Users with Modify permissions can also change permissions

We have Server 2003 on our servers.  Users who have modify permissions on a file or folder can also reset permissions on that object.  We are trying to find out how to prevent them from being able to do this.  I look at the fine-grained permissions and cannot figure it out.
DigitalServicesAsked:
Who is Participating?
 
Netman66Connect With a Mentor Commented:
The only way these users can modify permissions is if they belong to another group that can - if you say those permissions are not checked and they still can change permissions then you need to figure out where those are coming from.

Of course, if they are the Owner then they can change permissions so check to see if they are.

0
 
Irwin SantosComputer Integration SpecialistCommented:
How about removing MODIFY permissions?
0
 
DigitalServicesAuthor Commented:
but then the user can't create or change files, can he?
0
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

 
DigitalServicesAuthor Commented:
PS - I will check, but it looks to me like 'Write' enables him to create files, but he needs modify in order to change existing files
0
 
Netman66Commented:
Go into Advanced on the Security tab.
Select the Group you want to remove the permissions for.
Select the Edit button.
Either Uncheck Take Ownership and Change Permissions or place a check under Deny for these permissions.
Make sure it's not a group like Authenticated Users or the Administrators will lose the permissions too.

This should take care of that problem.

0
 
DigitalServicesAuthor Commented:
Yes.  Unfortunately, Change Permissions and Take Ownership are not ticked.  We realise we could deny, and if we have to, we will.  However, it seems a hack first to give something that you don't  think you have given, and then to take it away.

BTW, I would have to do it by script, not using the GUI.  We have about 15,000 users :-)
0
 
DigitalServicesAuthor Commented:
Ah.  The light comes on.  The user in question is owner, and therefore ... can change permissions.  I think that is it.  I will accept your answer once I have done a little testing.  Thanks so much.
0
 
DigitalServicesAuthor Commented:
Tested.  Alas, this is not the answer.  I created a file directly on the server, logged in as administrator.  Checked ownership.  It is owned by Administrators.  My personal account has only Modify, not Full permissions.  Yet on my XP machine, connected to the share containing that file, I can add or remove permissions for other users.  I could, no doubt, block "change permissions" permissions for myself, and similarly for all users for their own stuff, but that certainly looks like a hack.  I really want to understand what is going on and I don't.  
0
 
DigitalServicesAuthor Commented:
Double alas!  this is the answer.  I am afraid my normal (not admin) account isn't quite as normal as I had thought.  Apologies.  I will accept Netman66's solution, and thanks!
0
 
Netman66Commented:
Hehe.. :o)

It happens to all of us at some point!

Thanks,
NM
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.