lpenrod
asked on
Security Question
UserA is a member of GroupA and GroupA is given all rights except Full Control to FolderA.
UserA creates a sub-folder in FolderA called SubFolderA.
UserA changes departments and is removed from GroupA.
My problem is that UserA still has Full Control (special) to SubFolderA because they are the creator/owner.
Is this right?
You can fix this on a schedule by running CACLS.exe and replacing the owner on certain folders with the Domain Admin group.
However, yes, this is expected.
I thought I saw some MS tool or similar that would reclaim ownership of all files/folders on a server to the built-in administrator account of that server? Ehh...maybe I'm wrong...
ASKER
When I reclaim ownership, do they lose those rights?
In a domain system...
it will show the owner as "user_ A" but it will lose full control (only a few permissions will remain). Full control goes to the administrative group,
but the problem is that if you set a quota, it will count file capacity in folder_A for UserA.
Maheen
In my comment above I assumed permissions are not inherited by Folder_A from its parent, that permissions are inherited by subfolders and files from Folder_A, and that permissions are assigned only for Administrators and GroupA (all other users and groups removed). Check with Effective Permissions; it will show clearly. Domain or workgroup, it will work.
Maheen
ASKER
I took ownership of every file and folder on the system. The users still have Special Full Control...
Thoughts?
Is this checkbox greyed out?
ASKER
What box?
The original owner still shows up in the permissions list.
When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object". Yet if I look at the parent object, they are not in the list.
Is this how you took ownership of all the files:
To take ownership of a folder, follow these steps:
1. Right-click the folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of that folder, select the Replace owner on subcontainers and objects check box.
Yes, and if you scroll down on the main security tab to the user the Special Permission checkbox should be grey.
Keep moving up the tree and checking to see where the account is. I find it weird that the direct parent shows no sign of the user, yet it states the child is inheriting it.
Is there a hidden folder above this one that you are not seeing?
ASKER
I have 3+ million files on this server. I can't one-by-one manually take ownership.
I used subinacl.exe to take ownership.
You don't have to one-by-one.
On the server, go to the drive that houses the share and then right click on that top folder and do the steps I said in my last comment to take full ownership on every file in that share (3 mil files will take some time)...
ASKER
I follow. Trying now.
ASKER
OK, I tried that on a folder and the original owner still shows up in the permissions list.
When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object". Yet if I look at the parent object, they are not in the list.
You'll need to go to the parent folder...heck if you have to just open the D drive or whatever on the server (not the share) and do it from there.
ASKER
I did it at the root of one of my smaller drives.
By right-clicking the drive itself? You shouldn't even see any inherited permissions or even the checkbox for "inherit from parent" since it is the parent.
I think my comment above was difficult to understand, OK, could be because I explained briefly.
OK, for testing use a Windows XP workstation with NTFS, and create GroupA, userA, folderA -> subfolderA.
userA is a member of groupA (not any group or administrative group, but if you want to log in locally with userA then add userA to the Power Users group).
Now I think folderA is created as c:\folderA, and folderA got all the permissions belonging to the "C" drive (folderA's parent is "C"). Next you have to stop folderA inheriting permissions from its parent (the "C" drive).
folderA -> Properties -> Security -> Advanced -> Permissions -> untick "inherit from parent.." -> in the next window click Copy.
Now permission inheritance will be stopped.
Next:
folderA -> Properties -> Security, remove all users and groups except Administrator and Administrators. Next add the groupA permission (groupA with "Full Control" or "Modify" permission).
Next log off and log in with userA locally,
and create subfolderA and copy (don't do cut and paste) some files. Now userA is the owner with full control for those files.
Next log off and log in as administrator.
Go to folderA and its subfolders and check effective permissions (folder/file -> Properties -> Security -> Advanced -> Effective Permissions -> select userA and check its permission list). It will show as full control.
Next remove userA from groupA, then go to folderA and its subfolders and check permissions (as above, effective permissions). You can see userA is the owner but it doesn't have full control.
Effective permissions show "read permissions" and "change permissions" for userA.
Waiting for your reply...
Maheen
I honestly don't know if you are going to be able to get around this unless you then take ownership as administrator on the folder/files in FolderA and its inherited folders.
UserA may still be the "owner" of those files, but they won't be able to do anything with them, or even get to them since you've removed their permissions.
I thought if you left them at "Modify" rights then they wouldn't get full control of any file, including ones they create.
(I'll see if I can test your setup myself in a little while)
Good morning Cleaner,
and don't forget to check with my configuration above.
Maheen
ASKER
I ended up kicking "Creator Owner" from the Access Control List. That stopped users from gaining full control to anything they create.
Next I took ownership of every file and directory.
Next I chose to "Replace permission entries on all child objects with entries shown here that apply to child objects".
That got things cleaned up.
I didn't understand what "Creator Owner" was doing. By default it is assigned to any newly created drive.
Recommendations on assigning points?
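An added example, not from any poster in the thread: a read-only PowerShell audit for the condition the asker describes above, an inherited entry that names a user who is not in the parent's list. That pattern is what a CREATOR OWNER entry on the parent produces, because Windows substitutes the creating user's SID into the child's inherited ACE at creation time. The root path and the output file name are placeholders, and the function names are hypothetical.

```powershell
# Added example: read-only audit, it changes no ACL and no owner.
$Root = 'D:\Shares\FolderA'   # hypothetical path; point it at the share root

$CreatorOwner = 'S-1-3-0'     # well-known SID of CREATOR OWNER
$SidType      = [System.Security.Principal.SecurityIdentifier]
$parentSids   = @{}           # cache: folder path -> SIDs named in its ACL

function Get-AclSids {
    param([string]$Path)
    if (-not $parentSids.ContainsKey($Path)) {
        # Explicit and inherited ACEs, identities returned as SIDs
        $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType)
        $parentSids[$Path] = @($rules | ForEach-Object { $_.IdentityReference.Value })
    }
    $parentSids[$Path]
}

function Get-CreatorOwnerFinding {
    param([Parameter(Mandatory)][string]$Path)
    $acl       = Get-Acl -LiteralPath $Path
    $owner     = $acl.GetOwner($SidType).Value
    $fromAbove = Get-AclSids ([System.IO.Path]::GetDirectoryName($Path))
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid  = $rule.IdentityReference.Value
        $kind = if ($sid -eq $CreatorOwner) {
            'CreatorOwnerTemplate'      # will grant rights to future creators
        } elseif ($rule.IsInherited -and $fromAbove -notcontains $sid) {
            'GrantStampedAtCreation'    # inherited, yet absent from the parent ACL
        } else { $null }
        if ($kind) {
            [pscustomobject]@{
                Path = $Path; Finding = $kind; Sid = $sid; Owner = $owner
                Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
            }
        }
    }
}

Get-ChildItem -LiteralPath $Root -Recurse -Force |
    ForEach-Object { Get-CreatorOwnerFinding -Path $_.FullName } |
    Export-Csv -Path .\creator-owner-findings.csv -NoTypeInformation
```

The second finding is a heuristic: it also fires when a parent ACL was edited without the change being propagated to existing children.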
ASKER
Oops, just noticed it was forced accept. Sorry.
Interesting that the accepted answer came after I had mentioned doing exactly what it appears you did in the end (or a manual variation).
Too bad I didn't notice this earlier.
Hi friends,
I don't worry about points...
Dear vsg375 and CetusMOD, can I refund points? I think the points must go to Netman66.
Regards,
Maheen
ASKER
Cool with me.
Do whatever you think is fair. I wasn't complaining - just making an observation.
i hate to say it