michael B. Smith
You can't actually do a run-as for Windows Explorer. There is only a single 
process per login, so the run-as doesn't work as expected.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, February 21, 2011 8:26 AM
To: NT System Admin Issues
Subject: RE: Windows 2008 R2 - Default NTFS Permissions on new drive

Not consciously no - should it be just to access a hard drive?  I did try 
running Windows Explorer with "Run as Administrator" and I still got access 
denied.

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: 21 February 2011 13:24
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

UAC turned off?

On 21 February 2011 13:19, Paul Hutchings <paul.hutchi...@mira.co.uk> wrote:

Just starting to roll out some 2008 R2 based VM's.

I've created a couple of new partitions on one of them, and thought I'd lock 
the permissions down to the local Administrators group and SYSTEM, but I'm 
finding that logged onto the server console with an account that clearly is in 
the local Administrators group I can't access the root of the newly created 
drives, I simply get "Access Denied".

Of course because the account is in the Administrators group it can format the 
drives and access them quite happily with the default permissions in place.

I suspect I'm missing something obvious but I'm not sure exactly what - any 
suggestions please?

Thanks,
Paul

MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.




--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."

IMPORTANT: This email is intended for the use of the individual addressee(s) 
named above and may contain information that is confidential, privileged or 
unsuitable for overly sensitive persons with low self-esteem, no sense of 
humour or irrational religious beliefs. If you are not the intended recipient, 
any dissemination, distribution or copying of this email is not authorised 
(either explicitly or implicitly) and constitutes an irritating social faux pas.

Unless the word absquatulation has been used in its correct context somewhere 
other than in this warning, it does not have any legal or no grammatical use 
and may be ignored. No animals were harmed in the transmission of this email, 
although the kelpie next door is living on borrowed time, let me tell you. 
Those of you with an overwhelming fear of the unknown will be gratified to 
learn that there is no hidden message revealed by reading this warning 
backwards, so just ignore that Alert Notice from Microsoft.

However, by pouring a complete circle of salt around yourself and your computer 
you can ensure that no harm befalls you and your pets. If you have received 
this email in error, please add some nutmeg and egg whites, whisk and place in 
a warm oven for 40 minutes.


RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Michael B. Smith
Completely about UAC.

Disable UAC or use the File Server / Shares MMCs (elevated, of course) instead 
of Windows Explorer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, February 21, 2011 8:33 AM
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive


How are you creating these VMs?  This doesn't sound like normal behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:20 AM, "Paul Hutchings" <paul.hutchi...@mira.co.uk> wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
>
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
>
>
> Thanks,
>
> Paul
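To check the UAC explanation in this reply on an affected server, the following added example (not code from the thread) reports whether the current token is elevated, how BUILTIN\Administrators appears in that token, and what the ACL on the volume root allows. The drive letter E:\ is a placeholder and the function names are this example's own; the whoami column names and attribute text assume an English-language system.

```powershell
# Added example, not from the thread. E:\ is a placeholder for the locked-down volume.
param([string]$Root = 'E:\')

function Test-TokenElevated {
    # IsInRole returns False when BUILTIN\Administrators is in the token only
    # as a deny-only SID, which is what a UAC-filtered token carries.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AdministratorsTokenEntry {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Column names (SID, Attributes) are those of an English-language whoami.
    whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
}

function Get-RootAcl {
    param([string]$Path)
    try {
        # Reading the DACL itself fails from a filtered token when only
        # Administrators and SYSTEM are listed, so report that instead of aborting.
        (Get-Acl -Path $Path -ErrorAction Stop).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType
    } catch {
        Write-Warning "Cannot read the ACL on $Path with this token: $($_.Exception.Message)"
    }
}

$elevated = Test-TokenElevated
$entry    = Get-AdministratorsTokenEntry

if (-not $entry) {
    'This account is not a member of BUILTIN\Administrators.'
} elseif ($entry.Attributes -match 'deny only') {
    # A deny-only SID never matches an Allow ACE, so an ACL that grants access
    # to Administrators and SYSTEM only gives this process nothing.
    'Filtered token: Administrators is present for deny checks only.'
} else {
    'Full token: Administrators is an enabled group in this process.'
}

"IsInRole(Administrator) = $elevated"
Get-RootAcl -Path $Root | Format-Table -AutoSize
```

Run it once from a normal prompt and once from an elevated one on the same account to see the two token states side by side.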

Re: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Andrew S. Baker
How are you creating these VMs?  This doesn't sound like normal behavior...

-ASB: http://about.me/Andrew.S.Baker

Sent from my Motorola Droid
On Feb 21, 2011 8:20 AM, "Paul Hutchings" wrote:
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM,
> but I'm finding that logged onto the server console with an account that
> clearly is in the local Administrators group I can't access the root of
> the newly created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can
> format the drives and access them quite happily with the default
> permissions in place.
>
>
>
> I suspect I'm missing something obvious but I'm not sure exactly what -
> any suggestions please?
>
>
>
> Thanks,
>
> Paul

Re: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread James Rankin
I often find there's some permissions funniness unless UAC is turned off by
GPO. You could maybe give that a bash.

Can you actually get into the security tab on the root of the drive and see
if it errors out there?

On 21 February 2011 13:25, Paul Hutchings  wrote:

> Not consciously no – should it be just to access a hard drive?  I did try
> running Windows Explorer with “Run as Administrator” and I still got access
> denied.
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* 21 February 2011 13:24
> *To:* NT System Admin Issues
> *Subject:* Re: Windows 2008 R2 - Default NTFS Permissions on new drive
>
>
>
> UAC turned off?
>
> On 21 February 2011 13:19, Paul Hutchings wrote:
>
> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM, but
> I'm finding that logged onto the server console with an account that clearly
> is in the local Administrators group I can't access the root of the newly
> created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can format
> the drives and access them quite happily with the default permissions in
> place.
>
>
>
> I suspect I’m missing something obvious but I’m not sure exactly what – any
> suggestions please?
>
>
>
> Thanks,
>
> Paul

RE: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread Paul Hutchings
Not consciously no - should it be just to access a hard drive?  I did
try running Windows Explorer with "Run as Administrator" and I still got
access denied.



From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: 21 February 2011 13:24
To: NT System Admin Issues
Subject: Re: Windows 2008 R2 - Default NTFS Permissions on new drive

 

UAC turned off?

On 21 February 2011 13:19, Paul Hutchings wrote:

Just starting to roll out some 2008 R2 based VM's.

I've created a couple of new partitions on one of them, and thought I'd
lock the permissions down to the local Administrators group and SYSTEM,
but I'm finding that logged onto the server console with an account that
clearly is in the local Administrators group I can't access the root of
the newly created drives, I simply get "Access Denied".

Of course because the account is in the Administrators group it can
format the drives and access them quite happily with the default
permissions in place.

 

I suspect I'm missing something obvious but I'm not sure exactly what -
any suggestions please?

 

Thanks,

Paul




Re: Windows 2008 R2 - Default NTFS Permissions on new drive

2011-02-21 Thread James Rankin
UAC turned off?

On 21 February 2011 13:19, Paul Hutchings  wrote:

> Just starting to roll out some 2008 R2 based VM's.
>
> I've created a couple of new partitions on one of them, and thought I'd
> lock the permissions down to the local Administrators group and SYSTEM, but
> I'm finding that logged onto the server console with an account that clearly
> is in the local Administrators group I can't access the root of the newly
> created drives, I simply get "Access Denied".
>
> Of course because the account is in the Administrators group it can format
> the drives and access them quite happily with the default permissions in
> place.
>
>
>
> I suspect I’m missing something obvious but I’m not sure exactly what – any
> suggestions please?
>
>
>
> Thanks,
>
> Paul

Re: NTFS Permissions Questions

2010-03-19 Thread Kurt Buff
One file/directory resource, two groups. For instance, a share:
\\fileserver\share and a set of directories \\fileserver\share\dir1
and \\fileserver\share\dir2

I'll have 4 groups: FileserverShareDir1-RO, FileserverShareDir1-RW,
FileserverShareDir2-RO and FileserverShareDir2-RW

The share will have full permissions for Domain Users (not Everyone),
and the directory to which the share is applied (\\fileserver\share)
will have Read permissions, "This Folder Only", for Domain Users.

I then apply the permissions for the four groups above, with
appropriate permissions (Read for the RO group, and Modify for the RW
group) to the directories below, with "This Folder, Subfolders and
Files".

This assumes that you won't be applying permissions below the
\\fileserver\share\dir1 level. If that's not the case, then add groups
and adjust permissions as needed.

There's a bit more to it than that, but that's the gist of it.

Kurt

On Fri, Mar 19, 2010 at 06:57, Jason Morris  wrote:
> I’m looking at cleaning up some of our more ornery areas and want to know if
> anybody has some opinions/real world experience they’d be willing to share.
> From my perspective everything is working ok speed-wise but I want to know
> what other people are doing.
>
>
>
> We have a series of folders in one share that not all users with access to
> the share will be utilizing. Some will have “Folder A / Folder B / and
> Folder C” but not “Folder D / Folder E / and Folder F”. And others will be
> mixing and matching.
>
>
>
> I prefer to give groups permissions to the folders and put the users in the
> groups. But this might mean there will be 10 groups on Folder A. This might
> also mean User George will be a member of 20 groups. This is how I have it
> now and it’s working ok speed-wise. (it’s ornery because we’ve had requests
> here and there for individuals to access a folder and we’ve had to tweak
> security for the individual user)
>
>
>
> Is it better/faster to have groups checked in the ACL or have it some other
> way?
>
>
>
> Inquiring minds want to know.
>
> --
>
> Jason Morris
>
> MJMC, Inc.
>
> P: 708-225-2350
>
> F: 708-943-9015
>
>
>
>
>
>
>
> --
> The pages accompanying this email transmission contain information from
> MJMC, Inc., which
> is confidential and/or privileged. The information is to be for the use of
> the individual
> or entity named on this cover sheet. If you are not the intended recipient,
> you are
> hereby notified that any disclosure, dissemination, distribution, or copying
> of this
> communication is strictly prohibited. If you received this transmission in
> error, please
> immediately notify us by telephone so that we can arrange for the retrieval
> of the original
> document.
>




Re: NTFS Permissions Questions

2010-03-19 Thread Steven Peck
What Charlie said.  We will create a group for every share.  Even if
it's one user.  In general, we will not drill down and create custom
file level permissions below the top level.  It has prevented ever so
many problems.  Also we can offload add/removes to the accounts admin
group.  Managers fill out a form requesting access, they grant it.

On Fri, Mar 19, 2010 at 9:39 AM, Charlie Kaiser wrote:
> Users into domain groups, folders permissioned with local groups, local
> groups have the domain groups added. Having a user be a member of 10-20
> groups is no big deal.
>
> So folder A will have two local groups permissioned on it; foldernameRW
> and foldernameRO. The required domain security groups are then added to one
> of those two local groups. That way you also only have two local groups
> permed on the folder.
>
> Doing it this way means you never have to reapply permissions to the file
> structure, just change group memberships.
>
> I've also used ABE (access-based enumeration) to limit what people can see
> in that folder structure.
>
> ***
> Charlie Kaiser
> charl...@golden-eagle.org
> Kingman, AZ
> ***
>
>> -Original Message-
>> From: Jason Morris [mailto:jmor...@mjmc.com]
>> Sent: Friday, March 19, 2010 6:57 AM
>> To: NT System Admin Issues
>> Subject: NTFS Permissions Questions
>>
>> I'm looking at cleaning up some of our more ornery areas and
>> want to know if anybody has some opinions/real world
>> experience they'd be willing to share. From my perspective
>> everything is working ok speed-wise but I want to know what
>> other people are doing.
>>
>>
>>
>> We have a series of folders in one share that not all users
>> with access to the share will be utilizing. Some will have
>> "Folder A / Folder B / and Folder C" but not "Folder D /
>> Folder E / and Folder F". And others will be mixing and matching.
>>
>>
>>
>> I prefer to give groups permissions to the folders and put
>> the users in the groups. But this might mean there will be 10
>> groups on Folder A. This might also mean User George will be
>> a member of 20 groups. This is how I have it now and it's
>> working ok speed-wise. (it's ornery because we've had
>> requests here and there for individuals to access a folder
>> and we've had to tweak security for the individual user)
>>
>>
>>
>> Is it better/faster to have groups checked in the ACL or have
>> it some other way?
>>
>>
>>
>> Inquiring minds want to know.



RE: NTFS Permissions Questions

2010-03-19 Thread Charlie Kaiser
Users into domain groups, folders permissioned with local groups, local
groups have the domain groups added. Having a user be a member of 10-20
groups is no big deal.

So folder A will have two local groups permissioned on it; foldernameRW
and foldernameRO. The required domain security groups are then added to one
of those two local groups. That way you also only have two local groups
permed on the folder.

Doing it this way means you never have to reapply permissions to the file
structure, just change group memberships.

I've also used ABE (access-based enumeration) to limit what people can see
in that folder structure.

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***  

> -Original Message-
> From: Jason Morris [mailto:jmor...@mjmc.com] 
> Sent: Friday, March 19, 2010 6:57 AM
> To: NT System Admin Issues
> Subject: NTFS Permissions Questions
> 
> I'm looking at cleaning up some of our more ornery areas and 
> want to know if anybody has some opinions/real world 
> experience they'd be willing to share. From my perspective 
> everything is working ok speed-wise but I want to know what 
> other people are doing.
> 
>  
> 
> We have a series of folders in one share that not all users 
> with access to the share will be utilizing. Some will have 
> "Folder A / Folder B / and Folder C" but not "Folder D / 
> Folder E / and Folder F". And others will be mixing and matching.
> 
>  
> 
> I prefer to give groups permissions to the folders and put 
> the users in the groups. But this might mean there will be 10 
> groups on Folder A. This might also mean User George will be 
> a member of 20 groups. This is how I have it now and it's 
> working ok speed-wise. (it's ornery because we've had 
> requests here and there for individuals to access a folder 
> and we've had to tweak security for the individual user)
> 
>  
> 
> Is it better/faster to have groups checked in the ACL or have 
> it some other way?
> 
>  
> 
> Inquiring minds want to know.
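The layout Kurt Buff describes earlier in this thread (Read on the share root for Domain Users, "This Folder Only"; one RO and one RW group per directory, applied to "This Folder, Subfolders and Files") can be applied and then checked for stray per-user entries as below. This is an added example, not code from any poster: the domain name EXAMPLE, the local path D:\share and the function names are assumptions, share-level permissions are assumed to be set already, and for Charlie Kaiser's variant above the two identities per folder would be server-local groups holding the domain groups.

```powershell
# Added example, not from the thread. Every name below is a placeholder.
$Domain    = 'EXAMPLE'      # placeholder NetBIOS domain name
$ShareRoot = 'D:\share'     # assumed local path behind \\fileserver\share
# Directory name -> group name prefix, following the naming in Kurt's post.
$Layout = @{
    'dir1' = 'FileserverShareDir1'
    'dir2' = 'FileserverShareDir2'
}

function Add-FolderAce {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    # InheritanceFlags None                           = "This Folder Only"
    # InheritanceFlags ContainerInherit,ObjectInherit = "This Folder, Subfolders and Files"
    $ruleArgs = $Identity, $Rights, $Inherit, 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl  = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedAce {
    # Lists explicit (non-inherited) ACEs whose trustee is not one of the
    # expected groups, i.e. the one-off per-user tweaks the original question
    # describes as making the structure "ornery".
    param([string]$Path, [string[]]$Expected)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and ($Expected -notcontains $_.IdentityReference.Value) } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, AccessControlType
}

# Share root: Domain Users can list the root but nothing flows down from this ACE.
Add-FolderAce -Path $ShareRoot -Identity "$Domain\Domain Users" -Rights Read -Inherit None

foreach ($dir in $Layout.Keys) {
    $path = Join-Path $ShareRoot $dir
    $ro   = "$Domain\$($Layout[$dir])-RO"
    $rw   = "$Domain\$($Layout[$dir])-RW"

    Add-FolderAce -Path $path -Identity $ro -Rights Read   -Inherit 'ContainerInherit, ObjectInherit'
    Add-FolderAce -Path $path -Identity $rw -Rights Modify -Inherit 'ContainerInherit, ObjectInherit'

    # Anything reported here was granted outside the group model.
    Get-UnexpectedAce -Path $path -Expected $ro, $rw
}
```

Once the ACEs are in place, access changes are made by editing group membership only, and the Get-UnexpectedAce output should stay empty.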


Re: NTFS Permissions Questions

2010-03-19 Thread Andrew S. Baker
That's how I do it.

Users in groups, and groups with the necessary perms.

Makes it easy when users change roles, or roles change entitlements.

-ASB: http://XeeSM.com/AndrewBaker


On Fri, Mar 19, 2010 at 9:57 AM, Jason Morris  wrote:

>  I’m looking at cleaning up some of our more ornery areas and want to know
> if anybody has some opinions/real world experience they’d be willing to
> share. From my perspective everything is working ok speed-wise but I want to
> know what other people are doing.
>
>
>
> We have a series of folders in one share that not all users with access to
> the share will be utilizing. Some will have “Folder A / Folder B / and
> Folder C” but not “Folder D / Folder E / and Folder F”. And others will be
> mixing and matching.
>
>
>
> I prefer to give groups permissions to the folders and put the users in the
> groups. But this might mean there will be 10 groups on Folder A. This might
> also mean User George will be a member of 20 groups. This is how I have it
> now and it’s working ok speed-wise. (it’s ornery because we’ve had requests
> here and there for individuals to access a folder and we’ve had to tweak
> security for the individual user)
>
>
>
> Is it better/faster to have groups checked in the ACL or have it some other
> way?
>
>
>
> Inquiring minds want to know.

NTFS Permissions Questions

2010-03-19 Thread Jason Morris
I'm looking at cleaning up some of our more ornery areas and want to know if 
anybody has some opinions/real world experience they'd be willing to share. 
From my perspective everything is working ok speed-wise but I want to know what 
other people are doing.

We have a series of folders in one share that not all users with access to the 
share will be utilizing. Some will have "Folder A / Folder B / and Folder C" 
but not "Folder D / Folder E / and Folder F". And others will be mixing and 
matching.

I prefer to give groups permissions to the folders and put the users in the 
groups. But this might mean there will be 10 groups on Folder A. This might 
also mean User George will be a member of 20 groups. This is how I have it now 
and it's working ok speed-wise. (it's ornery because we've had requests here 
and there for individuals to access a folder and we've had to tweak security 
for the individual user)

Is it better/faster to have groups checked in the ACL or have it some other way?

Inquiring minds want to know.
--
Jason Morris
MJMC, Inc.
P: 708-225-2350
F: 708-943-9015



Re: Users Setting NTFS Permissions

2010-01-14 Thread Kurt Buff
I run a nightly job that reports on file/directory permissions on the
file server, and emails me the diff.  It uses fileacl.exe and
blat.exe.

It's really interesting to see what folks do sometimes...

Kurt

On Thu, Jan 14, 2010 at 05:50, Erik Goldoff  wrote:
> Bill, I've seen firsthand where someone sets their own folder's NTFS
> permissions and excludes all the system privileges for admin, backup, etc
> ... and it doesn't really become known without the time to do constant
> reviews of the permissions ( not likely ) *OR* when the user has a problem
> and wants their files restored from backup, which they excluded by their
> NTFS settings ... sometimes preventing end users from setting permissions
> helps to keep them from shooting themselves in the foot, and if the data
> loss is strategic, it can impact more than just that user.
>
> On Wed, Jan 13, 2010 at 6:23 PM, Bill Songstad  wrote:
>>
>> I'm curious why you are concerned that an employee empowered to create a
>> folder in your domain should not be allowed to set access rights to it.  Why
>> disallow them the ability to control access if you as a domain admin can
>> seize control if need be?
>>
>> It's not like the everyone group includes anyone not in an existing
>> domain security group.  It's not like NT or W2K where the everyone
>> group included the anonymous group.  It's only authenticated domain users
>> (and maybe machines).
>>
>> If this is a case where an employee might share confidential information
>> with those who should not see it, well that is a behavior/training issue,
>> because if they want to share that info, locking their ability to set acls
>> on that folder is not going to prevent them.
>>
>> Bill
>>
>> On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham  wrote:
>>>
>>> We have a Windows 2008 Domain whereby we control access to folders
>>> stored on one of the domain controllers through Active Directory
>>> groups.  When a new folder is created on the network file server, we
>>> grant full permissions to the associated active directory group with the
>>> exception of the ability to set and change permissions.
>>>
>>> We just discovered that a user can grant permissions to any folder that
>>> they create under the primary folder because they are the folder
>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>> in the world would I keep up with this.  I've no idea when a user might
>>> create a sub folder.  I stumbled upon the problem because I found a
>>> folder whereby a user had granted the everyone group full rights.  I
>>> knew none of the domain admins would do that.  After talking with the
>>> owner of the folder, I found out he's been doing it all along.
>>>
>>> Wow!  This is a real problem for us because we want to control access
>>> through groups.  This one user had shared a bunch of folders using
>>> individual names.  Plus, he had no clue what he was doing and just
>>> granted everyone full rights.
>>>
>>> How in the world do you guys handle this?  Am I missing something?
>>>
>>> Thanks, Terri
>>>
>
>
>
>
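
The nightly permissions report Kurt describes above, sketched in PowerShell as an added example; it is not his fileacl.exe/blat.exe job and not code from the list. The share root, state folder, mail settings and both principal lists are assumptions, and on top of the diff it flags the three conditions raised in this thread: folders owned by ordinary users, explicit broad grants that include permission-changing rights, and folders where admin or backup access has been removed.

```powershell
#requires -Version 3.0
# Added example: nightly NTFS ACL snapshot, diff and review flags.
# Every default below is an assumption; adjust for your own file server.
param(
    [string]$Root       = 'D:\Shares\Projects',
    [string]$StateDir   = 'C:\AclAudit',
    [string[]]$Admins   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'),
    [string[]]$Broad    = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'),
    [string]$SmtpServer = '',   # leave empty to skip the e-mail step
    [string]$MailTo     = 'fileserver-admins@example.invalid',
    [string]$MailFrom   = 'acl-audit@example.invalid'
)

$GENERIC_ALL = 0x10000000
$ControlMask = 0x00040000 -bor 0x00080000 -bor $GENERIC_ALL   # WRITE_DAC, WRITE_OWNER, GENERIC_ALL
$FullControl = 0x001F01FF

function Get-FolderAcl {
    # One object per folder: path, owner and the raw ACE list.
    param([string]$Path)
    $dirs = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop
            [pscustomobject]@{ Path = $d.FullName; Owner = $acl.Owner; Aces = @($acl.Access) }
        } catch {
            # The audit account cannot read the ACL: usually admins were removed from it.
            [pscustomobject]@{ Path = $d.FullName; Owner = '<unreadable>'; Aces = @() }
        }
    }
}

function ConvertTo-AclLine {
    # Stable one-line-per-ACE text form, so two nights can be compared line by line.
    param($Entry)
    '{0}|OWNER|{1}' -f $Entry.Path, $Entry.Owner
    foreach ($a in $Entry.Aces) {
        '{0}|{1}|{2}|{3}|inherited={4}' -f $Entry.Path, $a.IdentityReference.Value,
            $a.AccessControlType, $a.FileSystemRights, $a.IsInherited
    }
}

function Get-AclFinding {
    # Simplification: Deny ACEs and inherit-only flags are not evaluated.
    param($Entry)
    if ($Entry.Owner -eq '<unreadable>') { "UNREADABLE  $($Entry.Path)"; return }
    if ($Admins -notcontains $Entry.Owner) { "USER-OWNED  $($Entry.Path) (owner: $($Entry.Owner))" }
    foreach ($a in $Entry.Aces) {
        # Report a broad grant only where it was set, not on every child that inherits it.
        if ($a.AccessControlType -ne 'Allow' -or $a.IsInherited) { continue }
        $who = $a.IdentityReference.Value
        if (($Broad -contains $who) -and (([int]$a.FileSystemRights -band $ControlMask) -ne 0)) {
            "BROAD-GRANT $($Entry.Path) ($who : $($a.FileSystemRights))"
        }
    }
    foreach ($p in $Admins) {
        $full = $Entry.Aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $p -and
            ((([int]$_.FileSystemRights -band $FullControl) -eq $FullControl) -or
             (([int]$_.FileSystemRights -band $GENERIC_ALL) -ne 0))
        }
        if (-not $full) { "NO-ADMIN    $($Entry.Path) ($p lacks Full Control)" }
    }
}

if (-not (Test-Path -LiteralPath $StateDir)) { New-Item -ItemType Directory -Path $StateDir | Out-Null }
$current  = Join-Path $StateDir 'acl-current.txt'
$previous = Join-Path $StateDir 'acl-previous.txt'
if (Test-Path -LiteralPath $current) { Move-Item -LiteralPath $current -Destination $previous -Force }

$entries = @(Get-FolderAcl -Path $Root)
$entries | ForEach-Object { ConvertTo-AclLine $_ } | Sort-Object |
    Set-Content -LiteralPath $current -Encoding UTF8

$report = @(
    if (Test-Path -LiteralPath $previous) {
        Compare-Object @(Get-Content -LiteralPath $previous) @(Get-Content -LiteralPath $current) |
            ForEach-Object {
                '{0} {1}' -f $(if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }), $_.InputObject
            }
    }
    # Findings repeat every night until the folder is fixed; the diff lines show only changes.
    $entries | ForEach-Object { Get-AclFinding $_ }
)

if ($report.Count -gt 0) {
    $reportFile = Join-Path $StateDir ('acl-report-{0:yyyyMMdd}.txt' -f (Get-Date))
    Set-Content -LiteralPath $reportFile -Value $report -Encoding UTF8
    if ($SmtpServer) {
        Send-MailMessage -SmtpServer $SmtpServer -To $MailTo -From $MailFrom `
            -Subject "NTFS ACL report for $Root" -Body ($report -join "`r`n")
    }
}
```

Run it as a scheduled task under an account that can read every folder's ACL; a folder that account cannot read is reported as UNREADABLE rather than skipped.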




Re: Users Setting NTFS Permissions

2010-01-14 Thread Terri Esham
That's perfect.

Thanks, Terri

Miller Bonnie L. said the following on 1/14/2010 11:08 AM:
>
> Have you considered removing the security tab via gpo?  We use this
> for students.
>
>  
>
> \User configuration\Administrative Templates\Windows
> Components\Windows Explorer
>
> Remove Security Tab
>
>  
>
> -Bonnie
>
>  
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Thursday, January 14, 2010 6:28 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Users Setting NTFS Permissions
>
>  
>
> That's an interesting point, I forgot about the cumulative effects of
> share and NTFS permissions. I always leave the share permissions as
> Everyone:Full so that everything is controlled by NTFS. It's one less
> place to look when you are troubleshooting an access issue.
>
> I might run some tests on the combination of share and NTFS and see if
> it works any different.
>
> 2010/1/14 Andrew S. Baker <asbz...@gmail.com>
>
> What share rights do your users have?
>
> If your users have share rights of CHANGE and only administrators have
> share rights of FULL CONTROL, this problem should be averted, as the
> combination of file & share perms would prevent the problem being
> addressed here.
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Providing Competitive Advantage through Effective IT Leadership*
>
>  
>
> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin <kz2...@googlemail.com> wrote:
>
> It behaves exactly the same (for me anyway) after the permissions
> are removed - creating user is named as owner on the security tab
> and has the appropriate permissions rights to go with it. And
> after setting the owner with subinacl. Digging around in all this
> is making me glad I've set the security tab to hidden. I'm
> considering running the subinacl command as a scheduled task as
> well, as I can see multiple owners on parts of my data structure.
>
>  
>
> 2010/1/13 <asbz...@gmail.com>
>
> What about users who create folders after the permissions are
> removed?
>
> You have to do it from the very beginning, or manually reset
> the perms after the fact as Jonathan has indicated earlier.
>
> There is a special set of rights that are implicitly granted,
> but the removal of Creator/Owner should address that.
>
> I'll test it later today to verify.
>
>  
>
> Sent from my Verizon Wireless BlackBerry
>
> 
> --------
>
> *From: *James Rankin <kz2...@googlemail.com>
>
> *Date: *Wed, 13 Jan 2010 16:16:07 +
>
> *To: *NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
>
> *Subject: *Re: Users Setting NTFS Permissions
>
>  
>
> Hmmm... I've removed it and it is still listing users who
> have created folders as the owner. It's definitely not on the
> ACL...
>
> 2010/1/13 <asbz...@gmail.com>
>
> Creator/Owner is inherited and can be removed easily
> enough. Far easier to maintain.
>
> Sent from my Verizon Wireless BlackBerry
>
> 
> 
>
> *From: *James Rankin <kz2...@googlemail.com>
>
> *Date: *Wed, 13 Jan 2010 13:20:52 +
>
> *To: *NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
>
> *Subject: *Re: Users Setting NTFS Permissions
>
>  
>
> I normally just give the groups RWXD, but the Creator
> Owner privilege appears by default on newly created
> folders. Without removing the ability to create folders
> and/or run subinacl scripts to take ownership, I find
> removing the GUI to change the permissions is the easiest
> option.
>
> 2010/1/13 Jonathan Link <jonathan.l...@gmail.com>
>
> Isn't that just obfuscation?  I thought the ability to
> change permissions was granted by the Full Control
> right.  If that's the case, pull Creator/Owner Full
> control from your file system and reassign permissions
> accordingly.
>
>

Re: Users Setting NTFS Permissions

2010-01-14 Thread James Rankin
hehe... I still do it the hardcore NT4 way - but I use a GPO to achieve it.

I clearly need to move into the 21st century. I didn't even know that GP
setting existed.

Cheers,


2010/1/14 Miller Bonnie L. 

>  Have you considered removing the security tab via gpo?  We use this for
> students.
>
>
>
> \User configuration\Administrative Templates\Windows Components\Windows
> Explorer
>
> Remove Security Tab
>
>
>
> -Bonnie
>
>
>
> *From:* James Rankin [mailto:kz2...@googlemail.com]
> *Sent:* Thursday, January 14, 2010 6:28 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Users Setting NTFS Permissions
>
>
>
> That's an interesting point, I forgot about the cumulative effects of share
> and NTFS permissions. I always leave the share permissions as Everyone:Full
> so that everything is controlled by NTFS. It's one less place to look when
> you are troubleshooting an access issue.
>
> I might run some tests on the combination of share and NTFS and see if it
> works any different.
>
> 2010/1/14 Andrew S. Baker 
>
> What share rights do your users have?
>
> If your users have share rights of CHANGE and only administrators have
> share rights of FULL CONTROL, this problem should be averted, as the
> combination of file & share perms would prevent the problem being addressed
> here.
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Providing Competitive Advantage through Effective IT Leadership*
>
>
>
> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin 
> wrote:
>
>  It behaves exactly the same (for me anyway) after the permissions are
> removed - creating user is named as owner on the security tab and has the
> appropriate permissions rights to go with it. And after setting the owner
> with subinacl. Digging around in all this is making me glad I've set the
> security tab to hidden. I'm considering running the subinacl command as a
> scheduled task as well, as I can see multiple owners on parts of my data
> structure.
>
>
>
> 2010/1/13 
>
>  What about users who create folders after the permissions are removed?
>
> You have to do it from the very beginning, or manually reset the perms
> after the fact as Jonathan has indicated earlier.
>
> There is a special set of rights that are implicitly granted, but the
> removal of Creator/Owner should address that.
>
> I'll test it later today to verify.
>
>
>
> Sent from my Verizon Wireless BlackBerry
>  --
>
> *From: *James Rankin 
>
> *Date: *Wed, 13 Jan 2010 16:16:07 +
>
> *To: *NT System Admin Issues
>
> *Subject: *Re: Users Setting NTFS Permissions
>
>
>
> Hmmm... I've removed it and it is still listing users who have created
> folders as the owner. It's definitely not on the ACL...
>
> 2010/1/13 
>
>  Creator/Owner is inherited and can be removed easily enough. Far easier
> to maintain.
>
> Sent from my Verizon Wireless BlackBerry
>  --
>
> *From: *James Rankin 
>
> *Date: *Wed, 13 Jan 2010 13:20:52 +
>
> *To: *NT System Admin Issues
>
> *Subject: *Re: Users Setting NTFS Permissions
>
>
>
> I normally just give the groups RWXD, but the Creator Owner privilege
> appears by default on newly created folders. Without removing the ability to
> create folders and/or run subinacl scripts to take ownership, I find
> removing the GUI to change the permissions is the easiest option.
>
> 2010/1/13 Jonathan Link 
>
>  Isn't that just obfuscation?  I thought the ability to change permissions
> was granted by the Full Control right.  If that's the case, pull
> Creator/Owner Full control from your file system and reassign permissions
> accordingly.
>
>
>
> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin 
> wrote:
>
>  Prevent access to the rshx32.dll file on all your workstations and
> servers to Administrators and System only. You can do this with a GPO. The
> user can't access the security tab then and can't change permissions. Unless
> they know how to use cacls. You could lock the permissions on that file as
> well through Group Policy.
>
> 2010/1/13 Terri Esham 
>
>
>
> We have a Windows 2008 Domain whereby we control access to folders
> stored on one of the domain controllers through Active Directory
> groups.  When a new folder is created on the network file server, we
> grant full permissions to the associated active directory group with the
> exception of the ability to set and change permissions.
>
> We just discovered that a user can grant permissions to any folder that
> they create under the primary fold

RE: Users Setting NTFS Permissions

2010-01-14 Thread Miller Bonnie L .
Have you considered removing the security tab via gpo?  We use this for 
students.

\User configuration\Administrative Templates\Windows Components\Windows Explorer
Remove Security Tab

-Bonnie

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, January 14, 2010 6:28 AM
To: NT System Admin Issues
Subject: Re: Users Setting NTFS Permissions

That's an interesting point, I forgot about the cumulative effects of share and 
NTFS permissions. I always leave the share permissions as Everyone:Full so that 
everything is controlled by NTFS. It's one less place to look when you are 
troubleshooting an access issue.

I might run some tests on the combination of share and NTFS and see if it works 
any different.
2010/1/14 Andrew S. Baker <asbz...@gmail.com>
What share rights do your users have?

If your users have share rights of CHANGE and only administrators have share 
rights of FULL CONTROL, this problem should be averted, as the combination of 
file & share perms would prevent the problem being addressed here.

ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker>
Providing Competitive Advantage through Effective IT Leadership

On Wed, Jan 13, 2010 at 11:57 AM, James Rankin <kz2...@googlemail.com> wrote:
It behaves exactly the same (for me anyway) after the permissions are removed - 
creating user is named as owner on the security tab and has the appropriate 
permissions rights to go with it. And after setting the owner with subinacl. 
Digging around in all this is making me glad I've set the security tab to 
hidden. I'm considering running the subinacl command as a scheduled task as 
well, as I can see multiple owners on parts of my data structure.

2010/1/13 <asbz...@gmail.com>
What about users who create folders after the permissions are removed?

You have to do it from the very beginning, or manually reset the perms after 
the fact as Jonathan has indicated earlier.

There is a special set of rights that are implicitly granted, but the removal 
of Creator/Owner should address that.

I'll test it later today to verify.


Sent from my Verizon Wireless BlackBerry


From: James Rankin <kz2...@googlemail.com>
Date: Wed, 13 Jan 2010 16:16:07 +
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: Users Setting NTFS Permissions

Hmmm... I've removed it and it is still listing users who have created folders 
as the owner. It's definitely not on the ACL...
2010/1/13 <asbz...@gmail.com>
Creator/Owner is inherited and can be removed easily enough. Far easier to 
maintain.

Sent from my Verizon Wireless BlackBerry


From: James Rankin <kz2...@googlemail.com>
Date: Wed, 13 Jan 2010 13:20:52 +
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: Re: Users Setting NTFS Permissions

I normally just give the groups RWXD, but the Creator Owner privilege appears 
by default on newly created folders. Without removing the ability to create 
folders and/or run subinacl scripts to take ownership, I find removing the GUI 
to change the permissions is the easiest option.
2010/1/13 Jonathan Link <jonathan.l...@gmail.com>
Isn't that just obfuscation?  I thought the ability to change permissions was 
granted by the Full Control right.  If that's the case, pull Creator/Owner Full 
control from your file system and reassign permissions accordingly.

On Wed, Jan 13, 2010 at 7:11 AM, James Rankin <kz2...@googlemail.com> wrote:
Prevent access to the rshx32.dll file on all your workstations and servers to 
Administrators and System only. You can do this with a GPO. The user can't 
access the security tab then and can't change permissions. Unless they know how 
to use cacls. You could lock the permissions on that file as well through Group 
Policy.
2010/1/13 Terri Esham <terri.es...@noaa.gov>

We have a Windows 2008 Domain whereby we control access to folders
stored on one of the domain controllers through Active Directory
groups.  When a new folder is created on the network file server, we
grant full permissions to the associated active directory group with the
exception of the ability to set and change permissions.

We just discovered that a user can grant permissions to any folder that
they create under the primary folder because they are the folder
owner.   Obviously, I can change ownership to the domain admin, but how
in the world would I keep up with this.  I've no idea when a user might
create a sub folder.  I stumbled upon the problem because I found a
folder whereby a user had granted the everyone group full rights.  I
knew none of the domain admins would do that.  After talking with the
owner of the folder, I found out he's been doing it all along.

Wow!  This is a real problem f

Re: Users Setting NTFS Permissions

2010-01-14 Thread Andrew S. Baker
Nope, I have long been a proponent of appropriate rights at all levels.
Yes, it's one more place to check, but one less reason to need to.

http://KB.UltraTech-llc.com/?File=Perms.TXT

-ASB: http://XeeSM.com/AndrewBaker



On Thu, Jan 14, 2010 at 9:27 AM, James Rankin  wrote:

> That's an interesting point, I forgot about the cumulative effects of share
> and NTFS permissions. I always leave the share permissions as Everyone:Full
> so that everything is controlled by NTFS. It's one less place to look when
> you are troubleshooting an access issue.
>
> I might run some tests on the combination of share and NTFS and see if it
> works any different.
>
> 2010/1/14 Andrew S. Baker 
>
>> What share rights do your users have?
>>
>> If your users have share rights of CHANGE and only administrators have
>> share rights of FULL CONTROL, this problem should be averted, as the
>> combination of file & share perms would prevent the problem being addressed
>> here.
>>
>> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
>> *Providing Competitive Advantage through Effective IT Leadership*
>>
>>
>>
>> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin wrote:
>>
>>> It behaves exactly the same (for me anyway) after the permissions are
>>> removed - creating user is named as owner on the security tab and has the
>>> appropriate permissions rights to go with it. And after setting the owner
>>> with subinacl. Digging around in all this is making me glad I've set the
>>> security tab to hidden. I'm considering running the subinacl command as a
>>> scheduled task as well, as I can see multiple owners on parts of my data
>>> structure.
>>>
>>>
>>> 2010/1/13 
>>>
>>>>  What about users who create folders after the permissions are removed?
>>>>
>>>> You have to do it from the very beginning, or manually reset the perms
>>>> after the fact as Jonathan has indicated earlier.
>>>>
>>>> There is a special set of rights that are implicitly granted, but the
>>>> removal of Creator/Owner should address that.
>>>>
>>>> I'll test it later today to verify.
>>>>
>>>>
>>>> Sent from my Verizon Wireless BlackBerry
>>>> --
>>>> *From: * James Rankin 
>>>> *Date: *Wed, 13 Jan 2010 16:16:07 +
>>>> *To: *NT System Admin Issues
>>>> *Subject: *Re: Users Setting NTFS Permissions
>>>>
>>>> Hmmm... I've removed it and it is still listing users who have created
>>>> folders as the owner. It's definitely not on the ACL...
>>>>
>>>> 2010/1/13 
>>>>
>>>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>>>> to maintain.
>>>>>
>>>>> Sent from my Verizon Wireless BlackBerry
>>>>> --
>>>>> *From: * James Rankin 
>>>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>>>> *To: *NT System Admin Issues
>>>>> *Subject: *Re: Users Setting NTFS Permissions
>>>>>
>>>>> I normally just give the groups RWXD, but the Creator Owner privilege
>>>>> appears by default on newly created folders. Without removing the ability to
>>>>> create folders and/or run subinacl scripts to take ownership, I find
>>>>> removing the GUI to change the permissions is the easiest option.
>>>>>
>>>>> 2010/1/13 Jonathan Link 
>>>>>
>>>>>> Isn't that just obfuscation?  I thought the ability to change
>>>>>> permissions was granted by the Full Control right.  If that's the case, pull
>>>>>> Creator/Owner Full control from your file system and reassign permissions
>>>>>> accordingly.
>>>>>>
>>>>>>
>>>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin 
>>>>>> wrote:
>>>>>>
>>>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>>>>> user can't access the security tab then and can't change permissions. Unless
>>>>>>> they know how to use cacls. You could lock the perm

Re: Users Setting NTFS Permissions

2010-01-14 Thread James Rankin
That's an interesting point, I forgot about the cumulative effects of share
and NTFS permissions. I always leave the share permissions as Everyone:Full
so that everything is controlled by NTFS. It's one less place to look when
you are troubleshooting an access issue.

I might run some tests on the combination of share and NTFS and see if it
works any different.

2010/1/14 Andrew S. Baker 

> What share rights do your users have?
>
> If your users have share rights of CHANGE and only administrators have
> share rights of FULL CONTROL, this problem should be averted, as the
> combination of file & share perms would prevent the problem being addressed
> here.
>
> *ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Providing Competitive Advantage through Effective IT Leadership*
>
>
>
> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin wrote:
>
>> It behaves exactly the same (for me anyway) after the permissions are
>> removed - creating user is named as owner on the security tab and has the
>> appropriate permissions rights to go with it. And after setting the owner
>> with subinacl. Digging around in all this is making me glad I've set the
>> security tab to hidden. I'm considering running the subinacl command as a
>> scheduled task as well, as I can see multiple owners on parts of my data
>> structure.
>>
>>
>> 2010/1/13 
>>
>>> What about users who create folders after the permissions are removed?
>>>
>>> You have to do it from the very beginning, or manually reset the perms
>>> after the fact as Jonathan has indicated earlier.
>>>
>>> There is a special set of rights that are implicitly granted, but the
>>> removal of Creator/Owner should address that.
>>>
>>> I'll test it later today to verify.
>>>
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>> --
>>> *From: * James Rankin 
>>> *Date: *Wed, 13 Jan 2010 16:16:07 +
>>> *To: *NT System Admin Issues
>>> *Subject: *Re: Users Setting NTFS Permissions
>>>
>>> Hmmm... I've removed it and it is still listing users who have created
>>> folders as the owner. It's definitely not on the ACL...
>>>
>>> 2010/1/13 
>>>
>>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>>> to maintain.
>>>>
>>>> Sent from my Verizon Wireless BlackBerry
>>>> --
>>>> *From: * James Rankin 
>>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>>> *To: *NT System Admin Issues
>>>> *Subject: *Re: Users Setting NTFS Permissions
>>>>
>>>> I normally just give the groups RWXD, but the Creator Owner privilege
>>>> appears by default on newly created folders. Without removing the ability to
>>>> create folders and/or run subinacl scripts to take ownership, I find
>>>> removing the GUI to change the permissions is the easiest option.
>>>>
>>>> 2010/1/13 Jonathan Link 
>>>>
>>>>> Isn't that just obfuscation?  I thought the ability to change
>>>>> permissions was granted by the Full Control right.  If that's the case, pull
>>>>> Creator/Owner Full control from your file system and reassign permissions
>>>>> accordingly.
>>>>>
>>>>>
>>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin 
>>>>> wrote:
>>>>>
>>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>>>> user can't access the security tab then and can't change permissions. Unless
>>>>>> they know how to use cacls. You could lock the permissions on that file as
>>>>>> well through Group Policy.
>>>>>>
>>>>>> 2010/1/13 Terri Esham 
>>>>>>
>>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>>> stored on one of the domain controllers through Active Directory
>>>>>>> groups.  When a new folder is created on the network file server, we
>>>>>>> grant full permissions to the associated active directory group with
>>>>>>> the
>>>>>>> exception of th

Re: Users Setting NTFS Permissions

2010-01-14 Thread Andrew S. Baker
+5

*ASB *(My XeeSM Profile) 
*Providing Competitive Advantage through Effective IT Leadership*


On Thu, Jan 14, 2010 at 8:50 AM, Erik Goldoff  wrote:

> Bill, I've seen firsthand where someone sets their own folder's NTFS
> permissions and excludes all the system privileges for admin, backup, etc
> ... and it doesn't really become known without the time to do constant
> reviews of the permissions ( not likely ) *OR* when the user has a problem
> and wants their files restored from backup, which they excluded by their
> NTFS settings ... sometimes preventing end users from setting permissions
> helps to keep them from shooting themselves in the foot, and if the data
> loss is strategic, it can impact more than just that user.
>
> On Wed, Jan 13, 2010 at 6:23 PM, Bill Songstad wrote:
>
>> I'm curious why you are concerned that an employee empowered to create a
>> folder in your domain should not be allowed to set access rights to it.  Why
>> disallow them the ability to control access if you as a domain admin can
>> seize control if need be?
>>
>> It's not like the everyone group includes anyone not in an existing
>> domain security group.  It's not like NT or W2K where the everyone
>> group included the anonymous group.  It's only authenticated domain users
>> (and maybe machines).
>>
>> If this is a case where an employee might share confidential information
>> with those who should not see it, well that is a behavior/training issue,
>> because if they want to share that info, locking their ability to set acls
>> on that folder is not going to prevent them.
>>
>> Bill
>>
>> On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham wrote:
>>
>>> We have a Windows 2008 Domain whereby we control access to folders
>>> stored on one of the domain controllers through Active Directory
>>> groups.  When a new folder is created on the network file server, we
>>> grant full permissions to the associated active directory group with the
>>> exception of the ability to set and change permissions.
>>>
>>> We just discovered that a user can grant permissions to any folder that
>>> they create under the primary folder because they are the folder
>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>> in the world would I keep up with this.  I've no idea when a user might
>>> create a sub folder.  I stumbled upon the problem because I found a
>>> folder whereby a user had granted the everyone group full rights.  I
>>> knew none of the domain admins would do that.  After talking with the
>>> owner of the folder, I found out he's been doing it all along.
>>>
>>> Wow!  This is a real problem for us because we want to control access
>>> through groups.  This one user had shared a bunch of folders using
>>> individual names.  Plus, he had no clue what he was doing and just
>>> granted everyone full rights.
>>>
>>> How in the world do you guys handle this?  Am I missing something?
>>>
>>> Thanks, Terri
>>>
>>>
>>
>>


Re: Users Setting NTFS Permissions

2010-01-14 Thread Andrew S. Baker
What share rights do your users have?

If your users have share rights of CHANGE and only administrators have share
rights of FULL CONTROL, this problem should be averted, as the combination
of file & share perms would prevent the problem being addressed here.

*ASB *(My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Providing Competitive Advantage through Effective IT Leadership*



On Wed, Jan 13, 2010 at 11:57 AM, James Rankin wrote:

> It behaves exactly the same (for me anyway) after the permissions are
> removed - creating user is named as owner on the security tab and has the
> appropriate permissions rights to go with it. And after setting the owner
> with subinacl. Digging around in all this is making me glad I've set the
> security tab to hidden. I'm considering running the subinacl command as a
> scheduled task as well, as I can see multiple owners on parts of my data
> structure.
>
>
> 2010/1/13 
>
>> What about users who create folders after the permissions are removed?
>>
>> You have to do it from the very beginning, or manually reset the perms
>> after the fact as Jonathan has indicated earlier.
>>
>> There is a special set of rights that are implicitly granted, but the
>> removal of Creator/Owner should address that.
>>
>> I'll test it later today to verify.
>>
>>
>> Sent from my Verizon Wireless BlackBerry
>> --
>> *From: * James Rankin 
>> *Date: *Wed, 13 Jan 2010 16:16:07 +
>> *To: *NT System Admin Issues
>> *Subject: *Re: Users Setting NTFS Permissions
>>
>> Hmmm... I've removed it and it is still listing users who have created
>> folders as the owner. It's definitely not on the ACL...
>>
>> 2010/1/13 
>>
>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>> to maintain.
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>> --
>>> *From: * James Rankin 
>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>> *To: *NT System Admin Issues
>>> *Subject: *Re: Users Setting NTFS Permissions
>>>
>>> I normally just give the groups RWXD, but the Creator Owner privilege
>>> appears by default on newly created folders. Without removing the ability to
>>> create folders and/or run subinacl scripts to take ownership, I find
>>> removing the GUI to change the permissions is the easiest option.
>>>
>>> 2010/1/13 Jonathan Link 
>>>
>>>> Isn't that just obfuscation?  I thought the ability to change
>>>> permissions was granted by the Full Control right.  If that's the case, pull
>>>> Creator/Owner Full control from your file system and reassign permissions
>>>> accordingly.
>>>>
>>>>
>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>>
>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>>> user can't access the security tab then and can't change permissions. Unless
>>>>> they know how to use cacls. You could lock the permissions on that file as
>>>>> well through Group Policy.
>>>>>
>>>>> 2010/1/13 Terri Esham 
>>>>>
>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>> stored on one of the domain controllers through Active Directory
>>>>>> groups.  When a new folder is created on the network file server, we
>>>>>> grant full permissions to the associated active directory group with
>>>>>> the
>>>>>> exception of the ability to set and change permissions.
>>>>>>
>>>>>> We just discovered that a user can grant permissions to any folder
>>>>>> that
>>>>>> they create under the primary folder because they are the folder
>>>>>> owner.   Obviously, I can change ownership to the domain admin, but
>>>>>> how
>>>>>> in the world would I keep up with this.  I've no idea when a user
>>>>>> might
>>>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>>>> folder whereby a user had granted the everyone group full rights.  I
>>>>>> knew none of the domain admins would do t

Re: Users Setting NTFS Permissions

2010-01-14 Thread Erik Goldoff
Bill, I've seen firsthand where someone sets their own folder's NTFS
permissions and excludes all the system privileges for admin, backup, etc
... and it doesn't really become known without the time to do constant
reviews of the permissions ( not likely ) *OR* when the user has a problem
and wants their files restored from backup, which they excluded by their
NTFS settings ... sometimes preventing end users from setting permissions
helps to keep them from shooting themselves in the foot, and if the data
loss is strategic, it can impact more than just that user.

On Wed, Jan 13, 2010 at 6:23 PM, Bill Songstad  wrote:

> I'm curious why you are concerned that an employee empowered to create a
> folder in your domain should not be allowed to set access rights to it.  Why
> disallow them the ability to control access if you as a domain admin can
> seize control if need be?
>
> It's not like the everyone group includes anyone not in an existing
> domain security group.  It's not like NT or W2K where the everyone
> group included the anonymous group.  It's only authenticated domain users
> (and maybe machines).
>
> If this is a case where an employee might share confidential information
> with those who should not see it, well that is a behavior/training issue,
> because if they want to share that info, locking their ability to set acls
> on that folder is not going to prevent them.
>
> Bill
>
> On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham  wrote:
>
>> We have a Windows 2008 Domain whereby we control access to folders
>> stored on one of the domain controllers through Active Directory
>> groups.  When a new folder is created on the network file server, we
>> grant full permissions to the associated active directory group with the
>> exception of the ability to set and change permissions.
>>
>> We just discovered that a user can grant permissions to any folder that
>> they create under the primary folder because they are the folder
>> owner.   Obviously, I can change ownership to the domain admin, but how
>> in the world would I keep up with this.  I've no idea when a user might
>> create a sub folder.  I stumbled upon the problem because I found a
>> folder whereby a user had granted the everyone group full rights.  I
>> knew none of the domain admins would do that.  After talking with the
>> owner of the folder, I found out he's been doing it all along.
>>
>> Wow!  This is a real problem for us because we want to control access
>> through groups.  This one user had shared a bunch of folders using
>> individual names.  Plus, he had no clue what he was doing and just
>> granted everyone full rights.
>>
>> How in the world do you guys handle this?  Am I missing something?
>>
>> Thanks, Terri
>>

Re: Users Setting NTFS Permissions

2010-01-14 Thread Terri Esham
In addition to what has already been said.  What happens is someone in
the everyone group deletes, modifies, etc., a file they shouldn't and
then I spend the day restoring stuff.  Plus, when I was using a
migration tool to migrate files to another file server, it kept failing
because users had removed admin rights to the folder.  Just more work for
me that I don't need.

Terri

Bill Songstad said the following on 1/13/2010 6:23 PM:
> I'm curious why you are concerned that an employee empowered to create
> a folder in your domain should not be allowed to set access rights to
> it.  Why disallow them the ability to control access if you as a
> domain admin can seize control if need be? 
>  
> It's not like the everyone group includes anyone not in an existing
> domain security group.  It's not like NT or W2K where the everyone
> group included the anonymous group.  It's only authenticated domain
> users (and maybe machines).
>  
> If this is a case where an employee might share confidential
> information with those who should not see it, well that is a
> behavior/training issue, because if they want to share that info,
> locking their ability to set acls on that folder is not going to
> prevent them.
>  
> Bill
>
> On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham wrote:
>
> We have a Windows 2008 Domain whereby we control access to folders
> stored on one of the domain controllers through Active Directory
> groups.  When a new folder is created on the network file server, we
> grant full permissions to the associated active directory group
> with the exception of the ability to set and change permissions.
>
> We just discovered that a user can grant permissions to any folder
> that they create under the primary folder because they are the folder
> owner.   Obviously, I can change ownership to the domain admin,
> but how in the world would I keep up with this.  I've no idea when a user
> might create a sub folder.  I stumbled upon the problem because I found a
> folder whereby a user had granted the everyone group full rights.  I
> knew none of the domain admins would do that.  After talking with the
> owner of the folder, I found out he's been doing it all along.
>
> Wow!  This is a real problem for us because we want to control access
> through groups.  This one user had shared a bunch of folders using
> individual names.  Plus, he had no clue what he was doing and just
> granted everyone full rights.
>
> How in the world do you guys handle this?  Am I missing something?
>
> Thanks, Terri
>

Re: Users Setting NTFS Permissions

2010-01-14 Thread James Rankin
It's to stop casual clickers setting access rights on folders and sharing
them out with people they shouldn't accidentally, in my case. It could be
resolved via training, but at least I know with my approach that they can't
do it if they decide to disregard their training and mess about anyway. It's
all very well saying that users *shouldn't* do things and be trusted, but in
my experience, they seem to perversely enjoy doing what they aren't supposed
to. It's all very well to use HR to discipline them if you catch them out,
but then I've still got to clear up the mess, and I'd rather avoid it in the
first place. YMMV

2010/1/13 Bill Songstad 

> I'm curious why you are concerned that an employee empowered to create a
> folder in your domain should not be allowed to set access rights to it.  Why
> disallow them the ability to control access if you as a domain admin can
> seize control if need be?
>
> It's not like the everyone group includes anyone not in an existing
> domain security group.  It's not like NT or W2K where the everyone
> group included the anonymous group.  It's only authenticated domain users
> (and maybe machines).
>
> If this is a case where an employee might share confidential information
> with those who should not see it, well that is a behavior/training issue,
> because if they want to share that info, locking their ability to set acls
> on that folder is not going to prevent them.
>
> Bill
>
> On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham  wrote:
>
>> We have a Windows 2008 Domain whereby we control access to folders
>> stored on one of the domain controllers through Active Directory
>> groups.  When a new folder is created on the network file server, we
>> grant full permissions to the associated active directory group with the
>> exception of the ability to set and change permissions.
>>
>> We just discovered that a user can grant permissions to any folder that
>> they create under the primary folder because they are the folder
>> owner.   Obviously, I can change ownership to the domain admin, but how
>> in the world would I keep up with this.  I've no idea when a user might
>> create a sub folder.  I stumbled upon the problem because I found a
>> folder whereby a user had granted the everyone group full rights.  I
>> knew none of the domain admins would do that.  After talking with the
>> owner of the folder, I found out he's been doing it all along.
>>
>> Wow!  This is a real problem for us because we want to control access
>> through groups.  This one user had shared a bunch of folders using
>> individual names.  Plus, he had no clue what he was doing and just
>> granted everyone full rights.
>>
>> How in the world do you guys handle this?  Am I missing something?
>>
>> Thanks, Terri
>>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


RE: Users Setting NTFS Permissions

2010-01-14 Thread Ken Schaefer
Because there is plenty of information within an organisation that shouldn't 
necessarily be accessible to everyone in the organisation. Everything from HR 
information, payroll information, accounting information, IT information...

If users are mistakenly sharing out information to "Everyone" because they 
don't know how to do it better (and potentially refuse to understand, even 
given training) then you need to look at other methods (be they technical 
implementations, or removing the user's ability to do this, or fire the 
employee).

Cheers
Ken

From: Bill Songstad [mailto:bsongs...@gmail.com]
Sent: Thursday, 14 January 2010 10:23 AM
To: NT System Admin Issues
Subject: Re: Users Setting NTFS Permissions

I'm curious why you are concerned that an employee empowered to create a folder 
in your domain should not be allowed to set access rights to it.  Why disallow 
them the ability to control access if you as a domain admin can seize control 
if need be?

It's not like the everyone group includes anyone not in an existing domain
security group.  It's not like NT or W2K where the everyone group included the
anonymous group.  It's only authenticated domain users (and maybe machines).

If this is a case where an employee might share confidential information with 
those who should not see it, well that is a behavior/training issue, because if 
they want to share that info, locking their ability to set acls on that folder 
is not going to prevent them.

Bill
On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham <terri.es...@noaa.gov> wrote:
We have a Windows 2008 Domain whereby we control access to folders
stored on one of the domain controllers through Active Directory
groups.  When a new folder is created on the network file server, we
grant full permissions to the associated active directory group with the
exception of the ability to set and change permissions.

We just discovered that a user can grant permissions to any folder that
they create under the primary folder because they are the folder
owner.   Obviously, I can change ownership to the domain admin, but how
in the world would I keep up with this.  I've no idea when a user might
create a sub folder.  I stumbled upon the problem because I found a
folder whereby a user had granted the everyone group full rights.  I
knew none of the domain admins would do that.  After talking with the
owner of the folder, I found out he's been doing it all along.

Wow!  This is a real problem for us because we want to control access
through groups.  This one user had shared a bunch of folders using
individual names.  Plus, he had no clue what he was doing and just
granted everyone full rights.

How in the world do you guys handle this?  Am I missing something?

Thanks, Terri


Re: Users Setting NTFS Permissions

2010-01-13 Thread Bill Songstad
I'm curious why you are concerned that an employee empowered to create a
folder in your domain should not be allowed to set access rights to it.  Why
disallow them the ability to control access if you as a domain admin can
seize control if need be?

It's not like the everyone group includes anyone not in an existing domain
security group.  It's not like NT or W2K where the everyone group included
the anonymous group.  It's only authenticated domain users (and maybe
machines).

If this is a case where an employee might share confidential information
with those who should not see it, well that is a behavior/training issue,
because if they want to share that info, locking their ability to set acls
on that folder is not going to prevent them.

Bill

On Wed, Jan 13, 2010 at 4:07 AM, Terri Esham  wrote:

> We have a Windows 2008 Domain whereby we control access to folders
> stored on one of the domain controllers through Active Directory
> groups.  When a new folder is created on the network file server, we
> grant full permissions to the associated active directory group with the
> exception of the ability to set and change permissions.
>
> We just discovered that a user can grant permissions to any folder that
> they create under the primary folder because they are the folder
> owner.   Obviously, I can change ownership to the domain admin, but how
> in the world would I keep up with this.  I've no idea when a user might
> create a sub folder.  I stumbled upon the problem because I found a
> folder whereby a user had granted the everyone group full rights.  I
> knew none of the domain admins would do that.  After talking with the
> owner of the folder, I found out he's been doing it all along.
>
> Wow!  This is a real problem for us because we want to control access
> through groups.  This one user had shared a bunch of folders using
> individual names.  Plus, he had no clue what he was doing and just
> granted everyone full rights.
>
> How in the world do you guys handle this?  Am I missing something?
>
> Thanks, Terri
>

Re: Users Setting NTFS Permissions

2010-01-13 Thread Jonathan Link
You'll need to get rid of that permission setting in addition to changing
the owner.
Or not.  Your approach is probably enough, too.

On Wed, Jan 13, 2010 at 12:19 PM, James Rankin wrote:

> On the folder they've created, it seems so. Not any of the other folders
> already there though.
>
>  2010/1/13 Jonathan Link 
>
>> Do the users still have full control permission?
>>
>>
>> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin wrote:
>>
>>> It behaves exactly the same (for me anyway) after the permissions are
>>> removed - creating user is named as owner on the security tab and has the
>>> appropriate permissions rights to go with it. And after setting the owner
>>> with subinacl. Digging around in all this is making me glad I've set the
>>> security tab to hidden. I'm considering running the subinacl command as a
>>> scheduled task as well, as I can see multiple owners on parts of my data
>>> structure.
>>>
>>>
>>> 2010/1/13 
>>>
>>>> What about users who create folders after the permissions are removed?
>>>>
>>>> You have to do it from the very beginning, or manually reset the perms
>>>> after the fact as Jonathan has indicated earlier.
>>>>
>>>> There is a special set of rights that are implicitly granted, but the
>>>> removal of Creator/Owner should address that.
>>>>
>>>> I'll test it later today to verify.
>>>>
>>>>
>>>> Sent from my Verizon Wireless BlackBerry
>>>> --
>>>> *From: *James Rankin 
>>>> *Date: *Wed, 13 Jan 2010 16:16:07 +
>>>>   *To: *NT System Admin Issues
>>>> *Subject: *Re: Users Setting NTFS Permissions
>>>>
>>>>  Hmmm... I've removed it and it is still listing users who have created
>>>> folders as the owner. It's definitely not on the ACL...
>>>>
>>>> 2010/1/13 
>>>>
>>>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>>>> to maintain.
>>>>>
>>>>> Sent from my Verizon Wireless BlackBerry
>>>>> --
>>>>> *From: *James Rankin 
>>>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>>>> *To: *NT System Admin Issues
>>>>>  *Subject: *Re: Users Setting NTFS Permissions
>>>>>
>>>>>  I normally just give the groups RWXD, but the Creator Owner privilege
>>>>> appears by default on newly created folders. Without removing the ability
>>>>> to create folders and/or run subinacl scripts to take ownership, I find
>>>>> removing the GUI to change the permissions is the easiest option.
>>>>>
>>>>> 2010/1/13 Jonathan Link
>>>>>
>>>>>> Isn't that just obfuscation?  I thought the ability to change
>>>>>> permissions was granted by the Full Control right.  If that's the case,
>>>>>> pull Creator/Owner Full control from your file system and reassign
>>>>>> permissions accordingly.
>>>>>>
>>>>>>
>>>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>>>>
>>>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>>>> servers to Administrators and System only. You can do this with a GPO.
>>>>>>> The user can't access the security tab then and can't change
>>>>>>> permissions. Unless they know how to use cacls. You could lock the
>>>>>>> permissions on that file as well through Group Policy.
>>>>>>>
>>>>>>> 2010/1/13 Terri Esham
>>>>>>>
>>>>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>>>> stored on one of the domain controllers through Active Directory
>>>>>>>> groups.  When a new folder is created on the network file server, we
>>>>>>>> grant full permissions to the associated active directory group with
>>>>>>>> the exception of the ability to set and change permissions.
>>>>>>>>
>>>>>>>> We

Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
On the folder they've created, it seems so. Not any of the other folders
already there though.

2010/1/13 Jonathan Link 

> Do the users still have full control permission?
>
>
> On Wed, Jan 13, 2010 at 11:57 AM, James Rankin wrote:
>
>> It behaves exactly the same (for me anyway) after the permissions are
>> removed - creating user is named as owner on the security tab and has the
>> appropriate permissions rights to go with it. And after setting the owner
>> with subinacl. Digging around in all this is making me glad I've set the
>> security tab to hidden. I'm considering running the subinacl command as a
>> scheduled task as well, as I can see multiple owners on parts of my data
>> structure.
>>
>>
>> 2010/1/13 
>>
>>> What about users who create folders after the permissions are removed?
>>>
>>> You have to do it from the very beginning, or manually reset the perms
>>> after the fact as Jonathan has indicated earlier.
>>>
>>> There is a special set of rights that are implicitly granted, but the
>>> removal of Creator/Owner should address that.
>>>
>>> I'll test it later today to verify.
>>>
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>> --
>>> *From: *James Rankin 
>>> *Date: *Wed, 13 Jan 2010 16:16:07 +
>>>   *To: *NT System Admin Issues
>>> *Subject: *Re: Users Setting NTFS Permissions
>>>
>>>  Hmmm... I've removed it and it is still listing users who have created
>>> folders as the owner. It's definitely not on the ACL...
>>>
>>> 2010/1/13 
>>>
>>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>>> to maintain.
>>>>
>>>> Sent from my Verizon Wireless BlackBerry
>>>> --
>>>> *From: *James Rankin 
>>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>>> *To: *NT System Admin Issues
>>>>  *Subject: *Re: Users Setting NTFS Permissions
>>>>
>>>>  I normally just give the groups RWXD, but the Creator Owner privilege
>>>> appears by default on newly created folders. Without removing the ability
>>>> to create folders and/or run subinacl scripts to take ownership, I find
>>>> removing the GUI to change the permissions is the easiest option.
>>>>
>>>> 2010/1/13 Jonathan Link
>>>>
>>>>> Isn't that just obfuscation?  I thought the ability to change
>>>>> permissions was granted by the Full Control right.  If that's the case,
>>>>> pull Creator/Owner Full control from your file system and reassign
>>>>> permissions accordingly.
>>>>>
>>>>>
>>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>>>
>>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>>> servers to Administrators and System only. You can do this with a GPO.
>>>>>> The user can't access the security tab then and can't change
>>>>>> permissions. Unless they know how to use cacls. You could lock the
>>>>>> permissions on that file as well through Group Policy.
>>>>>>
>>>>>> 2010/1/13 Terri Esham
>>>>>>
>>>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>>> stored on one of the domain controllers through Active Directory
>>>>>>> groups.  When a new folder is created on the network file server, we
>>>>>>> grant full permissions to the associated active directory group with
>>>>>>> the exception of the ability to set and change permissions.
>>>>>>>
>>>>>>> We just discovered that a user can grant permissions to any folder
>>>>>>> that they create under the primary folder because they are the folder
>>>>>>> owner.   Obviously, I can change ownership to the domain admin, but
>>>>>>> how in the world would I keep up with this.  I've no idea when a user
>>>>>>> might create a sub folder.  I stumbled upon the problem because I found a
>

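Added example, not part of the original thread and not any poster's tooling: a Python audit over folder security descriptors in SDDL form that flags the three conditions discussed in this thread (a non-admin owner who can still rewrite the DACL, Everyone with full control, and Administrators/SYSTEM stripped from the ACL). The owner check relies on the owner's implicit READ_CONTROL/WRITE_DAC, which an OWNER RIGHTS ACE overrides on Server 2008 and later. The SIDs, folder names, SDDL strings and the accepted-owner policy are constructed assumptions.

```python
import re

# Access-mask values for the SDDL rights codes this audit needs (Windows SDK values).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
WRITE_DAC, GENERIC_ALL, FILE_ALL_ACCESS = 0x00040000, 0x10000000, 0x001F01FF

# Trustees as SDDL aliases or SIDs. "WD" means Everyone in the trustee field
# but WRITE_DAC in the rights field.
EVERYONE = {"WD", "S-1-1-0"}
OWNER_RIGHTS = {"OW", "S-1-3-4"}
ADMIN_OWNERS = {"BA", "SY", "DA"}   # assumption: owners the policy accepts
MUST_KEEP_FULL = ("BA", "SY")       # assumption: backup/migration run as these

SDDL_RE = re.compile(
    r"^O:(?P<owner>S-1-[\d-]+|[A-Z]{2})"
    r"(?:G:(?:S-1-[\d-]+|[A-Z]{2}))?"
    r"D:[A-Z_]*(?P<aces>(?:\([^()]*\))*)"
)


def parse_mask(text):
    """Turn an SDDL rights field ('FA', 'RCWD', '0x1301bf') into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]   # KeyError on a code this table lacks
    return mask


def parse_sddl(sddl):
    """Return (owner, [ace dicts]) for a simple file SDDL (no conditional ACEs)."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces")):
        ace_type, flags, rights, _obj, _inh_obj, trustee = body.split(";")[:6]
        aces.append({
            "allow": ace_type == "A",
            # Flags are two-letter tokens; a substring test would misread "CIOI".
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "mask": parse_mask(rights),
            "trustee": trustee,
        })
    return m.group("owner"), aces


def is_full(mask):
    return bool(mask & GENERIC_ALL) or (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS


def audit(sddl):
    """Return sorted finding codes for one folder. Deny ACEs are not evaluated."""
    owner, aces = parse_sddl(sddl)
    # Inherit-only (IO) ACEs shape children, not the folder that carries them.
    effective = [a for a in aces if a["allow"] and "IO" not in a["flags"]]
    findings = set()

    # Without an OWNER RIGHTS ACE the owner can always rewrite the DACL, even
    # when no ACE names them; with one, only what the ACEs actually grant counts.
    has_ow = any(a["trustee"] in OWNER_RIGHTS for a in effective)
    granted = any(a["mask"] & (WRITE_DAC | GENERIC_ALL) for a in effective
                  if a["trustee"] in OWNER_RIGHTS or a["trustee"] == owner)
    if owner not in ADMIN_OWNERS and (granted or not has_ow):
        findings.add("OWNER_CAN_REWRITE_DACL")

    if any(a["trustee"] in EVERYONE and is_full(a["mask"]) for a in effective):
        findings.add("EVERYONE_FULL_CONTROL")

    for trustee in MUST_KEEP_FULL:
        if not any(a["trustee"] == trustee and is_full(a["mask"]) for a in effective):
            findings.add("ADMIN_ACCESS_REMOVED")
    return sorted(findings)


# Constructed sample descriptors (not taken from any real server).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"    # folder creator
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1201"   # AD group, Modify only
BASE = "(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1301bf;;;%s)" % GROUP
SAMPLES = {
    "managed root": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                    "(A;OICI;0x1301bf;;;%s)(A;OICIIO;FA;;;CO)" % GROUP,
    "user subfolder": "O:%sG:DUD:AI%s(A;ID;FA;;;%s)(A;OICIIOID;FA;;;CO)"
                      % (USER, BASE, USER),
    "creator owner removed": "O:%sG:DUD:AI%s" % (USER, BASE),
    "user reworked acl": "O:%sG:DUD:PAI(A;OICI;FA;;;WD)(A;OICI;FA;;;%s)" % (USER, USER),
    "owner rights ace": "O:%sG:DUD:AI%s(A;OICIID;0x1301bf;;;OW)" % (USER, BASE),
}


def audit_all(samples):
    return {name: audit(sddl) for name, sddl in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print("%-24s %s" % (name, ", ".join(findings) or "ok"))
```

Real input can come from the Sddl property of Get-Acl output; conditional ACEs are outside what this parser handles.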
Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
I'm well aware of that (I have the cacls, xcacls and other commands locked
out too, even if they bring them on a USB stick the application whitelist
and AppSense will stop them). If any of my users can get past the controls I
have, I'd probably try and get them a job in our department :-) Hiding the
GUI stops the casual clickers, who are 99.9% of the problem. You'll never
stop a determined attacker - it's the spotting them and clearing up that's
vital.

2010/1/13 

> The problem is that simply hiding the GUI will not prevent someone from
> running CACLS or ICACLS which are native depending on your version of the OS.
>
>
> Sure, that requires a level of sophistication, but not that much more than
> a standard user. A google search will put you right there.
>
> Sent from my Verizon Wireless BlackBerry
> --
> *From: * James Rankin 
> *Date: *Wed, 13 Jan 2010 16:57:23 +
> *To: *NT System Admin Issues
> *Subject: *Re: Users Setting NTFS Permissions
>
> It behaves exactly the same (for me anyway) after the permissions are
> removed - creating user is named as owner on the security tab and has the
> appropriate permissions rights to go with it. And after setting the owner
> with subinacl. Digging around in all this is making me glad I've set the
> security tab to hidden. I'm considering running the subinacl command as a
> scheduled task as well, as I can see multiple owners on parts of my data
> structure.
>
> 2010/1/13 
>
>> What about users who create folders after the permissions are removed?
>>
>> You have to do it from the very beginning, or manually reset the perms
>> after the fact as Jonathan has indicated earlier.
>>
>> There is a special set of rights that are implicitly granted, but the
>> removal of Creator/Owner should address that.
>>
>> I'll test it later today to verify.
>>
>>
>> Sent from my Verizon Wireless BlackBerry
>> --
>> *From: * James Rankin 
>> *Date: *Wed, 13 Jan 2010 16:16:07 +
>> *To: *NT System Admin Issues
>> *Subject: *Re: Users Setting NTFS Permissions
>>
>>  Hmmm... I've removed it and it is still listing users who have created
>> folders as the owner. It's definitely not on the ACL...
>>
>> 2010/1/13 
>>
>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>> to maintain.
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>> --
>>> *From: * James Rankin 
>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>> *To: *NT System Admin Issues
>>> *Subject: *Re: Users Setting NTFS Permissions
>>>
>>> I normally just give the groups RWXD, but the Creator Owner privilege
>>> appears by default on newly created folders. Without removing the ability to
>>> create folders and/or run subinacl scripts to take ownership, I find
>>> removing the GUI to change the permissions is the easiest option.
>>>
>>> 2010/1/13 Jonathan Link 
>>>
>>>> Isn't that just obfuscation?  I thought the ability to change
>>>> permissions was granted by the Full Control right.  If that's the case,
>>>> pull Creator/Owner Full control from your file system and reassign
>>>> permissions accordingly.
>>>>
>>>>
>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>>
>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>> servers to Administrators and System only. You can do this with a GPO.
>>>>> The user can't access the security tab then and can't change
>>>>> permissions. Unless they know how to use cacls. You could lock the
>>>>> permissions on that file as well through Group Policy.
>>>>>
>>>>> 2010/1/13 Terri Esham
>>>>>
>>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>> stored on one of the domain controllers through Active Directory
>>>>>> groups.  When a new folder is created on the network file server, we
>>>>>> grant full permissions to the associated active directory group with
>>>>>> the exception of the ability to set and change permissions.
>>>>>>
>>>>>> We just discovered that a user can grant permissions to any folder
>>>>>> that they create under the primary

Re: Users Setting NTFS Permissions

2010-01-13 Thread Jonathan Link
Do the users still have full control permission?

On Wed, Jan 13, 2010 at 11:57 AM, James Rankin wrote:

> It behaves exactly the same (for me anyway) after the permissions are
> removed - creating user is named as owner on the security tab and has the
> appropriate permissions rights to go with it. And after setting the owner
> with subinacl. Digging around in all this is making me glad I've set the
> security tab to hidden. I'm considering running the subinacl command as a
> scheduled task as well, as I can see multiple owners on parts of my data
> structure.
>
>
> 2010/1/13 
>
>> What about users who create folders after the permissions are removed?
>>
>> You have to do it from the very beginning, or manually reset the perms
>> after the fact as Jonathan has indicated earlier.
>>
>> There is a special set of rights that are implicitly granted, but the
>> removal of Creator/Owner should address that.
>>
>> I'll test it later today to verify.
>>
>>
>> Sent from my Verizon Wireless BlackBerry
>> --
>> *From: *James Rankin 
>> *Date: *Wed, 13 Jan 2010 16:16:07 +
>>   *To: *NT System Admin Issues
>> *Subject: *Re: Users Setting NTFS Permissions
>>
>>  Hmmm... I've removed it and it is still listing users who have created
>> folders as the owner. It's definitely not on the ACL...
>>
>> 2010/1/13 
>>
>>> Creator/Owner is inherited and can be removed easily enough. Far easier
>>> to maintain.
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>> --
>>> *From: *James Rankin 
>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>> *To: *NT System Admin Issues
>>>  *Subject: *Re: Users Setting NTFS Permissions
>>>
>>>  I normally just give the groups RWXD, but the Creator Owner privilege
>>> appears by default on newly created folders. Without removing the ability to
>>> create folders and/or run subinacl scripts to take ownership, I find
>>> removing the GUI to change the permissions is the easiest option.
>>>
>>> 2010/1/13 Jonathan Link 
>>>
>>>> Isn't that just obfuscation?  I thought the ability to change
>>>> permissions was granted by the Full Control right.  If that's the case,
>>>> pull Creator/Owner Full control from your file system and reassign
>>>> permissions accordingly.
>>>>
>>>>
>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>>
>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>> servers to Administrators and System only. You can do this with a GPO.
>>>>> The user can't access the security tab then and can't change
>>>>> permissions. Unless they know how to use cacls. You could lock the
>>>>> permissions on that file as well through Group Policy.
>>>>>
>>>>> 2010/1/13 Terri Esham
>>>>>
>>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>> stored on one of the domain controllers through Active Directory
>>>>>> groups.  When a new folder is created on the network file server, we
>>>>>> grant full permissions to the associated active directory group with
>>>>>> the exception of the ability to set and change permissions.
>>>>>>
>>>>>> We just discovered that a user can grant permissions to any folder
>>>>>> that they create under the primary folder because they are the folder
>>>>>> owner.   Obviously, I can change ownership to the domain admin, but
>>>>>> how in the world would I keep up with this.  I've no idea when a user
>>>>>> might create a sub folder.  I stumbled upon the problem because I found a
>>>>>> folder whereby a user had granted the everyone group full rights.  I
>>>>>> knew none of the domain admins would do that.  After talking with the
>>>>>> owner of the folder, I found out he's been doing it all along.
>>>>>>
>>>>>> Wow!  This is a real problem for us because we want to control access
>>>>>> through groups.  This one user had shared a bunch of folders using
>>>>>> individual names.  Plus, he had no clue what he was doing and jus

Re: Users Setting NTFS Permissions

2010-01-13 Thread asbzone
The problem is that simply hiding the GUI will not prevent someone from running
CACLS or ICACLS which are native depending on your version of the OS.

Sure, that requires a level of sophistication, but not that much more than a 
standard user.   A google search will put you right there.  

Sent from my Verizon Wireless BlackBerry

-Original Message-
From: James Rankin 
Date: Wed, 13 Jan 2010 16:57:23 
To: NT System Admin Issues
Subject: Re: Users Setting NTFS Permissions

It behaves exactly the same (for me anyway) after the permissions are
removed - creating user is named as owner on the security tab and has the
appropriate permissions rights to go with it. And after setting the owner
with subinacl. Digging around in all this is making me glad I've set the
security tab to hidden. I'm considering running the subinacl command as a
scheduled task as well, as I can see multiple owners on parts of my data
structure.

2010/1/13 

> What about users who create folders after the permissions are removed?
>
> You have to do it from the very beginning, or manually reset the perms
> after the fact as Jonathan has indicated earlier.
>
> There is a special set of rights that are implicitly granted, but the
> removal of Creator/Owner should address that.
>
> I'll test it later today to verify.
>
>
> Sent from my Verizon Wireless BlackBerry
> --
> *From: * James Rankin 
> *Date: *Wed, 13 Jan 2010 16:16:07 +
> *To: *NT System Admin Issues
> *Subject: *Re: Users Setting NTFS Permissions
>
>  Hmmm... I've removed it and it is still listing users who have created
> folders as the owner. It's definitely not on the ACL...
>
> 2010/1/13 
>
>> Creator/Owner is inherited and can be removed easily enough. Far easier to
>> maintain.
>>
>> Sent from my Verizon Wireless BlackBerry
>> --
>> *From: * James Rankin 
>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>> *To: *NT System Admin Issues
>> *Subject: *Re: Users Setting NTFS Permissions
>>
>> I normally just give the groups RWXD, but the Creator Owner privilege
>> appears by default on newly created folders. Without removing the ability to
>> create folders and/or run subinacl scripts to take ownership, I find
>> removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link 
>>
>>> Isn't that just obfuscation?  I thought the ability to change permissions
>>> was granted by the Full Control right.  If that's the case, pull
>>> Creator/Owner Full control from your file system and reassign permissions
>>> accordingly.
>>>
>>>
>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>
>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>> user can't access the security tab then and can't change permissions. 
>>>> Unless
>>>> they know how to use cacls. You could lock the permissions on that file as
>>>> well through Group Policy.
>>>>
>>>> 2010/1/13 Terri Esham 
>>>>
>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>> stored on one of the domain controllers through Active Directory
>>>>> groups.  When a new folder is created on the network file server, we
>>>>> grant full permissions to the associated active directory group with
>>>>> the
>>>>> exception of the ability to set and change permissions.
>>>>>
>>>>> We just discovered that a user can grant permissions to any folder that
>>>>> they create under the primary folder because they are the folder
>>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>>> in the world would I keep up with this.  I've no idea when a user might
>>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>>> folder whereby a user had granted the everyone group full rights.  I
>>>>> knew none of the domain admins would do that.  After talking with the
>>>>> owner of the folder, I found out he's been doing it all along.
>>>>>
>>>>> Wow!  This is a real problem for us because we want to control access
>>>>> through groups.  This one user had shared a bunch of folders using
>>>>> individual names.  Plus, he had no clue what he was doing and just
>>>>> granted everyone full rights.
>>>>

Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
It behaves exactly the same (for me anyway) after the permissions are
removed - creating user is named as owner on the security tab and has the
appropriate permissions rights to go with it. And after setting the owner
with subinacl. Digging around in all this is making me glad I've set the
security tab to hidden. I'm considering running the subinacl command as a
scheduled task as well, as I can see multiple owners on parts of my data
structure.

2010/1/13 

> What about users who create folders after the permissions are removed?
>
> You have to do it from the very beginning, or manually reset the perms
> after the fact as Jonathan has indicated earlier.
>
> There is a special set of rights that are implicitly granted, but the
> removal of Creator/Owner should address that.
>
> I'll test it later today to verify.
>
>
> Sent from my Verizon Wireless BlackBerry
> --
> *From: * James Rankin 
> *Date: *Wed, 13 Jan 2010 16:16:07 +
> *To: *NT System Admin Issues
> *Subject: *Re: Users Setting NTFS Permissions
>
>  Hmmm... I've removed it and it is still listing users who have created
> folders as the owner. It's definitely not on the ACL...
>
> 2010/1/13 
>
>> Creator/Owner is inherited and can be removed easily enough. Far easier to
>> maintain.
>>
>> Sent from my Verizon Wireless BlackBerry
>> --
>> *From: * James Rankin 
>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>> *To: *NT System Admin Issues
>> *Subject: *Re: Users Setting NTFS Permissions
>>
>> I normally just give the groups RWXD, but the Creator Owner privilege
>> appears by default on newly created folders. Without removing the ability to
>> create folders and/or run subinacl scripts to take ownership, I find
>> removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link 
>>
>>> Isn't that just obfuscation?  I thought the ability to change permissions
>>> was granted by the Full Control right.  If that's the case, pull
>>> Creator/Owner Full control from your file system and reassign permissions
>>> accordingly.
>>>
>>>
>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>
>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>> user can't access the security tab then and can't change permissions. 
>>>> Unless
>>>> they know how to use cacls. You could lock the permissions on that file as
>>>> well through Group Policy.
>>>>
>>>> 2010/1/13 Terri Esham 
>>>>
>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>> stored on one of the domain controllers through Active Directory
>>>>> groups.  When a new folder is created on the network file server, we
>>>>> grant full permissions to the associated active directory group with
>>>>> the
>>>>> exception of the ability to set and change permissions.
>>>>>
>>>>> We just discovered that a user can grant permissions to any folder that
>>>>> they create under the primary folder because they are the folder
>>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>>> in the world would I keep up with this.  I've no idea when a user might
>>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>>> folder whereby a user had granted the everyone group full rights.  I
>>>>> knew none of the domain admins would do that.  After talking with the
>>>>> owner of the folder, I found out he's been doing it all along.
>>>>>
>>>>> Wow!  This is a real problem for us because we want to control access
>>>>> through groups.  This one user had shared a bunch of folders using
>>>>> individual names.  Plus, he had no clue what he was doing and just
>>>>> granted everyone full rights.
>>>>>
>>>>> How in the world do you guys handle this?  Am I missing something?
>>>>>
>>>>> Thanks, Terri

Re: Users Setting NTFS Permissions

2010-01-13 Thread asbzone
What about users who create folders after the permissions are removed?

You have to do it from the very beginning, or manually reset the perms after 
the fact as Jonathan has indicated earlier. 

There is a special set of rights that are implicitly granted, but the removal 
of Creator/Owner should address that.   

I'll test it later today to verify. 



Sent from my Verizon Wireless BlackBerry

-Original Message-
From: James Rankin 
Date: Wed, 13 Jan 2010 16:16:07 
To: NT System Admin Issues
Subject: Re: Users Setting NTFS Permissions

Hmmm... I've removed it and it is still listing users who have created
folders as the owner. It's definitely not on the ACL...

2010/1/13 

> Creator/Owner is inherited and can be removed easily enough. Far easier to
> maintain.
>
> Sent from my Verizon Wireless BlackBerry
> --
> *From: * James Rankin 
> *Date: *Wed, 13 Jan 2010 13:20:52 +
> *To: *NT System Admin Issues
> *Subject: *Re: Users Setting NTFS Permissions
>
> I normally just give the groups RWXD, but the Creator Owner privilege
> appears by default on newly created folders. Without removing the ability to
> create folders and/or run subinacl scripts to take ownership, I find
> removing the GUI to change the permissions is the easiest option.
>
> 2010/1/13 Jonathan Link 
>
>> Isn't that just obfuscation?  I thought the ability to change permissions
>> was granted by the Full Control right.  If that's the case, pull
>> Creator/Owner Full control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>
>>> Prevent access to the rshx32.dll file on all your workstations and
>>> servers to Administrators and System only. You can do this with a GPO. The
>>> user can't access the security tab then and can't change permissions. Unless
>>> they know how to use cacls. You could lock the permissions on that file as
>>> well through Group Policy.
>>>
>>> 2010/1/13 Terri Esham 
>>>
>>> We have a Windows 2008 Domain whereby we control access to folders
>>>> stored on one of the domain controllers through Active Directory
>>>> groups.  When a new folder is created on the network file server, we
>>>> grant full permissions to the associated active directory group with the
>>>> exception of the ability to set and change permissions.
>>>>
>>>> We just discovered that a user can grant permissions to any folder that
>>>> they create under the primary folder because they are the folder
>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>> in the world would I keep up with this.  I've no idea when a user might
>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>> folder whereby a user had granted the everyone group full rights.  I
>>>> knew none of the domain admins would do that.  After talking with the
>>>> owner of the folder, I found out he's been doing it all along.
>>>>
>>>> Wow!  This is a real problem for us because we want to control access
>>>> through groups.  This one user had shared a bunch of folders using
>>>> individual names.  Plus, he had no clue what he was doing and just
>>>> granted everyone full rights.
>>>>
>>>> How in the world do you guys handle this?  Am I missing something?
>>>>
>>>> Thanks, Terri


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."



Re: Users Setting NTFS Permissions

2010-01-13 Thread Jonathan Link
Oh, test to make sure it doesn't alter the NTFS permissions too.  It was so
long ago that I used this that I can't remember if I had other issues.

On Wed, Jan 13, 2010 at 11:23 AM, Jonathan Link wrote:

>  I'm sorry, I misremembered.  I only had to do this once, and it was
> enough to always remember to remove the Creator/Owner from every data drive
> forevermore.
>
> To take ownership you need subinacl available in one of the resource kits.
>
> Syntax is subinacl /subdirectories :\\*.*
> /setowner=domain\
>
>
>
>   On Wed, Jan 13, 2010 at 11:16 AM, James Rankin wrote:
>
>>  Hmmm... I've removed it and it is still listing users who have created
>> folders as the owner. It's definitely not on the ACL...
>>
>> 2010/1/13 
>>
>> Creator/Owner is inherited and can be removed easily enough. Far easier to
>>> maintain.
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>> --
>>> *From: *James Rankin 
>>> *Date: *Wed, 13 Jan 2010 13:20:52 +
>>> *To: *NT System Admin Issues
>>>  *Subject: *Re: Users Setting NTFS Permissions
>>>
>>>  I normally just give the groups RWXD, but the Creator Owner privilege
>>> appears by default on newly created folders. Without removing the ability to
>>> create folders and/or run subinacl scripts to take ownership, I find
>>> removing the GUI to change the permissions is the easiest option.
>>>
>>> 2010/1/13 Jonathan Link 
>>>
>>>> Isn't that just obfuscation?  I thought the ability to change
>>>> permissions was granted by the Full Control right.  If that's the case, 
>>>> pull
>>>> Creator/Owner Full control from your file system and reassign permissions
>>>> accordingly.
>>>>
>>>>
>>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>>
>>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>>> user can't access the security tab then and can't change permissions. 
>>>>> Unless
>>>>> they know how to use cacls. You could lock the permissions on that file as
>>>>> well through Group Policy.
>>>>>
>>>>> 2010/1/13 Terri Esham 
>>>>>
>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>>> stored on one of the domain controllers through Active Directory
>>>>>> groups.  When a new folder is created on the network file server, we
>>>>>> grant full permissions to the associated active directory group with
>>>>>> the
>>>>>> exception of the ability to set and change permissions.
>>>>>>
>>>>>> We just discovered that a user can grant permissions to any folder
>>>>>> that
>>>>>> they create under the primary folder because they are the folder
>>>>>> owner.   Obviously, I can change ownership to the domain admin, but
>>>>>> how
>>>>>> in the world would I keep up with this.  I've no idea when a user
>>>>>> might
>>>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>>>> folder whereby a user had granted the everyone group full rights.  I
>>>>>> knew none of the domain admins would do that.  After talking with the
>>>>>> owner of the folder, I found out he's been doing it all along.
>>>>>>
>>>>>> Wow!  This is a real problem for us because we want to control access
>>>>>> through groups.  This one user had shared a bunch of folders using
>>>>>> individual names.  Plus, he had no clue what he was doing and just
>>>>>> granted everyone full rights.
>>>>>>
>>>>>> How in the world do you guys handle this?  Am I missing something?
>>>>>>
>>>>>> Thanks, Terri

Re: Users Setting NTFS Permissions

2010-01-13 Thread Jonathan Link
I'm sorry, I misremembered.  I only had to do this once, and it was enough
to always remember to remove the Creator/Owner from every data drive
forevermore.

To take ownership you need subinacl available in one of the resource kits.
Syntax is subinacl /subdirectories :\\*.*
/setowner=domain\



On Wed, Jan 13, 2010 at 11:16 AM, James Rankin wrote:

>  Hmmm... I've removed it and it is still listing users who have created
> folders as the owner. It's definitely not on the ACL...
>
> 2010/1/13 
>
> Creator/Owner is inherited and can be removed easily enough. Far easier to
>> maintain.
>>
>> Sent from my Verizon Wireless BlackBerry
>> --
>> *From: *James Rankin 
>> *Date: *Wed, 13 Jan 2010 13:20:52 +0000
>> *To: *NT System Admin Issues
>>  *Subject: *Re: Users Setting NTFS Permissions
>>
>>  I normally just give the groups RWXD, but the Creator Owner privilege
>> appears by default on newly created folders. Without removing the ability to
>> create folders and/or run subinacl scripts to take ownership, I find
>> removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link 
>>
>>> Isn't that just obfuscation?  I thought the ability to change permissions
>>> was granted by the Full Control right.  If that's the case, pull
>>> Creator/Owner Full control from your file system and reassign permissions
>>> accordingly.
>>>
>>>
>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>
>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>> user can't access the security tab then and can't change permissions. 
>>>> Unless
>>>> they know how to use cacls. You could lock the permissions on that file as
>>>> well through Group Policy.
>>>>
>>>> 2010/1/13 Terri Esham 
>>>>
>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>> stored on one of the domain controllers through Active Directory
>>>>> groups.  When a new folder is created on the network file server, we
>>>>> grant full permissions to the associated active directory group with
>>>>> the
>>>>> exception of the ability to set and change permissions.
>>>>>
>>>>> We just discovered that a user can grant permissions to any folder that
>>>>> they create under the primary folder because they are the folder
>>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>>> in the world would I keep up with this.  I've no idea when a user might
>>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>>> folder whereby a user had granted the everyone group full rights.  I
>>>>> knew none of the domain admins would do that.  After talking with the
>>>>> owner of the folder, I found out he's been doing it all along.
>>>>>
>>>>> Wow!  This is a real problem for us because we want to control access
>>>>> through groups.  This one user had shared a bunch of folders using
>>>>> individual names.  Plus, he had no clue what he was doing and just
>>>>> granted everyone full rights.
>>>>>
>>>>> How in the world do you guys handle this?  Am I missing something?
>>>>>
>>>>> Thanks, Terri

Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
Hmmm... I've removed it and it is still listing users who have created
folders as the owner. It's definitely not on the ACL...

2010/1/13 

> Creator/Owner is inherited and can be removed easily enough. Far easier to
> maintain.
>
> Sent from my Verizon Wireless BlackBerry
> --
> *From: * James Rankin 
> *Date: *Wed, 13 Jan 2010 13:20:52 +
> *To: *NT System Admin Issues
> *Subject: *Re: Users Setting NTFS Permissions
>
> I normally just give the groups RWXD, but the Creator Owner privilege
> appears by default on newly created folders. Without removing the ability to
> create folders and/or run subinacl scripts to take ownership, I find
> removing the GUI to change the permissions is the easiest option.
>
> 2010/1/13 Jonathan Link 
>
>> Isn't that just obfuscation?  I thought the ability to change permissions
>> was granted by the Full Control right.  If that's the case, pull
>> Creator/Owner Full control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>
>>> Prevent access to the rshx32.dll file on all your workstations and
>>> servers to Administrators and System only. You can do this with a GPO. The
>>> user can't access the security tab then and can't change permissions. Unless
>>> they know how to use cacls. You could lock the permissions on that file as
>>> well through Group Policy.
>>>
>>> 2010/1/13 Terri Esham 
>>>
>>> We have a Windows 2008 Domain whereby we control access to folders
>>>> stored on one of the domain controllers through Active Directory
>>>> groups.  When a new folder is created on the network file server, we
>>>> grant full permissions to the associated active directory group with the
>>>> exception of the ability to set and change permissions.
>>>>
>>>> We just discovered that a user can grant permissions to any folder that
>>>> they create under the primary folder because they are the folder
>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>> in the world would I keep up with this.  I've no idea when a user might
>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>> folder whereby a user had granted the everyone group full rights.  I
>>>> knew none of the domain admins would do that.  After talking with the
>>>> owner of the folder, I found out he's been doing it all along.
>>>>
>>>> Wow!  This is a real problem for us because we want to control access
>>>> through groups.  This one user had shared a bunch of folders using
>>>> individual names.  Plus, he had no clue what he was doing and just
>>>> granted everyone full rights.
>>>>
>>>> How in the world do you guys handle this?  Am I missing something?
>>>>
>>>> Thanks, Terri


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."
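
Added example, not part of the original thread: a read-only PowerShell audit (3.0 or later) for the problem discussed here, where the creating user stays owner of a new folder and can grant rights such as Everyone Full Control. The function name, the approved-owner and broad-principal lists, and the share path in the usage comment are assumptions to adapt.

```powershell
# Added example (not from the thread): report ownership and DACL drift under a share.
# Assumptions: principal names are English-locale defaults; the path in the
# usage comment at the bottom is a placeholder for your own share root.
function Get-NtfsPermissionDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,
        # Accounts allowed to own folders; any other owner is reported.
        [string[]]$ApprovedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
        # Catch-all principals that should never hold an explicit grant.
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Bits that let a trustee rewrite the DACL or take the folder over.
    # 0x10000000 is GENERIC_ALL, which Get-Acl shows on some inherit-only ACEs.
    $aclControl = [int]($fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x10000000

    function New-Finding($Path, $Finding, $Principal, $Rights) {
        [pscustomobject]@{ Path = $Path; Finding = $Finding; Principal = $Principal; Rights = $Rights }
    }

    # The root itself plus every subfolder; files are skipped to keep the run short.
    $folders = @(Get-Item -LiteralPath $Root -ErrorAction Stop) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # A folder the auditing account cannot read is itself worth a look.
            New-Finding $folder.FullName 'AclUnreadable' $null $_.Exception.Message
            continue
        }

        # The owner can change permissions even with no ACE naming them,
        # so a user-owned folder is reported regardless of its DACL.
        if ($ApprovedOwners -notcontains $acl.Owner) {
            New-Finding $folder.FullName 'OwnerNotApproved' $acl.Owner $null
        }

        foreach ($ace in $acl.Access) {
            # Only explicit Allow ACEs: those mark where a change was made,
            # inherited copies further down would just repeat the finding.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }

            $who  = $ace.IdentityReference.Value
            $mask = [int]$ace.FileSystemRights

            if ($who -eq 'CREATOR OWNER') {
                New-Finding $folder.FullName 'CreatorOwnerAce' $who $ace.FileSystemRights
            } elseif ($BroadPrincipals -contains $who) {
                New-Finding $folder.FullName 'BroadExplicitGrant' $who $ace.FileSystemRights
            } elseif ((($mask -band $aclControl) -ne 0) -and ($ApprovedOwners -notcontains $who)) {
                New-Finding $folder.FullName 'CanRewriteAcl' $who $ace.FileSystemRights
            }
        }
    }
}

# Usage (placeholder path), for example from a scheduled task:
# Get-NtfsPermissionDrift -Root 'D:\Shares\Dept' |
#     Export-Csv -Path .\ntfs-drift.csv -NoTypeInformation
```

The function only reads ACLs; resetting owners or removing ACEs stays a separate, deliberate step with the tools named in the thread.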


Re: Users Setting NTFS Permissions

2010-01-13 Thread asbzone
Creator/Owner is inherited and can be removed easily enough.  Far easier to 
maintain. 

Sent from my Verizon Wireless BlackBerry

-Original Message-
From: James Rankin 
Date: Wed, 13 Jan 2010 13:20:52 
To: NT System Admin Issues
Subject: Re: Users Setting NTFS Permissions

I normally just give the groups RWXD, but the Creator Owner privilege
appears by default on newly created folders. Without removing the ability to
create folders and/or run subinacl scripts to take ownership, I find
removing the GUI to change the permissions is the easiest option.

2010/1/13 Jonathan Link 

> Isn't that just obfuscation?  I thought the ability to change permissions
> was granted by the Full Control right.  If that's the case, pull
> Creator/Owner Full control from your file system and reassign permissions
> accordingly.
>
>
> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>
>> Prevent access to the rshx32.dll file on all your workstations and servers
>> to Administrators and System only. You can do this with a GPO. The user
>> can't access the security tab then and can't change permissions. Unless they
>> know how to use cacls. You could lock the permissions on that file as well
>> through Group Policy.
>>
>> 2010/1/13 Terri Esham 
>>
>> We have a Windows 2008 Domain whereby we control access to folders
>>> stored on one of the domain controllers through Active Directory
>>> groups.  When a new folder is created on the network file server, we
>>> grant full permissions to the associated active directory group with the
>>> exception of the ability to set and change permissions.
>>>
>>> We just discovered that a user can grant permissions to any folder that
>>> they create under the primary folder because they are the folder
>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>> in the world would I keep up with this.  I've no idea when a user might
>>> create a sub folder.  I stumbled upon the problem because I found a
>>> folder whereby a user had granted the everyone group full rights.  I
>>> knew none of the domain admins would do that.  After talking with the
>>> owner of the folder, I found out he's been doing it all along.
>>>
>>> Wow!  This is a real problem for us because we want to control access
>>> through groups.  This one user had shared a bunch of folders using
>>> individual names.  Plus, he had no clue what he was doing and just
>>> granted everyone full rights.
>>>
>>> How in the world do you guys handle this?  Am I missing something?
>>>
>>> Thanks, Terri


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."



Re: Users Setting NTFS Permissions

2010-01-13 Thread Jonathan Link
Well, this is where it gets complex.  In my experience, pulling it from the
parent folder doesn't always set the permissions, especially if the
permissions are different for any child folders, which is common for a user
folder structure.  To effectively remove it you'll need to use cacls or
xcacls.

cacls foldername /t /e /r "creator owner" should do it, substituting your
folder path for foldername.  It will recursively remove the creator owner
from the entire directory structure, leaving your other acls intact.

On Wed, Jan 13, 2010 at 10:22 AM, Terri Esham  wrote:

> The Creator Owner was already removed under the Security tab so that isn't
> enough to stop the user from creating a new folder and granting rights.
> What now?
>
> Terri
>
> James Rankin said the following on 1/13/2010 10:12 AM:
>
> Check the ACL at the highest level you want to go, remove Creator/Owner
> from the list of security permissions, and ensure that the change propagates
> down from the parent
>
> Better idea (if you can, never tried) is to remove it using cacls and the
> /e switch I would think
>
> 2010/1/13 Terri Esham 
>
>> How do you remove creator/owner?
>>
>> Thanks, Terri
>>
>> James Winzenz said the following on 1/13/2010 9:06 AM:
>>
>> This is what we do - we remove Creator/Owner when the server is set up,
>> don't have to worry about it after that.
>>
>> Thanks,
>>
>> James Winzenz
>>
>>
>>
>>
>> --
>> Date: Wed, 13 Jan 2010 08:41:33 -0500
>> Subject: Re: Users Setting NTFS Permissions
>> From: jonathan.l...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> That's because the parent folder has creator/owner permissions and any
>> newly created folder is inheriting the permission from the parent.  In my
>> FS where I've removed creator/owner from the parent I don't see this
>> behavior.
>>
>> On Wed, Jan 13, 2010 at 8:20 AM, James Rankin wrote:
>>
>> I normally just give the groups RWXD, but the Creator Owner privilege
>> appears by default on newly created folders. Without removing the ability to
>> create folders and/or run subinacl scripts to take ownership, I find
>> removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link 
>>
>> Isn't that just obfuscation?  I thought the ability to change permissions
>> was granted by the Full Control right.  If that's the case, pull
>> Creator/Owner Full control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>
>> Prevent access to the rshx32.dll file on all your workstations and servers
>> to Administrators and System only. You can do this with a GPO. The user
>> can't access the security tab then and can't change permissions. Unless they
>> know how to use cacls. You could lock the permissions on that file as well
>> through Group Policy.
>>
>> 2010/1/13 Terri Esham 
>>
>> We have a Windows 2008 Domain whereby we control access to folders
>> stored on one of the domain controllers through Active Directory
>> groups.  When a new folder is created on the network file server, we
>> grant full permissions to the associated active directory group with the
>> exception of the ability to set and change permissions.
>>
>> We just discovered that a user can grant permissions to any folder that
>> they create under the primary folder because they are the folder
>> owner.   Obviously, I can change ownership to the domain admin, but how
>> in the world would I keep up with this.  I've no idea when a user might
>> create a sub folder.  I stumbled upon the problem because I found a
>> folder whereby a user had granted the everyone group full rights.  I
>> knew none of the domain admins would do that.  After talking with the
>> owner of the folder, I found out he's been doing it all along.
>>
>> Wow!  This is a real problem for us because we want to control access
>> through groups.  This one user had shared a bunch of folders using
>> individual names.  Plus, he had no clue what he was doing and just
>> granted everyone full rights.
>>
>> How in the world do you guys handle this?  Am I missing something?
>>
>> Thanks, Terri

Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
OK...learning more new stuff...indeed Creator Owner appears to be applied,
even though it's not on the ACL, because as Terri says the user creating the
folder can indeed modify the permissions (I've just tested on my Windows
2003 file server and can concur). If you look on the Owner tab on the new
folder, the creating user is definitely listed as the owner and as such
obviously inherits the Creator Owner permission.

I think restricting the permissions on rshx32.dll is the best way forward.
That way users can't even access the Security tab under Properties. I don't
know how you'd go about ensuring that newly-created folders don't get this
"hidden" Creator Owner privilege, save a script that takes ownership of file
structures at predetermined intervals (*subinacl* is one tool offhand I've
used for doing this). They certainly inherit their base NTFS permissions
from the parent, but the user creating it definitely has the permissions to
Change Permissions even though they aren't explicitly defined on the ACL.

I use a Group Policy Registry permission to set the security on the
rshx32.dll file. It definitely stops my users messing with creative
permissions sets.

2010/1/13 Terri Esham 

>  The Creator Owner was already removed under the Security tab so that isn't
> enough to stop the user from creating a new folder and granting rights.
> What now?
>
> Terri
>
> James Rankin said the following on 1/13/2010 10:12 AM:
>
> Check the ACL at the highest level you want to go, remove Creator/Owner
> from the list of security permissions, and ensure that the change propagates
> down from the parent
>
> Better idea (if you can, never tried) is to remove it using cacls and the
> /e switch I would think
>
> 2010/1/13 Terri Esham 
>
>> How do you remove creator/owner?
>>
>> Thanks, Terri
>>
>> James Winzenz said the following on 1/13/2010 9:06 AM:
>>
>> This is what we do - we remove Creator/Owner when the server is set up,
>> don't have to worry about it after that.
>>
>> Thanks,
>>
>> James Winzenz
>>
>>
>>
>>
>> --
>> Date: Wed, 13 Jan 2010 08:41:33 -0500
>> Subject: Re: Users Setting NTFS Permissions
>> From: jonathan.l...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> That's because the parent folder has creator/owner permissions and any
>> newly created folder is inheriting the permission from the parent.  In my
>> FS where I've removed creator/owner from the parent I don't see this
>> behavior.
>>
>> On Wed, Jan 13, 2010 at 8:20 AM, James Rankin wrote:
>>
>> I normally just give the groups RWXD, but the Creator Owner privilege
>> appears by default on newly created folders. Without removing the ability to
>> create folders and/or run subinacl scripts to take ownership, I find
>> removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link 
>>
>> Isn't that just obfuscation?  I thought the ability to change permissions
>> was granted by the Full Control right.  If that's the case, pull
>> Creator/Owner Full control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>
>> Prevent access to the rshx32.dll file on all your workstations and servers
>> to Administrators and System only. You can do this with a GPO. The user
>> can't access the security tab then and can't change permissions. Unless they
>> know how to use cacls. You could lock the permissions on that file as well
>> through Group Policy.
>>
>> 2010/1/13 Terri Esham 
>>
>> We have a Windows 2008 Domain whereby we control access to folders
>> stored on one of the domain controllers through Active Directory
>> groups.  When a new folder is created on the network file server, we
>> grant full permissions to the associated active directory group with the
>> exception of the ability to set and change permissions.
>>
>> We just discovered that a user can grant permissions to any folder that
>> they create under the primary folder because they are the folder
>> owner.   Obviously, I can change ownership to the domain admin, but how
>> in the world would I keep up with this.  I've no idea when a user might
>> create a sub folder.  I stumbled upon the problem because I found a
>> folder whereby a user had granted the everyone group full rights.  I
>> knew none of the domain admins would do that.  After talking with the
>> owner of the folder, I found out he's been doing it 
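
The behaviour tested in the message above, an owner changing permissions with no Creator Owner entry on the ACL, follows from NTFS implicitly granting an object's owner READ_CONTROL and WRITE_DAC; on Windows Vista / Server 2008 and later an OWNER RIGHTS (S-1-3-4) ACE overrides that implicit grant. The PowerShell below is an added example, not code from the thread, that flags the conditions discussed here (non-admin owners, Everyone write access, hand-set ACEs, Creator Owner templates); `Get-AclFinding`, `New-Finding`, the approved-owner list and the SDDL sample are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). SIDs and the SDDL string are constructed sample data.
$ApprovedOwners  = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, SYSTEM (assumed policy)
$SidEveryone     = 'S-1-1-0'
$SidCreatorOwner = 'S-1-3-0'
$SidOwnerRights  = 'S-1-3-4'                       # OWNER RIGHTS, Vista / Server 2008 and later
$SidType         = [System.Security.Principal.SecurityIdentifier]
$DaclControl     = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$WriteBits       = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete'
$InheritOnly     = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-Finding($Path, $Finding, $Trustee, $Detail) {
    [pscustomobject]@{ Path = $Path; Finding = $Finding; Trustee = $Trustee; Detail = $Detail }
}

function Get-AclFinding {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [System.Security.AccessControl.FileSystemSecurity] $Security
    )
    $owner = $Security.GetOwner($SidType).Value
    $rules = @($Security.GetAccessRules($true, $true, $SidType))   # explicit + inherited ACEs
    # ACEs that apply to this folder itself; inherit-only ACEs affect children only.
    $onThisObject = @($rules | Where-Object { -not ([int]$_.PropagationFlags -band $InheritOnly) })

    # 1. A non-admin owner can rewrite the DACL unless an OWNER RIGHTS ACE limits it.
    if ($ApprovedOwners -notcontains $owner) {
        $ownerAces = @($onThisObject | Where-Object { $_.IdentityReference.Value -eq $SidOwnerRights })
        if ($ownerAces.Count -eq 0) {
            New-Finding $Path 'OwnerCanEditDacl' $owner 'implicit READ_CONTROL/WRITE_DAC, no OWNER RIGHTS ACE'
        }
        elseif ($ownerAces | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                            ([int]$_.FileSystemRights -band $DaclControl) }) {
            New-Finding $Path 'OwnerCanEditDacl' $owner 'OWNER RIGHTS ACE grants DACL control'
        }
    }

    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $sid    = $r.IdentityReference.Value
        $rights = [int]$r.FileSystemRights

        # 2. Everyone with write, delete or DACL control.
        if ($sid -eq $SidEveryone -and ($rights -band ($WriteBits -bor $DaclControl))) {
            New-Finding $Path 'EveryoneWrite' $sid $r.FileSystemRights
        }
        # 3. Creator Owner template that hands DACL control to whoever creates a child.
        if ($sid -eq $SidCreatorOwner -and ($rights -band $DaclControl)) {
            New-Finding $Path 'CreatorOwnerTemplate' $sid $r.FileSystemRights
        }
        # 4. ACE set directly on this folder (expected on the tree root, suspicious below it).
        if (-not $r.IsInherited) {
            New-Finding $Path 'ExplicitAce' $sid $r.FileSystemRights
        }
    }
}

# Constructed sample: user-owned folder, explicit Everyone:Full Control, inherited group
# Modify ACE, inherited inherit-only Creator Owner:Full Control template.
$domain = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = New-Object System.Security.AccessControl.DirectorySecurity
$sample.SetSecurityDescriptorSddlForm(
    "O:$domain-1105G:BAD:AI(A;OICI;FA;;;WD)(A;OICIID;0x1301bf;;;$domain-1200)(A;OICIIOID;FA;;;CO)")
Get-AclFinding -Path 'D:\Shares\Projects\NewFolder (constructed)' -Security $sample |
    Format-Table -AutoSize

# Against a real tree (the root path is a placeholder):
# Get-ChildItem -LiteralPath 'D:\Shares' -Directory -Recurse |
#     ForEach-Object { Get-AclFinding -Path $_.FullName -Security (Get-Acl -LiteralPath $_.FullName) }
```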

Re: Users Setting NTFS Permissions

2010-01-13 Thread Terri Esham
The Creator Owner was already removed under the Security tab so that
isn't enough to stop the user from creating a new folder and granting
rights.  What now?

Terri

James Rankin said the following on 1/13/2010 10:12 AM:
> Check the ACL at the highest level you want to go, remove
> Creator/Owner from the list of security permissions, and ensure that
> the change propagates down from the parent
>
> Better idea (if you can, never tried) is to remove it using cacls and
> the /e switch I would think
>
> 2010/1/13 Terri Esham <terri.es...@noaa.gov>
>
> How do you remove creator/owner?
>
> Thanks, Terri
>
> James Winzenz said the following on 1/13/2010 9:06 AM:
>> This is what we do - we remove Creator/Owner when the server is
>> set up, don't have to worry about it after that.
>>
>> Thanks,
>>  
>> James Winzenz
>>
>>
>>
>>  
>> ----
>> Date: Wed, 13 Jan 2010 08:41:33 -0500
>> Subject: Re: Users Setting NTFS Permissions
>> From: jonathan.l...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> That's because the parent folder has creator/owner permissions
>> and any newly created folder is inheriting the permission from
>> the parent.  In my FS where I've removed creator/owner from the
>> parent I don't see this behavior.
>>
>> On Wed, Jan 13, 2010 at 8:20 AM, James Rankin
>> <kz2...@googlemail.com> wrote:
>>
>> I normally just give the groups RWXD, but the Creator Owner
>> privilege appears by default on newly created folders.
>> Without removing the ability to create folders and/or run
>> subinacl scripts to take ownership, I find removing the GUI
>> to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link <jonathan.l...@gmail.com>
>>
>> Isn't that just obfuscation?  I thought the ability to
>> change permissions was granted by the Full Control
>> right.  If that's the case, pull Creator/Owner Full
>> control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin
>> <kz2...@googlemail.com> wrote:
>>
>> Prevent access to the rshx32.dll file on all your
>> workstations and servers to Administrators and System
>> only. You can do this with a GPO. The user can't
>> access the security tab then and can't change
>> permissions. Unless they know how to use cacls. You
>> could lock the permissions on that file as well
>> through Group Policy.
>>
>> 2010/1/13 Terri Esham <terri.es...@noaa.gov>
>>
>> We have a Windows 2008 Domain whereby we control
>> access to folders
>> stored on one of the domain controllers through
>> Active Directory
>> groups.  When a new folder is created on the
>> network file server, we
>> grant full permissions to the associated active
>> directory group with the
>> exception of the ability to set and change
>> permissions.
>>
>> We just discovered that a user can grant
>> permissions to any folder that
>> they create under the primary folder because they
>> are the folder
>> owner.   Obviously, I can change ownership to the
>> domain admin, but how
>> in the world would I keep up with this.  I've no
>> idea when a user might
>> create a sub folder.  I stumbled upon the problem
>> because I found a
>> folder whereby a user had granted the everyone
>> group full rights.  I
>> knew none of the domain admins would do that.
>>  After talking with the
>>

Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
Check the ACL at the highest level you want to go, remove Creator/Owner from
the list of security permissions, and ensure that the change propagates down
from the parent

Better idea (if you can, never tried) is to remove it using cacls and the /e
switch I would think

2010/1/13 Terri Esham 

>  How do you remove creator/owner?
>
> Thanks, Terri
>
> James Winzenz said the following on 1/13/2010 9:06 AM:
>
> This is what we do - we remove Creator/Owner when the server is set up,
> don't have to worry about it after that.
>
> Thanks,
>
> James Winzenz
>
>
>
>
> --
> Date: Wed, 13 Jan 2010 08:41:33 -0500
> Subject: Re: Users Setting NTFS Permissions
> From: jonathan.l...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
>
> That's because the parent folder has creator/owner permissions and any
> newly created folder is inheriting the permission from the parent.  In my
> FS where I've removed creator/owner from the parent I don't see this
> behavior.
>
> On Wed, Jan 13, 2010 at 8:20 AM, James Rankin wrote:
>
> I normally just give the groups RWXD, but the Creator Owner privilege
> appears by default on newly created folders. Without removing the ability to
> create folders and/or run subinacl scripts to take ownership, I find
> removing the GUI to change the permissions is the easiest option.
>
> 2010/1/13 Jonathan Link 
>
> Isn't that just obfuscation?  I thought the ability to change permissions
> was granted by the Full Control right.  If that's the case, pull
> Creator/Owner Full control from your file system and reassign permissions
> accordingly.
>
>
> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>
> Prevent access to the rshx32.dll file on all your workstations and servers
> to Administrators and System only. You can do this with a GPO. The user
> can't access the security tab then and can't change permissions. Unless they
> know how to use cacls. You could lock the permissions on that file as well
> through Group Policy.
>
> 2010/1/13 Terri Esham 
>
> We have a Windows 2008 Domain whereby we control access to folders
> stored on one of the domain controllers through Active Directory
> groups.  When a new folder is created on the network file server, we
> grant full permissions to the associated active directory group with the
> exception of the ability to set and change permissions.
>
> We just discovered that a user can grant permissions to any folder that
> they create under the primary folder because they are the folder
> owner.   Obviously, I can change ownership to the domain admin, but how
> in the world would I keep up with this.  I've no idea when a user might
> create a sub folder.  I stumbled upon the problem because I found a
> folder whereby a user had granted the everyone group full rights.  I
> knew none of the domain admins would do that.  After talking with the
> owner of the folder, I found out he's been doing it all along.
>
> Wow!  This is a real problem for us because we want to control access
> through groups.  This one user had shared a bunch of folders using
> individual names.  Plus, he had no clue what he was doing and just
> granted everyone full rights.
>
> How in the world do you guys handle this?  Am I missing something?
>
> Thanks, Terri


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


Re: Users Setting NTFS Permissions

2010-01-13 Thread Terri Esham
How do you remove creator/owner?

Thanks, Terri

James Winzenz said the following on 1/13/2010 9:06 AM:
> This is what we do - we remove Creator/Owner when the server is set
> up, don't have to worry about it after that.
>
> Thanks,
>  
> James Winzenz
>
>
>
>  
> 
> Date: Wed, 13 Jan 2010 08:41:33 -0500
> Subject: Re: Users Setting NTFS Permissions
> From: jonathan.l...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
>
> That's because the parent folder has creator/owner permissions and any
> newly created folder is inheriting the permission from the parent.
> In my FS where I've removed creator/owner from the parent I don't see
> this behavior.
>
> On Wed, Jan 13, 2010 at 8:20 AM, James Rankin <kz2...@googlemail.com> wrote:
>
> I normally just give the groups RWXD, but the Creator Owner
> privilege appears by default on newly created folders. Without
> removing the ability to create folders and/or run subinacl scripts
> to take ownership, I find removing the GUI to change the
> permissions is the easiest option.
>
> 2010/1/13 Jonathan Link <jonathan.l...@gmail.com>
>
> Isn't that just obfuscation?  I thought the ability to change
> permissions was granted by the Full Control right.  If that's
> the case, pull Creator/Owner Full control from your file
> system and reassign permissions accordingly.
>
>
> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin
> <kz2...@googlemail.com> wrote:
>
> Prevent access to the rshx32.dll file on all your
> workstations and servers to Administrators and System
> only. You can do this with a GPO. The user can't access
> the security tab then and can't change permissions. Unless
> they know how to use cacls. You could lock the permissions
> on that file as well through Group Policy.
>
> 2010/1/13 Terri Esham <terri.es...@noaa.gov>
>
> We have a Windows 2008 Domain whereby we control
> access to folders
> stored on one of the domain controllers through Active
> Directory
> groups.  When a new folder is created on the network
> file server, we
> grant full permissions to the associated active
> directory group with the
> exception of the ability to set and change permissions.
>
> We just discovered that a user can grant permissions
> to any folder that
> they create under the primary folder because they are
> the folder
> owner.   Obviously, I can change ownership to the
> domain admin, but how
> in the world would I keep up with this.  I've no idea
> when a user might
> create a sub folder.  I stumbled upon the problem
> because I found a
> folder whereby a user had granted the everyone group
> full rights.  I
> knew none of the domain admins would do that.  After
> talking with the
> owner of the folder, I found out he's been doing it
> all along.
>
> Wow!  This is a real problem for us because we want to
> control access
> through groups.  This one user had shared a bunch of
> folders using
> individual names.  Plus, he had no clue what he was
> doing and just
> granted everyone full rights.
>
> How in the world do you guys handle this?  Am I
> missing something?
>
> Thanks, Terri

RE: Users Setting NTFS Permissions

2010-01-13 Thread James Winzenz

This is what we do - we remove Creator/Owner when the server is set up, don't 
have to worry about it after that.

Thanks,
 
James Winzenz

Date: Wed, 13 Jan 2010 08:41:33 -0500
Subject: Re: Users Setting NTFS Permissions
From: jonathan.l...@gmail.com
To: ntsysadmin@lyris.sunbelt-software.com

That's because the parent folder has creator/owner permissions and any newly 
created folder is inheriting the permission from the parent.  In my FS where 
I've removed creator/owner from the parent I don't see this behavior.


On Wed, Jan 13, 2010 at 8:20 AM, James Rankin  wrote:

I normally just give the groups RWXD, but the Creator Owner privilege appears 
by default on newly created folders. Without removing the ability to create 
folders and/or run subinacl scripts to take ownership, I find removing the GUI 
to change the permissions is the easiest option.


2010/1/13 Jonathan Link

Isn't that just obfuscation?  I thought the ability to change permissions was 
granted by the Full Control right.  If that's the case, pull Creator/Owner Full 
control from your file system and reassign permissions accordingly.

On Wed, Jan 13, 2010 at 7:11 AM, James Rankin  wrote:

Prevent access to the rshx32.dll file on all your workstations and servers to 
Administrators and System only. You can do this with a GPO. The user can't 
access the security tab then and can't change permissions. Unless they know how 
to use cacls. You could lock the permissions on that file as well through Group 
Policy.


2010/1/13 Terri Esham

We have a Windows 2008 Domain whereby we control access to folders
stored on one of the domain controllers through Active Directory
groups.  When a new folder is created on the network file server, we
grant full permissions to the associated active directory group with the
exception of the ability to set and change permissions.

We just discovered that a user can grant permissions to any folder that
they create under the primary folder because they are the folder
owner.   Obviously, I can change ownership to the domain admin, but how
in the world would I keep up with this.  I've no idea when a user might
create a sub folder.  I stumbled upon the problem because I found a
folder whereby a user had granted the everyone group full rights.  I
knew none of the domain admins would do that.  After talking with the
owner of the folder, I found out he's been doing it all along.

Wow!  This is a real problem for us because we want to control access
through groups.  This one user had shared a bunch of folders using
individual names.  Plus, he had no clue what he was doing and just
granted everyone full rights.

How in the world do you guys handle this?  Am I missing something?

Thanks, Terri


Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
After testing, I concur. I'd removed Creator Owner myself from the higher
folders but didn't know that it was "inherited" - I thought Windows just
bunged it on any new folder as a default permission.

I stand corrected :-)

2010/1/13 Jonathan Link 

> That's because the parent folder has creator/owner permissions and any
> newly created folder is inheriting the permission from the parent.  In my
> FS where I've removed creator/owner from the parent I don't see this
> behavior.
>
>
> On Wed, Jan 13, 2010 at 8:20 AM, James Rankin wrote:
>
>> I normally just give the groups RWXD, but the Creator Owner privilege
>> appears by default on newly created folders. Without removing the ability to
>> create folders and/or run subinacl scripts to take ownership, I find
>> removing the GUI to change the permissions is the easiest option.
>>
>> 2010/1/13 Jonathan Link 
>>
>>> Isn't that just obfuscation?  I thought the ability to change permissions
>>> was granted by the Full Control right.  If that's the case, pull
>>> Creator/Owner Full control from your file system and reassign permissions
>>> accordingly.
>>>
>>>
>>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>>
>>>> Prevent access to the rshx32.dll file on all your workstations and
>>>> servers to Administrators and System only. You can do this with a GPO. The
>>>> user can't access the security tab then and can't change permissions. Unless
>>>> they know how to use cacls. You could lock the permissions on that file as
>>>> well through Group Policy.
>>>>
>>>> 2010/1/13 Terri Esham
>>>>
>>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>>> stored on one of the domain controllers through Active Directory
>>>>> groups.  When a new folder is created on the network file server, we
>>>>> grant full permissions to the associated active directory group with the
>>>>> exception of the ability to set and change permissions.
>>>>>
>>>>> We just discovered that a user can grant permissions to any folder that
>>>>> they create under the primary folder because they are the folder
>>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>>> in the world would I keep up with this.  I've no idea when a user might
>>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>>> folder whereby a user had granted the everyone group full rights.  I
>>>>> knew none of the domain admins would do that.  After talking with the
>>>>> owner of the folder, I found out he's been doing it all along.
>>>>>
>>>>> Wow!  This is a real problem for us because we want to control access
>>>>> through groups.  This one user had shared a bunch of folders using
>>>>> individual names.  Plus, he had no clue what he was doing and just
>>>>> granted everyone full rights.
>>>>>
>>>>> How in the world do you guys handle this?  Am I missing something?
>>>>>
>>>>> Thanks, Terri


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


Re: Users Setting NTFS Permissions

2010-01-13 Thread Jonathan Link
That's because the parent folder has creator/owner permissions and any newly
created folder is inheriting the permission from the parent.  In my FS
where I've removed creator/owner from the parent I don't see this behavior.

On Wed, Jan 13, 2010 at 8:20 AM, James Rankin  wrote:

> I normally just give the groups RWXD, but the Creator Owner privilege
> appears by default on newly created folders. Without removing the ability to
> create folders and/or run subinacl scripts to take ownership, I find
> removing the GUI to change the permissions is the easiest option.
>
> 2010/1/13 Jonathan Link 
>
>> Isn't that just obfuscation?  I thought the ability to change permissions
>> was granted by the Full Control right.  If that's the case, pull
>> Creator/Owner Full control from your file system and reassign permissions
>> accordingly.
>>
>>
>> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>>
>>> Prevent access to the rshx32.dll file on all your workstations and
>>> servers to Administrators and System only. You can do this with a GPO. The
>>> user can't access the security tab then and can't change permissions. Unless
>>> they know how to use cacls. You could lock the permissions on that file as
>>> well through Group Policy.
>>>
>>> 2010/1/13 Terri Esham
>>>
>>>> We have a Windows 2008 Domain whereby we control access to folders
>>>> stored on one of the domain controllers through Active Directory
>>>> groups.  When a new folder is created on the network file server, we
>>>> grant full permissions to the associated active directory group with the
>>>> exception of the ability to set and change permissions.
>>>>
>>>> We just discovered that a user can grant permissions to any folder that
>>>> they create under the primary folder because they are the folder
>>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>>> in the world would I keep up with this.  I've no idea when a user might
>>>> create a sub folder.  I stumbled upon the problem because I found a
>>>> folder whereby a user had granted the everyone group full rights.  I
>>>> knew none of the domain admins would do that.  After talking with the
>>>> owner of the folder, I found out he's been doing it all along.
>>>>
>>>> Wow!  This is a real problem for us because we want to control access
>>>> through groups.  This one user had shared a bunch of folders using
>>>> individual names.  Plus, he had no clue what he was doing and just
>>>> granted everyone full rights.
>>>>
>>>> How in the world do you guys handle this?  Am I missing something?
>>>>
>>>> Thanks, Terri


Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
I normally just give the groups RWXD, but the Creator Owner privilege
appears by default on newly created folders. Without removing the ability to
create folders and/or run subinacl scripts to take ownership, I find
removing the GUI to change the permissions is the easiest option.

2010/1/13 Jonathan Link 

> Isn't that just obfuscation?  I thought the ability to change permissions
> was granted by the Full Control right.  If that's the case, pull
> Creator/Owner Full control from your file system and reassign permissions
> accordingly.
>
>
> On Wed, Jan 13, 2010 at 7:11 AM, James Rankin wrote:
>
>> Prevent access to the rshx32.dll file on all your workstations and servers
>> to Administrators and System only. You can do this with a GPO. The user
>> can't access the security tab then and can't change permissions. Unless they
>> know how to use cacls. You could lock the permissions on that file as well
>> through Group Policy.
>>
>> 2010/1/13 Terri Esham 
>>
>>> We have a Windows 2008 Domain whereby we control access to folders
>>> stored on one of the domain controllers through Active Directory
>>> groups.  When a new folder is created on the network file server, we
>>> grant full permissions to the associated active directory group with the
>>> exception of the ability to set and change permissions.
>>>
>>> We just discovered that a user can grant permissions to any folder that
>>> they create under the primary folder because they are the folder
>>> owner.   Obviously, I can change ownership to the domain admin, but how
>>> in the world would I keep up with this.  I've no idea when a user might
>>> create a sub folder.  I stumbled upon the problem because I found a
>>> folder whereby a user had granted the everyone group full rights.  I
>>> knew none of the domain admins would do that.  After talking with the
>>> owner of the folder, I found out he's been doing it all along.
>>>
>>> Wow!  This is a real problem for us because we want to control access
>>> through groups.  This one user had shared a bunch of folders using
>>> individual names.  Plus, he had no clue what he was doing and just
>>> granted everyone full rights.
>>>
>>> How in the world do you guys handle this?  Am I missing something?
>>>
>>> Thanks, Terri


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


Re: Users Setting NTFS Permissions

2010-01-13 Thread Jonathan Link
Isn't that just obfuscation?  I thought the ability to change permissions
was granted by the Full Control right.  If that's the case, pull
Creator/Owner Full control from your file system and reassign permissions
accordingly.

On Wed, Jan 13, 2010 at 7:11 AM, James Rankin  wrote:

> Prevent access to the rshx32.dll file on all your workstations and servers
> to Administrators and System only. You can do this with a GPO. The user
> can't access the security tab then and can't change permissions. Unless they
> know how to use cacls. You could lock the permissions on that file as well
> through Group Policy.
>
> 2010/1/13 Terri Esham 
>
>> We have a Windows 2008 Domain whereby we control access to folders
>> stored on one of the domain controllers through Active Directory
>> groups.  When a new folder is created on the network file server, we
>> grant full permissions to the associated active directory group with the
>> exception of the ability to set and change permissions.
>>
>> We just discovered that a user can grant permissions to any folder that
>> they create under the primary folder because they are the folder
>> owner.   Obviously, I can change ownership to the domain admin, but how
>> in the world would I keep up with this.  I've no idea when a user might
>> create a sub folder.  I stumbled upon the problem because I found a
>> folder whereby a user had granted the everyone group full rights.  I
>> knew none of the domain admins would do that.  After talking with the
>> owner of the folder, I found out he's been doing it all along.
>>
>> Wow!  This is a real problem for us because we want to control access
>> through groups.  This one user had shared a bunch of folders using
>> individual names.  Plus, he had no clue what he was doing and just
>> granted everyone full rights.
>>
>> How in the world do you guys handle this?  Am I missing something?
>>
>> Thanks, Terri
>>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."

Re: Users Setting NTFS Permissions

2010-01-13 Thread James Rankin
Prevent access to the rshx32.dll file on all your workstations and servers
to Administrators and System only. You can do this with a GPO. The user
can't access the security tab then and can't change permissions. Unless they
know how to use cacls. You could lock the permissions on that file as well
through Group Policy.

2010/1/13 Terri Esham 

> We have a Windows 2008 Domain whereby we control access to folders
> stored on one of the domain controllers through Active Directory
> groups.  When a new folder is created on the network file server, we
> grant full permissions to the associated active directory group with the
> exception of the ability to set and change permissions.
>
> We just discovered that a user can grant permissions to any folder that
> they create under the primary folder because they are the folder
> owner.   Obviously, I can change ownership to the domain admin, but how
> in the world would I keep up with this.  I've no idea when a user might
> create a sub folder.  I stumbled upon the problem because I found a
> folder whereby a user had granted the everyone group full rights.  I
> knew none of the domain admins would do that.  After talking with the
> owner of the folder, I found out he's been doing it all along.
>
> Wow!  This is a real problem for us because we want to control access
> through groups.  This one user had shared a bunch of folders using
> individual names.  Plus, he had no clue what he was doing and just
> granted everyone full rights.
>
> How in the world do you guys handle this?  Am I missing something?
>
> Thanks, Terri
>
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


Users Setting NTFS Permissions

2010-01-13 Thread Terri Esham
We have a Windows 2008 Domain whereby we control access to folders
stored on one of the domain controllers through Active Directory
groups.  When a new folder is created on the network file server, we
grant full permissions to the associated active directory group with the
exception of the ability to set and change permissions. 

We just discovered that a user can grant permissions to any folder that
they create under the primary folder because they are the folder
owner.   Obviously, I can change ownership to the domain admin, but how
in the world would I keep up with this.  I've no idea when a user might
create a sub folder.  I stumbled upon the problem because I found a
folder whereby a user had granted the everyone group full rights.  I
knew none of the domain admins would do that.  After talking with the
owner of the folder, I found out he's been doing it all along.

Wow!  This is a real problem for us because we want to control access
through groups.  This one user had shared a bunch of folders using
individual names.  Plus, he had no clue what he was doing and just
granted everyone full rights.

How in the world do you guys handle this?  Am I missing something?

Thanks, Terri
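
One way to find the drift described in this message, as an added example that is not from the thread: the function walks a share tree and reports folders whose owner is outside an approved list, plus explicit (non-inherited) Allow ACEs for identities outside an approved list, such as Everyone or individual user accounts. `Find-AclDrift`, its parameters and the CONTOSO names are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. The function name, parameter names and
# the CONTOSO identities in the usage comment are placeholders to adapt.
function Find-AclDrift {
    [CmdletBinding()]
    param(
        # Top of the share tree to inspect.
        [Parameter(Mandatory = $true)] [string] $Root,
        # Identities that may legitimately appear in explicit ACEs.
        [Parameter(Mandatory = $true)] [string[]] $ApprovedIdentities,
        # Expected owners. Any other owner can rewrite the folder's DACL.
        [string[]] $ApprovedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # The root itself plus every directory below it.
    $children = @(Get-ChildItem -LiteralPath $Root -Recurse -Directory `
                    -ErrorAction SilentlyContinue -ErrorVariable walkErrors)
    foreach ($err in $walkErrors) {
        Write-Warning "Skipped during walk: $($err.Exception.Message)"
    }
    $folders = @(Get-Item -LiteralPath $Root -ErrorAction Stop) + $children

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            continue
        }

        # The owner implicitly holds READ_CONTROL and WRITE_DAC, so a folder
        # owned by an ordinary user can be re-permissioned by that user even
        # when no ACE grants "Change permissions".
        if ($ApprovedOwners -notcontains $acl.Owner) {
            [pscustomobject]@{
                Path     = $folder.FullName
                Finding  = 'UnexpectedOwner'
                Identity = $acl.Owner
                Rights   = 'implicit WRITE_DAC'
            }
        }

        foreach ($ace in $acl.Access) {
            # Inherited ACEs come from the parent that the admins control;
            # only ACEs set directly on this folder indicate local changes.
            if ($ace.IsInherited) { continue }
            if ($ace.AccessControlType -ne
                [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            $identity = $ace.IdentityReference.Value
            if ($ApprovedIdentities -contains $identity) { continue }

            [pscustomobject]@{
                Path     = $folder.FullName
                Finding  = 'UnapprovedExplicitAce'
                Identity = $identity
                Rights   = $ace.FileSystemRights.ToString()
            }
        }
    }
}

# Example run (constructed path and group names):
# Find-AclDrift -Root 'D:\Shares\Finance' `
#     -ApprovedIdentities 'CONTOSO\Finance-Staff', 'BUILTIN\Administrators',
#                         'NT AUTHORITY\SYSTEM', 'CREATOR OWNER' |
#     Sort-Object Path | Format-Table -AutoSize
```

Run on a schedule, the output gives a list of folders to re-own or re-permission instead of relying on stumbling across them.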



RE: NTFS permissions issue

2009-10-12 Thread Hilderbrand, Doug
Make a batch file using xcacls.exe from the Microsoft resource kit. It dates 
back to NT4 days, but still works great. 




-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, October 12, 2009 11:00 AM
To: NT System Admin Issues
Subject: Re: NTFS permissions issue

On Mon, Oct 12, 2009 at 10:29, Ben Scott  wrote:
> On Mon, Oct 12, 2009 at 1:16 PM, jesse-r...@wi.rr.com 
>  wrote:
>> Is there ANY WAY I can set up the subfolders so that when I create new 
>> department folders, I can copy another folder's subfolders into the 
>> newly created folder, and NOT have the subfolder's copied permissions 
>> get overwritten by the folder inheritance of the newly created 
>> departmental folder?
>
>  "ROBOCOPY /COPYALL" will copy permissions to the target.

That'll work, but if the two departments need the permissions to be in the same 
style but with different groups, that's not the way to fly.

For instance, if directory1 needs permissions for managers and staff of 
department1, but directory2 needs permissions for managers and staff of 
department2, robocopy won't do the trick.

Fileacl and others will allow you to export the permissions from old directory, 
search/replace for directories and groups, then apply the massaged permissions 
to the new directory.

Kurt






Re: NTFS permissions issue

2009-10-12 Thread Kurt Buff
On Mon, Oct 12, 2009 at 10:29, Ben Scott  wrote:
> On Mon, Oct 12, 2009 at 1:16 PM, jesse-r...@wi.rr.com
>  wrote:
>> Is there ANY WAY I can set up the subfolders so that when
>> I create new department folders, I can copy another folder's
>> subfolders into the newly created folder, and NOT have the
>> subfolder's copied permissions get overwritten by the folder
>> inheritance of the newly created departmental folder?
>
>  "ROBOCOPY /COPYALL" will copy permissions to the target.

That'll work, but if the two departments need the permissions to be in
the same style but with different groups, that's not the way to fly.

For instance, if directory1 needs permissions for managers and staff
of department1, but directory2 needs permissions for managers and
staff of department2, robocopy won't do the trick.

Fileacl and others will allow you to export the permissions from old
directory, search/replace for directories and groups, then apply the
massaged permissions to the new directory.

Kurt
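
The export, search/replace, apply sequence described above can also be done from PowerShell with the .NET security classes. This is an added example, not fileacl.exe and not code from the thread; `Copy-TemplateAcl`, its parameters, the `D:\Shares` path and the CONTOSO group names are assumptions. It copies only the template's explicit ACEs, swaps group SIDs according to the map, and keeps the template's "block inheritance" setting.

```powershell
# Added example, not from the thread. Names and paths are placeholders.
function Copy-TemplateAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder whose permissions serve as the pattern.
        [Parameter(Mandatory = $true)] [string] $TemplatePath,
        # Existing folder that should receive the rewritten permissions.
        [Parameter(Mandatory = $true)] [string] $TargetPath,
        # Old group name -> new group name.
        [hashtable] $GroupMap = @{}
    )

    $access  = [System.Security.AccessControl.AccessControlSections]::Access
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Resolve every name to a SID first, so a mistyped group throws here,
    # before anything is written to the target.
    $sidMap = @{}
    foreach ($oldName in $GroupMap.Keys) {
        $oldAcct = New-Object System.Security.Principal.NTAccount -ArgumentList ([string]$oldName)
        $newAcct = New-Object System.Security.Principal.NTAccount -ArgumentList ([string]$GroupMap[$oldName])
        $sidMap[$oldAcct.Translate($sidType).Value] = $newAcct.Translate($sidType)
    }

    # "Export": the template's DACL in SDDL text form, parsed into ACE objects.
    $src     = Get-Acl -LiteralPath $TemplatePath -ErrorAction Stop
    $srcSddl = $src.GetSecurityDescriptorSddlForm($access)
    $raw     = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $srcSddl
    $dacl    = $raw.DiscretionaryAcl
    if ($null -eq $dacl) { throw "Template $TemplatePath has no DACL to copy." }

    # "Search/replace": walk backwards so removals do not shift the index.
    for ($i = $dacl.Count - 1; $i -ge 0; $i--) {
        $ace = $dacl[$i]
        # Inherited ACEs belong to the template's parent, not to the pattern;
        # the target picks up its own parent's ACEs when the DACL is written.
        if ($ace.IsInherited) { $dacl.RemoveAce($i); continue }
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $current = $ace.SecurityIdentifier.Value
        if ($sidMap.ContainsKey($current)) {
            $ace.SecurityIdentifier = $sidMap[$current]
        }
    }
    $newSddl = $raw.GetSddlForm($access)

    # "Apply": replace only the DACL on the target; owner and SACL stay as is.
    if ($PSCmdlet.ShouldProcess($TargetPath, "Apply DACL $newSddl")) {
        $dst = Get-Acl -LiteralPath $TargetPath -ErrorAction Stop
        $dst.SetSecurityDescriptorSddlForm($newSddl, $access)
        # Mirror the template: if it blocks inheritance, the target does too.
        $dst.SetAccessRuleProtection($src.AreAccessRulesProtected, $false)
        Set-Acl -LiteralPath $TargetPath -AclObject $dst -ErrorAction Stop
    }

    # Return the SDDL that was (or, with -WhatIf, would be) applied.
    $newSddl
}

# Example run (constructed path and group names); -WhatIf previews the SDDL:
# Copy-TemplateAcl -TemplatePath 'D:\Shares\department1\subfolder1' `
#     -TargetPath 'D:\Shares\department2\subfolder1' `
#     -GroupMap @{ 'CONTOSO\Dept1-Managers' = 'CONTOSO\Dept2-Managers'
#                  'CONTOSO\Dept1-Staff'    = 'CONTOSO\Dept2-Staff' } -WhatIf
```

Because the rights masks are carried over untouched in the ACE objects, entries that hold generic rights (common on CREATOR OWNER) survive the round trip.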




RE: NTFS permissions issue

2009-10-12 Thread Maglinger, Paul
Never tried it, but would robocopy do the job? 

-Original Message-
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] 
Sent: Monday, October 12, 2009 12:20 PM
To: NT System Admin Issues
Subject: RE: NTFS permissions issue


PS - I even tried setting the permissions on the department folders to
FOLDER ONLY permissions (for applies onto), and the permissions from the
department folder were STILL pushed down to the subfolders underneath it
when I copied the subfolder1 and subfolder2 over (removing the original
permissions of those 2 folders).



Original Message:
-
From: jesse-r...@wi.rr.com jesse-r...@wi.rr.com
Date: Mon, 12 Oct 2009 13:16:19 -0400
To: ntsysadmin@lyris.sunbelt-software.com
Subject: NTFS permissions issue



trying to figure out a way to accomplish this...

I have a folder structure as follows

-department1
--subfolder1
--subfolder2

-department2
--subfolder1
--subfolder2

.etc

The permissions on the subfolders are very specific and they take a
while to set up.  Each time I create a new department folder (and there
are TONS of them) I create the 2 subfolders underneath it and have to
manually set the permissions on them (which is a pain).  Is there ANY WAY I
can set up the subfolders so that when I create new department folders, I
can copy another folder's subfolders into the newly created folder, and NOT
have the subfolder's copied permissions get overwritten by the folder
inheritance of the newly created departmental folder?   (copying folders
ALWAYS inherits the permissions of the parent folder they are copied to...
and I do NOT have the option to "move" the folder either).

If I didn't explain this well, please let me know.
J








Re: NTFS permissions issue

2009-10-12 Thread Ben Scott
On Mon, Oct 12, 2009 at 1:16 PM, jesse-r...@wi.rr.com
 wrote:
> Is there ANY WAY I can set up the subfolders so that when
> I create new department folders, I can copy another folder's
> subfolders into the newly created folder, and NOT have the
> subfolder's copied permissions get overwritten by the folder
> inheritance of the newly created departmental folder?

  "ROBOCOPY /COPYALL" will copy permissions to the target.

-- Ben



Re: NTFS permissions issue

2009-10-12 Thread Kurt Buff
There are several tools that can export permissions on an existing
directory structure into a text format.

You can then edit that file, and apply it to the new director[y|ies].

My favorite is fileacl.exe, but there are others.

Kurt

On Mon, Oct 12, 2009 at 10:19, jesse-r...@wi.rr.com
 wrote:
>
> PS - I even tried setting the permissions on the department folders to
> FOLDER ONLY permissions (for applies onto), and the permissions from the
> department folder were STILL pushed down to the subfolders underneath it
> when I copied the subfolder1 and subfolder2 over (removing the original
> permissions of those 2 folders).
>
>
>
> Original Message:
> -
> From: jesse-r...@wi.rr.com jesse-r...@wi.rr.com
> Date: Mon, 12 Oct 2009 13:16:19 -0400
> To: ntsysadmin@lyris.sunbelt-software.com
> Subject: NTFS permissions issue
>
>
>
> trying to figure out a way to accomplish this...
>
> I have a folder structure as follows
>
> -department1
> --subfolder1
> --subfolder2
>
> -department2
> --subfolder1
> --subfolder2
>
> .etc
>
> The permissions on the subfolders are very specific and they take a
> while to set up.  Each time I create a new department folder (and there
> are TONS of them) I create the 2 subfolders underneath it and have to
> manually set the permissions on them (which is a pain).  Is there ANY WAY I
> can set up the subfolders so that when I create new department folders, I
> can copy another folder's subfolders into the newly created folder, and NOT
> have the subfolder's copied permissions get overwritten by the folder
> inheritance of the newly created departmental folder?   (copying folders
> ALWAYS inherits the permissions of the parent folder they are copied to...
> and I do NOT have the option to "move" the folder either).
>
> If I didn't explain this well, please let me know.
> J



RE: NTFS permissions issue

2009-10-12 Thread Kennedy, Jim
Set up one set of empty dummy folders with the perms you need, somewhere else 
outside this folder setup. Rename them to the new department as you need them 
and robocopy them to the real destination. Rinse, Lather, Repeat for each 
department.



-Original Message-
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] 
Sent: Monday, October 12, 2009 1:20 PM
To: NT System Admin Issues
Subject: RE: NTFS permissions issue


PS - I even tried setting the permissions on the department folders to
FOLDER ONLY permissions (for applies onto), and the permissions from the
department folder were STILL pushed down to the subfolders underneath it
when I copied the subfolder1 and subfolder2 over (removing the original
permissions of those 2 folders).



Original Message:
-
From: jesse-r...@wi.rr.com jesse-r...@wi.rr.com
Date: Mon, 12 Oct 2009 13:16:19 -0400
To: ntsysadmin@lyris.sunbelt-software.com
Subject: NTFS permissions issue



trying to figure out a way to accomplish this...

I have a folder structure as follows

-department1
--subfolder1
--subfolder2

-department2
--subfolder1
--subfolder2

.etc

The permissions on the subfolders are very specific and they take a
while to set up.  Each time I create a new department folder (and there
are TONS of them) I create the 2 subfolders underneath it and have to
manually set the permissions on them (which is a pain).  Is there ANY WAY I
can set up the subfolders so that when I create new department folders, I
can copy another folder's subfolders into the newly created folder, and NOT
have the subfolder's copied permissions get overwritten by the folder
inheritance of the newly created departmental folder?   (copying folders
ALWAYS inherits the permissions of the parent folder they are copied to...
and I do NOT have the option to "move" the folder either).

If I didn't explain this well, please let me know.
J








RE: NTFS permissions issue

2009-10-12 Thread jesse-r...@wi.rr.com

PS - I even tried setting the permissions on the department folders to
FOLDER ONLY permissions (for applies onto), and the permissions from the
department folder were STILL pushed down to the subfolders underneath it
when I copied the subfolder1 and subfolder2 over (removing the original
permissions of those 2 folders).



Original Message:
-
From: jesse-r...@wi.rr.com jesse-r...@wi.rr.com
Date: Mon, 12 Oct 2009 13:16:19 -0400
To: ntsysadmin@lyris.sunbelt-software.com
Subject: NTFS permissions issue



trying to figure out a way to accomplish this...

I have a folder structure as follows

-department1
--subfolder1
--subfolder2

-department2
--subfolder1
--subfolder2

.etc

The permissions on the subfolders are very specific and they take a
while to set up.  Each time I create a new department folder (and there
are TONS of them) I create the 2 subfolders underneath it and have to
manually set the permissions on them (which is a pain).  Is there ANY WAY I
can set up the subfolders so that when I create new department folders, I
can copy another folder's subfolders into the newly created folder, and NOT
have the subfolder's copied permissions get overwritten by the folder
inheritance of the newly created departmental folder?   (copying folders
ALWAYS inherits the permissions of the parent folder they are copied to...
and I do NOT have the option to "move" the folder either).

If I didn't explain this well, please let me know.
J








NTFS permissions issue

2009-10-12 Thread jesse-r...@wi.rr.com

trying to figure out a way to accomplish this...

I have a folder structure as follows

-department1
--subfolder1
--subfolder2

-department2
--subfolder1
--subfolder2

.etc

The permissions on the subfolders are very specific and they take a
while to set up.  Each time I create a new department folder (and there
are TONS of them) I create the 2 subfolders underneath it and have to
manually set the permissions on them (which is a pain).  Is there ANY WAY I
can set up the subfolders so that when I create new department folders, I
can copy another folder's subfolders into the newly created folder, and NOT
have the subfolder's copied permissions get overwritten by the folder
inheritance of the newly created departmental folder?   (copying folders
ALWAYS inherits the permissions of the parent folder they are copied to...
and I do NOT have the option to "move" the folder either).

If I didn't explain this well, please let me know.
J








RE: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-09 Thread Klint Price
Some of us still have entry level techs.  I would rather make it harder to get 
it to work, than have an "oops, everyone now has full rights to the CEO's 
personal folder".  On the rare occasion that a tech goofs on permissions, they 
have to goof twice if using shares.

-Original Message-
From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Friday, September 04, 2009 12:47 AM
To: NT System Admin Issues
Subject: Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk 
to Another

Whoa! Someone uses share permissions?

I thought share permissions were just a hangover from the Win9x days
(or when people installed NT4 with FAT32 file system instead of NTFS)
to provide some security for those systems that couldn't do it on a
file level.

I'd use this opportunity to knock the share permissions on the head
and drop them to Everyone:Full Control. They generally end up as the
reason you can't work out why someone can't access a file.

2009/9/3 Terri Esham :
> What is the best free tool to copy share and NTFS permissions from one
> SAN disk to another.  I have already tried Robocopy and it did copy the
> NTFS permission but not the Share permissions.  I need to move a large
> amount of folders from one SAN disk to another and I don't want to have
> to recreate all the shares.
>
> The file server is running Windows 2008 Standard Server, SP2, all
> critical updates installed.
>
> Any help will be greatly appreciated.
>
> Thanks, Terri
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that
could provoke such a question."

http://raythestray.blogspot.com




Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-08 Thread Andrew S. Baker
I set up a share for the Temp folder on my 2008 system and it only gave me
Administrator:F

I did a couple others just now, and they behaved as 2003 does, and as your
example shows below.

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Sep 8, 2009 at 11:21 AM, Ken Schaefer  wrote:

> ?
>
>
>
>
>
> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
> *Sent:* Tuesday, 8 September 2009 10:00 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Free Utility to Copy Share and NTFS Permissions from One
> SAN Disk to Another
>
>
>
> By default, 2008 shares them as Administrator:F and nothing else.  :)
>
> -*ASB*: http://xeesm.com/AndrewBaker
>  Providing Competitive Advantage through Effective IT Leadership
>


RE: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-08 Thread Ken Schaefer
Fair enough. But unless you enable the Guest account (or are worried it may be 
enabled), you aren't achieving anything AFAIK, except causing work for yourself.

Cheers
Ken

-Original Message-
From: Michael Leone [mailto:oozerd...@gmail.com] 
Sent: Tuesday, 8 September 2009 11:32 PM
To: NT System Admin Issues
Subject: Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk 
to Another

On Tue, Sep 8, 2009 at 12:47 AM, Ken Schaefer wrote:
> Win2k3 shares folders as Everyone: R

We always change that to AUTHENTICATED USERS, rather than EVERYONE.




Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-08 Thread James Rankin
I think it's been mentioned before that in Windows 2003, there is little or
no difference between Authenticated Users and Everyone now... can't remember
the exact technical details offhand though :-(

2009/9/8 Michael Leone 

> On Tue, Sep 8, 2009 at 12:47 AM, Ken Schaefer wrote:
> > Win2k3 shares folders as Everyone: R
>
> We always change that to AUTHENTICATED USERS, rather than EVERYONE.
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

http://raythestray.blogspot.com


Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-08 Thread Michael Leone
On Tue, Sep 8, 2009 at 12:47 AM, Ken Schaefer wrote:
> Win2k3 shares folders as Everyone: R

We always change that to AUTHENTICATED USERS, rather than EVERYONE.



RE: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-08 Thread Ken Schaefer
?


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, 8 September 2009 10:00 PM
To: NT System Admin Issues
Subject: Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk 
to Another

By default, 2008 shares them as Administrator:F and nothing else.  :)

-ASB: http://xeesm.com/AndrewBaker
 Providing Competitive Advantage through Effective IT Leadership





Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-08 Thread Andrew S. Baker
By default, 2008 shares them as Administrator:F and nothing else.  :)

-*ASB*: http://xeesm.com/AndrewBaker
 Providing Competitive Advantage through Effective IT Leadership


On Tue, Sep 8, 2009 at 12:47 AM, Ken Schaefer  wrote:

> Win2k3 shares folders as Everyone: R
>
> Doesn't Win2k8 do the same?
>
> Cheers
> Ken
>
> -Original Message-
> From: Steven M. Caesare [mailto:scaes...@caesare.com]
> Sent: Friday, 4 September 2009 9:19 PM
> To: NT System Admin Issues
> Subject: RE: Free Utility to Copy Share and NTFS Permissions from One SAN
> Disk to Another
>
> Which reminds me: the default closed share perms on new shares in Win2K8
> are annoying.
>
> -sc
>
> > -Original Message-
> > From: James Rankin [mailto:kz2...@googlemail.com]
> > Sent: Friday, September 04, 2009 3:47 AM
> > To: NT System Admin Issues
> > Subject: Re: Free Utility to Copy Share and NTFS Permissions from One
> > SAN Disk to Another
> >
> > Whoa! Someone uses share permissions?
> >
> > I thought share permissions were just a hangover from the Win9x days
> > (or when people installed NT4 with FAT32 file system instead of NTFS)
> > to provide some security for those systems that couldn't do it on a
> > file level.
> >
> > I'd use this opportunity to knock the share permissions on the head
> > and drop them to Everyone:Full Control. They generally end up as the
> > reason you can't work out why someone can't access a file.
> >
> > 2009/9/3 Terri Esham :
> > > What is the best free tool to copy share and NTFS permissions from one
> > > SAN disk to another.  I have already tried Robocopy and it did copy the
> > > NTFS permission but not the Share permissions.  I need to move a large
> > > amount of folders from one SAN disk to another and I don't want to have
> > > to recreate all the shares.
> > >
> > > The file server is running Windows 2008 Standard Server, SP2, all
> > > critical updates installed.
> > >
> > > Any help will be greatly appreciated.
> > >
> > > Thanks, Terri
>


Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-08 Thread Andrew S. Baker
I personally prefer it.   I like it since 2003 made the default for everyone
READ rather than FULL

I'll go against the conventional wisdom and say that I like the additional
layers offered by having the option for both SHARE and FILE perms.

-*ASB*: http://xeesm.com/AndrewBaker
 Providing Competitive Advantage through Effective IT Leadership



On Fri, Sep 4, 2009 at 9:19 AM, Steven M. Caesare wrote:

> Which reminds me: the default closed share perms on new shares in Win2K8
> are annoying.
>
> -sc
>
> > -Original Message-
> > From: James Rankin [mailto:kz2...@googlemail.com]
> > Sent: Friday, September 04, 2009 3:47 AM
> > To: NT System Admin Issues
> > Subject: Re: Free Utility to Copy Share and NTFS Permissions from One
> > SAN Disk to Another
> >
> > Whoa! Someone uses share permissions?
> >
> > I thought share permissions were just a hangover from the Win9x days
> > (or when people installed NT4 with FAT32 file system instead of NTFS)
> > to provide some security for those systems that couldn't do it on a
> > file level.
> >
> > I'd use this opportunity to knock the share permissions on the head
> > and drop them to Everyone:Full Control. They generally end up as the
> > reason you can't work out why someone can't access a file.
> >
> > 2009/9/3 Terri Esham :
> > > What is the best free tool to copy share and NTFS permissions from one
> > > SAN disk to another.  I have already tried Robocopy and it did copy the
> > > NTFS permission but not the Share permissions.  I need to move a large
> > > amount of folders from one SAN disk to another and I don't want to have
> > > to recreate all the shares.
> > >
> > > The file server is running Windows 2008 Standard Server, SP2, all
> > > critical updates installed.
> > >
> > > Any help will be greatly appreciated.
> > >
> > > Thanks, Terri
> > >
>
>


Re: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-07 Thread Jon Harris
I believe that is correct.  I agree I also agree to just set all permissions
to something similar to Everyone F, but I usually set them to domain users
full not everyone.

Jon

On Tue, Sep 8, 2009 at 12:47 AM, Ken Schaefer  wrote:

> Win2k3 shares folders as Everyone: R
>
> Doesn't Win2k8 do the same?
>
> Cheers
> Ken
>
> -Original Message-
> From: Steven M. Caesare [mailto:scaes...@caesare.com]
> Sent: Friday, 4 September 2009 9:19 PM
> To: NT System Admin Issues
>  Subject: RE: Free Utility to Copy Share and NTFS Permissions from One SAN
> Disk to Another
>
> Which reminds me: the default closed share perms on new shares in Win2K8
> are annoying.
>
> -sc
>
> > -Original Message-
> > From: James Rankin [mailto:kz2...@googlemail.com]
> > Sent: Friday, September 04, 2009 3:47 AM
> > To: NT System Admin Issues
> > Subject: Re: Free Utility to Copy Share and NTFS Permissions from One
> > SAN Disk to Another
> >
> > Whoa! Someone uses share permissions?
> >
> > I thought share permissions were just a hangover from the Win9x days
> > (or when people installed NT4 with FAT32 file system instead of NTFS)
> > to provide some security for those systems that couldn't do it on a
> > file level.
> >
> > I'd use this opportunity to knock the share permissions on the head
> > and drop them to Everyone:Full Control. They generally end up as the
> > reason you can't work out why someone can't access a file.
> >
> > 2009/9/3 Terri Esham :
> > > What is the best free tool to copy share and NTFS permissions from one
> > > SAN disk to another.  I have already tried Robocopy and it did copy the
> > > NTFS permission but not the Share permissions.  I need to move a large
> > > amount of folders from one SAN disk to another and I don't want to have
> > > to recreate all the shares.
> > >
> > > The file server is running Windows 2008 Standard Server, SP2, all
> > > critical updates installed.
> > >
> > > Any help will be greatly appreciated.
> > >
> > > Thanks, Terri
>
>

RE: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-07 Thread Ken Schaefer
Win2k3 shares folders as Everyone: R

Doesn't Win2k8 do the same? 

Cheers
Ken

-Original Message-
From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Friday, 4 September 2009 9:19 PM
To: NT System Admin Issues
Subject: RE: Free Utility to Copy Share and NTFS Permissions from One SAN Disk 
to Another

Which reminds me: the default closed share perms on new shares in Win2K8 are 
annoying.

-sc

> -Original Message-
> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: Friday, September 04, 2009 3:47 AM
> To: NT System Admin Issues
> Subject: Re: Free Utility to Copy Share and NTFS Permissions from One 
> SAN Disk to Another
> 
> Whoa! Someone uses share permissions?
> 
> I thought share permissions were just a hangover from the Win9x days 
> (or when people installed NT4 with FAT32 file system instead of NTFS) 
> to provide some security for those systems that couldn't do it on a 
> file level.
> 
> I'd use this opportunity to knock the share permissions on the head 
> and drop them to Everyone:Full Control. They generally end up as the 
> reason you can't work out why someone can't access a file.
> 
> 2009/9/3 Terri Esham :
> > What is the best free tool to copy share and NTFS permissions from one
> > SAN disk to another.  I have already tried Robocopy and it did copy the
> > NTFS permission but not the Share permissions.  I need to move a large
> > amount of folders from one SAN disk to another and I don't want to have
> > to recreate all the shares.
> >
> > The file server is running Windows 2008 Standard Server, SP2, all 
> > critical updates installed.
> >
> > Any help will be greatly appreciated.
> >
> > Thanks, Terri





RE: Free Utility to Copy Share and NTFS Permissions from One SAN Disk to Another

2009-09-04 Thread Steven M. Caesare
Which reminds me: the default closed share perms on new shares in Win2K8 are 
annoying.

-sc

> -Original Message-
> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: Friday, September 04, 2009 3:47 AM
> To: NT System Admin Issues
> Subject: Re: Free Utility to Copy Share and NTFS Permissions from One
> SAN Disk to Another
> 
> Whoa! Someone uses share permissions?
> 
> I thought share permissions were just a hangover from the Win9x days
> (or when people installed NT4 with FAT32 file system instead of NTFS)
> to provide some security for those systems that couldn't do it on a
> file level.
> 
> I'd use this opportunity to knock the share permissions on the head
> and drop them to Everyone:Full Control. They generally end up as the
> reason you can't work out why someone can't access a file.
> 
> 2009/9/3 Terri Esham :
> > What is the best free tool to copy share and NTFS permissions from one
> > SAN disk to another.  I have already tried Robocopy and it did copy the
> > NTFS permission but not the Share permissions.  I need to move a large
> > amount of folders from one SAN disk to another and I don't want to have
> > to recreate all the shares.
> >
> > The file server is running Windows 2008 Standard Server, SP2, all
> > critical updates installed.
> >
> > Any help will be greatly appreciated.
> >
> > Thanks, Terri
> >
> 
> 
> 
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
> into the machine wrong figures, will the right answers come out?' I am
> not able rightly to apprehend the kind of confusion of ideas that
> could provoke such a question."
> 
> http://raythestray.blogspot.com
> 




