?
Solved

Users with Modify permissions can also change permissions

Posted on 2006-05-23
10
Medium Priority
?
187 Views
Last Modified: 2011-09-20
We have Server 2003 on our servers.  Users who have modify permissions on a file or folder can also reset permissions on that object.  We are trying to find out how to prevent them from being able to do this.  I look at the fine-grained permissions and cannot figure it out.
0
Comment
Question by:DigitalServices
  • 6
  • 3
10 Comments
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16746613
How about removing MODIFY permissions?
0
 

Author Comment

by:DigitalServices
ID: 16746638
but then the user can't create or change files, can he?
0
 

Author Comment

by:DigitalServices
ID: 16746648
PS - I will check, but it looks to me like 'Write' enables him to create files, but he needs modify in order to change existing files
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 51

Expert Comment

by:Netman66
ID: 16748029
Go into Advanced on the Security tab.
Select the Group you want to remove the permissions for.
Select the Edit button.
Either Uncheck Take Ownership and Change Permissions or place a check under Deny for these permissions.
Make sure it's not a group like Authenticated Users or the Administrators will lose the permissions too.

This should take care of that problem.

0
 

Author Comment

by:DigitalServices
ID: 16748084
Yes.  Unfortunately, Change Permissions and Take Ownership are not ticked.  We realise we could deny, and if we have to, we will.  However, it seems a hack first to give something that you don't  think you have given, and then to take it away.

BTW, I would have to do it by script, not using the GUI.  We have about 15,000 users :-)
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 16750208
The only way these users can modify permissions is if they belong to another group that can - if you say those permissions are not checked and they still can change permissions then you need to figure out where those are coming from.

Of course, if they are the Owner then they can change permissions so check to see if they are.

0
 

Author Comment

by:DigitalServices
ID: 16754995
Ah.  The light comes on.  The user in question is owner, and therefore ... can change permissions.  I think that is it.  I will accept your answer once I have done a little testing.  Thanks so much.
0
 

Author Comment

by:DigitalServices
ID: 16780956
Tested.  Alas, this is not the answer.  I created a file directly on the server, logged in as administrator.  Checked ownership.  It is owned by Administrators.  My personal account has only Modify, not Full permissions.  Yet on my XP machine, connected to the share containing that file, I can add or remove permissions for other users.  I could, no doubt, block "change permissions" permissions for myself, and similarly for all users for their own stuff, but that certainly looks like a hack.  I really want to understand what is going on and I don't.  
0
 

Author Comment

by:DigitalServices
ID: 16781083
Double alas!  this is the answer.  I am afraid my normal (not admin) account isn't quite as normal as I had thought.  Apologies.  I will accept Netman66's solution, and thanks!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16781150
Hehe.. :o)

It happens to all of us at some point!

Thanks,
NM
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question