Security Question

UserA is a member of GroupA and GroupA is given all rights except Full Control to FolderA.
UserA creates a sub-folder in FolderA called SubFolderA.

UserA changes departments and is removed from GroupA.

My problem is that UserA still has Full Control (special) to SubFolderA because they are the creator/owner.

Is this right?

Yes, this is right, I hate to say it.
You can fix this on a schedule by running CACLS.exe and replacing the owner on certain folders with the Domain Admin group.

However, yes, this is expected.

I thought I saw some MS tool or similar that would reclaim ownership of all files/folders on a server to the built-in administrator account of that server?  Ehh...maybe I'm wrong...

lpenrodAuthor Commented:
When I reclaim ownership, do they lose those rights?
If you assigned permissions based on Groups and they are removed from the Group(s) and ownership is transferred to the Administrator - then, yes they lose the access.

You should always be using local groups to assign permissions to resources, then adding in the appropriate Global Groups to give this access.  This way when a user is removed from a Global Group giving access, they automatically lose access.
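The group-based model described above can be checked rather than assumed. The following script is an added example, not code from the thread or from any of its participants: it walks a share tree and reports every non-inherited access entry that names an individual user account instead of a group, plus any CREATOR OWNER entries, since those become per-user Full Control on each object a user creates. It assumes an elevated PowerShell session on the file server, a placeholder root path, and uses the WinNT ADSI provider to tell users from groups (which works for local and domain accounts; well-known principals such as BUILTIN and NT AUTHORITY are skipped).

```powershell
# Added example, not from the thread. Find DACL entries granted directly to
# user accounts (and CREATOR OWNER entries) anywhere under a share root.
# Assumption: run elevated on the file server; $Root is a placeholder.
param([string]$Root = 'D:\Shares')   # placeholder for the share's top folder

# Well-known authorities that the WinNT provider cannot resolve as user/group.
$skipDomains = @('NT AUTHORITY', 'BUILTIN', 'NT SERVICE', 'APPLICATION PACKAGE AUTHORITY')
$classCache  = @{}

function Get-PrincipalClass {
    # Returns 'User', 'Group' or 'Unknown' for a DOMAIN\name string, using the
    # WinNT ADSI provider (assumption: the server can resolve the account).
    param([string]$Identity)
    if ($classCache.ContainsKey($Identity)) { return $classCache[$Identity] }

    $class = 'Unknown'
    $parts = $Identity -split '\\', 2
    if ($parts.Count -eq 2 -and $skipDomains -notcontains $parts[0]) {
        try {
            $class = ([ADSI]"WinNT://$($parts[0])/$($parts[1])").SchemaClassName
        } catch {
            $class = 'Unknown'   # deleted or unresolvable account
        }
    }
    $classCache[$Identity] = $class
    return $class
}

function Find-DirectUserGrants {
    param([string]$Path)

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            # Inherited entries are reported once, at the object that defines them.
            if ($ace.IsInherited) { continue }

            $id      = $ace.IdentityReference.Value
            $finding = $null
            if ($id -ieq 'CREATOR OWNER') {
                $finding = 'CREATOR OWNER: each creator receives these rights on every new object'
            } elseif ((Get-PrincipalClass $id) -eq 'User') {
                $finding = 'Rights granted directly to a user account, not through a group'
            }

            if ($finding) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $id
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                    Finding  = $finding
                }
            }
        }
    }
}

Find-DirectUserGrants -Path $Root | Format-Table -AutoSize
```

Run it before and after a cleanup: a tree that follows the local-group advice above should produce no rows except, possibly, deliberate CREATOR OWNER entries you have chosen to keep.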

In a domain system...

It will show the owner as "User_A", but it will lose Full Control (only a few permissions will remain). Full Control goes to the administrative group.

But the problem is, if you set a quota, it will count file capacity in Folder_A for UserA.

In my comment above I assumed permissions are not inherited to Folder_A from its parent, that permissions are inherited to sub-folders and files from Folder_A, and that permissions are assigned only for Administrators and GroupA (all other users and groups removed). Check with Effective Permissions; it will show clearly. In a domain or a workgroup it will work.

lpenrodAuthor Commented:
I took ownership of every file and folder on the system.  The users still have Special Full Control...

Is this checkbox greyed out?
lpenrodAuthor Commented:
What box?

The original owner still shows up in the permissions list.

When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object".  Yet if I look at the parent object, they are not in the list.
Is this how you took ownership of all the files:

To take ownership of a folder, follow these steps:
1. Right-click the folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of that folder, select the Replace owner on subcontainers and objects check box.

Yes, and if you scroll down on the main security tab to the user the Special Permission checkbox should be grey.

Keep moving up the tree and checking to see where the account is.  I find it weird that the direct parent shows no sign of the user, yet it states the child is inheriting it.

Is there a hidden folder above this one that you are not seeing?

lpenrodAuthor Commented:
I have 3+ million files on this server.  I can't one-by-one manually take ownership.

I used subinacl.exe to take ownership.
You don't have to one-by-one.

On the server, go to the drive that houses the share and then right click on that top folder and do the steps I said in my last comment to take full ownership on every file in that share (3 mil files will take some time)...
lpenrodAuthor Commented:
I follow.  Trying now.
lpenrodAuthor Commented:
OK, I tried that on a folder and the original owner still shows up in the permissions list.

When I click on the Advanced button and edit their permissions, it says "This permission is inherited from the parent object".  Yet if I look at the parent object, they are not in the list.
You'll need to go to the parent folder...heck if you have to just open the D drive or whatever on the server (not the share) and do it from there.
lpenrodAuthor Commented:
I did it at the root of one of my smaller drives.
By right-clicking the drive itself? You shouldn't even see any inherited permissions or even the checkbox for "inherit from parent" since it is the parent.
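The puzzle in the exchange above, an entry on the child that says "inherited from the parent object" while the parent's list never mentions the user, has a mechanical explanation: when NTFS propagates an inheritable CREATOR OWNER entry to a newly created object, it writes the entry onto the child with the creator's SID substituted for CREATOR OWNER and flags it as inherited. The child therefore reports an inherited entry for UserA, and the parent shows only CREATOR OWNER. The script below is an added example, not code from the thread or its participants: it walks from a folder up to the root of its volume and lists, at each level, every DACL entry that names the given account or CREATOR OWNER, with its inherited flag, whether the account owns that object, and whether the DACL is protected. It assumes an elevated PowerShell session on the server; the path and account are placeholders.

```powershell
# Added example, not from the thread. Trace where an account's (apparently
# inherited) permission on a folder actually comes from.
# Assumption: run elevated on the file server; both parameters are placeholders.
param(
    [string]$Path    = 'D:\Shares\FolderA\SubFolderA',   # placeholder
    [string]$Account = 'DOMAIN\UserA'                    # placeholder
)

function Get-AceSource {
    param([string]$StartPath, [string]$Identity)

    $current = (Get-Item -LiteralPath $StartPath -Force).FullName
    $rows    = New-Object System.Collections.Generic.List[object]

    while ($current) {
        $acl = Get-Acl -LiteralPath $current

        # Ownership is separate from the DACL: the owner keeps Read Permissions
        # and Change Permissions even with no entry naming them, so show it too.
        $isOwner = ($acl.Owner -ieq $Identity)

        $aces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -ieq $Identity -or
            $_.IdentityReference.Value -ieq 'CREATOR OWNER'
        })

        foreach ($ace in $aces) {
            $rows.Add([pscustomobject]@{
                Path      = $current
                IsOwner   = $isOwner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceFlags
                Protected = $acl.AreAccessRulesProtected
            })
        }

        # An explicit (non-inherited) entry for the account at this level is the
        # source of the inherited copies beneath it; a protected DACL means
        # nothing higher up contributes, so stop in either case.
        $explicit = $aces | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Identity
        }
        if ($explicit -or $acl.AreAccessRulesProtected) { break }

        # Split-Path returns an empty string at the volume root, ending the loop.
        $current = Split-Path -Path $current -Parent
    }
    return $rows
}

Get-AceSource -StartPath $Path -Identity $Account | Format-Table -AutoSize
```

In the situation described in the thread the output shows the account's entry on SubFolderA with Inherited = True and, on each ancestor, only a CREATOR OWNER entry, which identifies that entry (not a missing user entry on the parent) as the thing to remove.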
I think my comment above is difficult to understand, OK, maybe because I explained it briefly.

OK, for testing use a Windows XP workstation with NTFS, and create GroupA, UserA, FolderA -> SubFolderA.

UserA is a member of GroupA (not of any other group or administrative group, but if you want to log in locally as UserA then add UserA to the Power Users group).

Now I think FolderA is created as c:\folderA, and FolderA gets all the permissions belonging to the "C" drive (FolderA's parent is "C"). Next you have to stop FolderA inheriting permissions from its parent (the "C" drive).
FolderA -> Properties -> Security -> Advanced -> Permissions -> untick "Inherit from parent..." -> in the next window click Copy.
Now permission inheritance from the parent is stopped.

FolderA -> Properties -> Security: remove all users and groups except Administrator and Administrators. Next add GroupA permissions (GroupA with "Full Control" or "Modify" permission).

Next log off and log in locally as UserA,
and create SubFolderA and copy (don't do cut and paste) some files. Now UserA is the owner with Full Control for those files.

Next log off and log in as Administrator.

Go to FolderA and its sub-folders and check effective permissions (folder/file -> Properties -> Security -> Advanced -> Effective Permissions -> select UserA and check its permission list). It will show as Full Control.

Next remove UserA from GroupA, then go to FolderA and its sub-folders and check permissions (as above, effective permissions). You can see UserA is the owner but it doesn't have Full Control;
effective permissions show "Read Permissions" and "Change Permissions" for UserA.

Waiting for your reply...

I honestly don't know if you are going to be able to get around this unless you then take ownership as administrator on the folder/files in FolderA and its inherited folders.

UserA may still be the "owner" of those files, but they won't be able to do anything with them, or even get to them since you've removed their permissions.

I thought if you left them at "Modify" rights then they wouldn't get full control of any file, including ones they create.

(I'll see if I can test your setup myself in a little while)
Good morning Cleaner,

and don't forget to check as in my configuration above.

lpenrodAuthor Commented:
I ended up kicking "Creator Owner" from the Access Control List.  That stopped users from gaining full control to anything they create.

Next I took ownership of every file and directory.

Next I chose to "Replace permission entries on all child objects with entries shown here that apply to child objects".

That got things cleaned up.

I didn't understand what "Creator Owner" was doing.  By default it is assigned to any newly created drive.

Recommendations on assigning points?
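The three steps in the comment above (remove CREATOR OWNER, take ownership, replace the entries on all child objects) are the cleanup most administrators end up doing. The script below is an added example, not code from the thread or from any participant: it performs those steps against a share root, reporting only until -Apply is given. It assumes an elevated PowerShell session on the server, a placeholder root path, and uses the in-box takeown.exe and icacls.exe in place of the subinacl.exe and CACLS.exe mentioned earlier in the thread. One caveat the thread touches on: an owner always has Read Permissions and Change Permissions on an object even when no entry names them, so step 1 alone stops future per-user Full Control but does not strip existing owners of their ability to re-grant themselves access; that is what step 2 is for.

```powershell
# Added example, not from the thread. Remove CREATOR OWNER, take ownership,
# and reset child permissions to inherit from the share root.
# Assumption: run elevated on the file server; $Root is a placeholder.
param(
    [string]$Root = 'D:\Shares\FolderA',   # placeholder: top folder of the share
    [switch]$Apply                          # report only unless -Apply is given
)

if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
    throw "Root folder not found: $Root"
}

function Remove-CreatorOwnerEntries {
    # Step 1: drop CREATOR OWNER from the root DACL so that new files and
    # folders get only what their creator's groups grant.
    param([string]$Path, [bool]$Commit)

    $acl     = Get-Acl -LiteralPath $Path
    $targets = @($acl.Access | Where-Object { $_.IdentityReference.Value -ieq 'CREATOR OWNER' })
    if ($targets.Count -eq 0) {
        Write-Host "Step 1: no CREATOR OWNER entry on $Path"
        return 0
    }

    if ($targets | Where-Object { $_.IsInherited }) {
        # An inherited CREATOR OWNER entry (the default inherited from a new
        # volume) cannot be removed in place: protect the DACL while copying
        # the inherited entries, write it, and re-read so they are explicit.
        Write-Host "Step 1: CREATOR OWNER is inherited on $Path; stopping inheritance (copy) first"
        if ($Commit) {
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $Path -AclObject $acl
            $acl = Get-Acl -LiteralPath $Path
        }
    }

    foreach ($ace in $targets) {
        Write-Host ("Step 1: removing {0} {1} {2}" -f `
            $ace.IdentityReference.Value, $ace.AccessControlType, $ace.FileSystemRights)
    }
    if ($Commit) {
        # PurgeAccessRules removes every explicit entry for the identity.
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]'CREATOR OWNER')
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    return $targets.Count
}

$removed = Remove-CreatorOwnerEntries -Path $Root -Commit:$Apply.IsPresent

# Step 2: take ownership of every file and folder for the Administrators group
# (/A), recursively (/R), answering Yes (/D Y) where the current user lacks list
# permission. Ownership carries implicit Read/Change Permissions, so this step
# is what actually removes the former creators' residual control.
$takeownArgs = @('/F', $Root, '/R', '/A', '/D', 'Y')
if ($Apply) { & takeown.exe @takeownArgs | Out-Null }
else        { Write-Host "Step 2: would run takeown.exe $($takeownArgs -join ' ')" }

# Step 3: replace the permission entries on all child objects with the entries
# inherited from $Root, the same action as the GUI checkbox quoted above.
# The wildcard keeps $Root's own (now protected) DACL untouched.
$icaclsArgs = @("$Root\*", '/reset', '/T', '/C')
if ($Apply) { & icacls.exe @icaclsArgs | Out-Null }
else        { Write-Host "Step 3: would run icacls.exe $($icaclsArgs -join ' ')" }

Write-Host "CREATOR OWNER entries handled on root: $removed"
```

Run without -Apply first and read the three reported actions; on a share with millions of files, steps 2 and 3 take a long time, as noted earlier in the thread, so schedule them outside working hours.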
lpenrodAuthor Commented:
Oops, just noticed it was forced accept.  Sorry.
Interesting that the accepted answer came after I had mentioned doing exactly what it appears you did in the end (or a manual variation).

Too bad I didn't notice this earlier.

Hi friends,

I don't worry about points...

Dear vsg375 and CetusMOD, can I refund the points? I think the points must go to Netman66.



lpenrodAuthor Commented:
Cool with me.
Do whatever you think is fair.  I wasn't complaining - just making an observation.

Windows Server 2003