DigitalServices
asked on
Users with Modify permissions can also change permissions
We have Server 2003 on our servers. Users who have modify permissions on a file or folder can also reset permissions on that object. We are trying to find out how to prevent them from being able to do this. I look at the fine-grained permissions and cannot figure it out.
How about removing MODIFY permissions?
ASKER
but then the user can't create or change files, can he?
ASKER
PS - I will check, but it looks to me like 'Write' enables him to create files, but he needs modify in order to change existing files
Go into Advanced on the Security tab.
Select the Group you want to remove the permissions for.
Select the Edit button.
Either Uncheck Take Ownership and Change Permissions or place a check under Deny for these permissions.
Make sure it's not a group like Authenticated Users or the Administrators will lose the permissions too.
This should take care of that problem.
ASKER
Yes. Unfortunately, Change Permissions and Take Ownership are not ticked. We realise we could deny, and if we have to, we will. However, it seems a hack first to give something that you don't think you have given, and then to take it away.
BTW, I would have to do it by script, not using the GUI. We have about 15,000 users :-)
ASKER CERTIFIED SOLUTION
ASKER
Ah. The light comes on. The user in question is owner, and therefore ... can change permissions. I think that is it. I will accept your answer once I have done a little testing. Thanks so much.
ASKER
Tested. Alas, this is not the answer. I created a file directly on the server, logged in as administrator. Checked ownership. It is owned by Administrators. My personal account has only Modify, not Full permissions. Yet on my XP machine, connected to the share containing that file, I can add or remove permissions for other users. I could, no doubt, block "change permissions" permissions for myself, and similarly for all users for their own stuff, but that certainly looks like a hack. I really want to understand what is going on and I don't.
ASKER
Double alas! This is the answer. I am afraid my normal (not admin) account isn't quite as normal as I had thought. Apologies. I will accept Netman66's solution, and thanks!
Hehe.. :o)
It happens to all of us at some point!
Thanks,
NM
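The point the thread settles on, that an owner can change permissions even when the ACL grants only Modify, can be checked in bulk by script instead of through the GUI. The following is an added example, not part of any post above: a PowerShell function with the hypothetical name Get-AclWriters that lists, for each file or folder, the owner and any Allow entry carrying Change Permissions or Take Ownership. It assumes PowerShell 3.0 or later on Windows; the demo folder and file are constructed.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ on Windows.
# Get-AclWriters is a hypothetical name. It lists who can rewrite an item's ACL:
# the owner (implicit right on Server 2003) and any Allow entry that applies to
# the item and carries Change Permissions or Take Ownership. Modify has neither.
# Deny entries and group membership are not resolved here.
function Get-AclWriters {
    param([Parameter(Mandatory = $true)][string]$Path)

    $rights      = [System.Security.AccessControl.FileSystemRights]
    $mask        = [int]($rights::ChangePermissions -bor $rights::TakeOwnership)
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root)
    if ($root.PSIsContainer) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # Ownership alone is enough to change permissions.
        [pscustomobject]@{ Path = $item.FullName; Principal = $acl.Owner; Via = 'Owner' }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries affect children, not this item.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            $held = [int]$ace.FileSystemRights -band $mask
            if ($held -ne 0) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Via       = "ACE: $($held -as $rights)"
                }
            }
        }
    }
}

# Constructed demo: a scratch folder, so nothing on a real share is touched.
$demo = Join-Path $env:TEMP 'acl-writers-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'report.txt') -Value 'sample'
Get-AclWriters -Path $demo | Sort-Object Path, Via | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Rows marked Owner for an ordinary user account are the case described in the thread: that user can reset permissions on the item regardless of what the Modify entry grants.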