Security Question

lpenrod asked:

UserA is a member of GroupA and GroupA is given all rights except Full Control to FolderA.
UserA creates a sub-folder in FolderA called SubFolderA.

UserA changes departments and is removed from GroupA.

My problem is that UserA still has Full Control (special) to SubFolderA because they are the creator/owner.

Is this right?
omegamueller:

Yes, this is right.
I hate to say it.
Netman66:
You can fix this on a schedule by running CACLS.exe and replacing the owner on certain folders with the Domain Admin group.

However, yes, this is expected.


I thought I saw some MS tool or similar that would reclaim ownership of all files/folders on a server to the built-in administrator account of that server?  Ehh...maybe I'm wrong...
lpenrod (ASKER):

When I reclaim ownership, do they lose those rights?
ASKER CERTIFIED SOLUTION
Netman66:

in domain system...

It will show the owner as "user_A", but it will lose full control (only a few permissions will remain). Full control goes to the administrative group.

But the problem is that if you set a quota, it will count the file capacity in folder_A for UserA.

Maheen

In my comment above I assumed that permissions are not inherited to Folder_A from its parent, that permissions are inherited to sub folders and files from Folder_A, and that permissions are assigned only to Administrators and GroupA (all other users and groups removed). Check with effective permissions; it will show clearly. It will work in a domain or a workgroup.

Maheen  
lpenrod (ASKER):

I took ownership of every file and folder on the system.  The users still have Special Full Control...

Thoughts?
Is this checkbox greyed out?
lpenrod (ASKER):

What box?

The original owner still shows up in the permissions list.

When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object".  Yet if I look at the parent object, they are not in the list.
Is this how you took ownership of all the files:

To take ownership of a folder, follow these steps:
1. Right-click the folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of that folder, select the Replace owner on subcontainers and objects check box.

Yes, and if you scroll down on the main security tab to the user the Special Permission checkbox should be grey.

Keep moving up the tree and checking to see where the account is.  I find it weird that the direct parent shows no sign of the user, yet it states the child is inheriting it.

Is there a hidden folder above this one that you are not seeing?

lpenrod (ASKER):

I have 3+ million files on this server.  I can't one-by-one manually take ownership.

I used subinacl.exe to take ownership.
You don't have to one-by-one.

On the server, go to the drive that houses the share and then right click on that top folder and do the steps I said in my last comment to take full ownership on every file in that share (3 mil files will take some time)...
lpenrod (ASKER):

I follow.  Trying now.
lpenrod (ASKER):

OK, I tried that on a folder and the original owner still shows up in the permissions list.

When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object".  Yet if I look at the parent object, they are not in the list.
You'll need to go to the parent folder...heck if you have to just open the D drive or whatever on the server (not the share) and do it from there.
lpenrod (ASKER):

I did it at the root of one of my smaller drives.
By right clicking the drive itself? You shouldn't even see any inherited permissions or even the checkbox for "inherit from parent" since it is the parent.
I think my comment above is difficult to understand; OK, that could be because I explained it briefly.

OK, for testing use a Windows XP workstation with NTFS, and create GroupA, userA, folderA -> sub folderA.

userA is a member of groupA (not any other group or administrative group, but if you want to log in locally with userA then add userA to the Power Users group).

Now I think folderA is created as c:\folderA, and folderA gets all the permissions belonging to the "C" drive (folderA's parent is "C"). Next you have to stop folderA inheriting permissions from its parent (the "C" drive).
folderA -> Properties -> Security -> Advanced -> Permissions -> untick "Inherit from parent..." -> in the next window click Copy.
Now permission inheritance will be stopped.

Next:
folderA -> Properties -> Security: remove all users and groups except Administrator and Administrators. Next add groupA permissions (groupA with "Full Control" or "Modify" permission).

Next log off and log in with userA locally,
and create subfolderA and copy (don't do cut and paste) some files. Now userA is the owner with full control of those files.

Next log off and log in as Administrator.

Go to folderA and its sub folders and check effective permissions (folder/file -> Properties -> Security -> Advanced -> Effective Permissions -> select userA and check its permission list). It will show as Full Control.

Next remove userA from groupA, then go to folderA and its sub folders and check permissions (effective permissions, as above). You can see userA is the owner but it doesn't have full control;
effective permissions show "Read Permissions" and "Change Permissions" for userA.

Waiting for your reply...

Maheen
I honestly don't know if you are going to be able to get around this unless you then take ownership as administrator on the folder/files in FolderA and its inherited folders.

UserA may still be the "owner" of those files, but they won't be able to do anything with them, or even get to them since you've removed their permissions.

I thought if you left them at "Modify" rights then they wouldn't get full control of any file, including ones they create.

(I'll see if I can test your setup myself in a little while)
Good morning Cleaner,

And don't forget to check with my configuration above.

Maheen
lpenrod (ASKER):

I ended up kicking "Creator Owner" from the Access Control List.  That stopped users from gaining full control to anything they create.

Next I took ownership of every file and directory.

Next I chose to "Replace permission entries on all child objects with entries shown here that apply to child objects".

That got things cleaned up.

I didn't understand what "Creator Owner" was doing.  By default it is assigned to any newly created drive.

Recommendations on assigning points?
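An added audit script, not from this thread or any participant, that checks a tree for the two things Maheen's test procedure and the asker's final fix turn on: a CREATOR OWNER entry (which hands each creator Full Control of what they create) and Allow entries granting Full Control to principals outside the administrative group, reporting the owner and whether each entry is explicit or inherited. The root path and the list of trusted principals are assumptions; it only reports and changes nothing.

```powershell
# Added example (not the thread's own code). Audits an NTFS tree for creator/owner exposure.
function Find-CreatorOwnerExposure {
    param(
        [Parameter(Mandatory)][string]$Root,   # assumed path, e.g. 'D:\Shares\FolderA'
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')  # assumed admin principals
    )
    $FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl  # 0x1F01FF
    $GenericAll  = 0x10000000   # GENERIC_ALL: how a CREATOR OWNER entry usually shows up
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who    = $ace.IdentityReference.Value
            $rights = [int]$ace.FileSystemRights
            # Full Control either as the specific-rights mask or as the generic-all bit
            $isFull = (($rights -band $FullControl) -eq $FullControl) -or (($rights -band $GenericAll) -ne 0)
            $isCreatorOwner = ($who -eq 'CREATOR OWNER')
            if (-not ($isCreatorOwner -or ($isFull -and $Trusted -notcontains $who))) { continue }
            $finding = 'Full Control held by non-administrative principal'
            if ($isCreatorOwner) { $finding = 'CREATOR OWNER entry: every creator gets these rights on new items' }
            [pscustomobject]@{
                Path      = $item.FullName
                Owner     = $acl.Owner
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Finding   = $finding
            }
        }
    }
}

# Usage (assumed path): list every finding, then the distinct paths whose explicit
# entries are the source of the inherited ones; that is where a fix has to be applied.
$findings = Find-CreatorOwnerExposure -Root 'D:\Shares\FolderA'
$findings | Format-Table Path, Owner, Identity, Inherited, Finding -AutoSize
$findings | Where-Object { -not $_.Inherited } | Select-Object -ExpandProperty Path -Unique
```

Run it before and after removing CREATOR OWNER, taking ownership and replacing child entries, as the asker did, to confirm that no inherited Full Control entries for former creators remain.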
lpenrod (ASKER):

Oops, just noticed it was forced accept.  Sorry.
Interesting that the accepted answer came after I had mentioned doing exactly what it appears you did in the end (or a manual variation).

Too bad I didn't notice this earlier.



Hi friends,

I don't worry about points...

Dear vsg375 and CetusMOD, can I refund the points? I think the points must go to Netman66.

Regards,

 Maheen

lpenrod (ASKER):

Cool with me.
Do whatever you think is fair.  I wasn't complaining - just making an observation.