Solved

Prevent a file/folder owner from changing permissions -- or prevent users from becoming the owner of files/folders they create?

Posted on 2006-10-19
9
2,516 Views
1 Endorsement
Last Modified: 2012-08-13
I have noticed that, even though we've taken great care to ensure NTFS permisisons on our shared folders are set such that regular users cannot change permissions on files or folders WE create, they can change permissions on folders or files they themselves create, because they are the file/folder owners.

Is there a way to prevent owners of files/folders from changing permissions on those files and folders, or prevent regular users from becoming owner of files and folders they create?

I have tried denying CREATER OWNER the right to change permissions, but that doesn't seem to work the way I need it to.
1
Comment
Question by:fcaat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 17770153
there is a domain policy to enforce a "default" owner on newly created objects. This is a policy usually used on file servers defining usually the / a "local administrator" account to become default owner of these objects.

I thought this to be part of the "local security policies" wich can be defined locally on the machine, else please have a look at the GPO policies at domain level...

Regards,
0
 

Author Comment

by:fcaat
ID: 17770319
I see the setting you're talking about.  It's "System objects: Default owner for objects created by members of the Administrators group", and is explained here: http://technet2.microsoft.com/WindowsServer/en/library/094905e1-bfc8-4c9b-990a-6a7353d1950b1033.mspx?mfr=true.

Unfortunately it does not apply to newly created files or folders.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 125 total points
ID: 17770707
by default and with no way of changing that i know of, users that create files and folders are the owner, that is the nature of owership.....I am not sure if setting an ownership at the root and then propagating that setting down to sub folders will work

there are a few 3rp party appz that will let you change but its not automated as such and doesnt change the default settings
http://download2pc.com/Utilities_9/File_n_Disk_Management_104/Directory_Report_5397.html
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 4

Expert Comment

by:Shankadude
ID: 17772222
Perhaps I'm not getting the question right, but I think the solution is not to give users the Full Controll permission on NTFS level. That way they are unable to set/change permissions on files and folders, even on the ones they create themself.
Make sure that they're not in a group which gives them the FC permission on the particular data.

When you set/remove this permission there is no need to change anything with the owner. The user still stays owner of his data.

0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 125 total points
ID: 17777686
Owners of files and folders by default can change permissions - this isn't something you can change, it's how it works.

If it bothers you that much, then run a Scheduled task that uses this tool to change them:

http://support.microsoft.com/kb/320046

0
 
LVL 1

Expert Comment

by:Eric-arup
ID: 20273381
I know this is a year + old but I was searching for this exact same thing and wanted to add to it for any future reader

You can set the group policy on the user right assignment for "take ownership of the files or other object", you can then set the gpo under admin template, system, group policy, "group policy refresh interval" and lower it.  This will decrease the time between users creating folders and getting owner rights and the system refreshing the gpo and reseting the owner to your desired setting per the gpo.

Sure it still creates that small window where a user can do whatever they want in the folder they create.  On our side its an acceptable window.
0
 
LVL 2

Expert Comment

by:alkabello
ID: 23495718
If the share permissions are configured to 'Modify', users are NEVER owner or able to change permissions. we use Modify setting on all our file server shares.

The disadvantage is that users can never be assigned the priveledge to change their own permission without changing the chare permissions to full.
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
idle mapped drive 10 73
SolarWind and DNS Server 12 107
PowerShell one liner to pull server names 3 68
Automate Windows Updates with SCCM 2 127
Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question