Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Prevent a file/folder owner from changing permissions -- or prevent users from becoming the owner of files/folders they create?

Posted on 2006-10-19
9
2,441 Views
1 Endorsement
Last Modified: 2012-08-13
I have noticed that, even though we've taken great care to ensure NTFS permisisons on our shared folders are set such that regular users cannot change permissions on files or folders WE create, they can change permissions on folders or files they themselves create, because they are the file/folder owners.

Is there a way to prevent owners of files/folders from changing permissions on those files and folders, or prevent regular users from becoming owner of files and folders they create?

I have tried denying CREATER OWNER the right to change permissions, but that doesn't seem to work the way I need it to.
1
Comment
Question by:fcaat
9 Comments
 
LVL 10

Expert Comment

by:Chris_Gralike
ID: 17770153
there is a domain policy to enforce a "default" owner on newly created objects. This is a policy usually used on file servers defining usually the / a "local administrator" account to become default owner of these objects.

I thought this to be part of the "local security policies" wich can be defined locally on the machine, else please have a look at the GPO policies at domain level...

Regards,
0
 

Author Comment

by:fcaat
ID: 17770319
I see the setting you're talking about.  It's "System objects: Default owner for objects created by members of the Administrators group", and is explained here: http://technet2.microsoft.com/WindowsServer/en/library/094905e1-bfc8-4c9b-990a-6a7353d1950b1033.mspx?mfr=true.

Unfortunately it does not apply to newly created files or folders.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 125 total points
ID: 17770707
by default and with no way of changing that i know of, users that create files and folders are the owner, that is the nature of owership.....I am not sure if setting an ownership at the root and then propagating that setting down to sub folders will work

there are a few 3rp party appz that will let you change but its not automated as such and doesnt change the default settings
http://download2pc.com/Utilities_9/File_n_Disk_Management_104/Directory_Report_5397.html
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 4

Expert Comment

by:Shankadude
ID: 17772222
Perhaps I'm not getting the question right, but I think the solution is not to give users the Full Controll permission on NTFS level. That way they are unable to set/change permissions on files and folders, even on the ones they create themself.
Make sure that they're not in a group which gives them the FC permission on the particular data.

When you set/remove this permission there is no need to change anything with the owner. The user still stays owner of his data.

0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 125 total points
ID: 17777686
Owners of files and folders by default can change permissions - this isn't something you can change, it's how it works.

If it bothers you that much, then run a Scheduled task that uses this tool to change them:

http://support.microsoft.com/kb/320046

0
 
LVL 1

Expert Comment

by:Eric-arup
ID: 20273381
I know this is a year + old but I was searching for this exact same thing and wanted to add to it for any future reader

You can set the group policy on the user right assignment for "take ownership of the files or other object", you can then set the gpo under admin template, system, group policy, "group policy refresh interval" and lower it.  This will decrease the time between users creating folders and getting owner rights and the system refreshing the gpo and reseting the owner to your desired setting per the gpo.

Sure it still creates that small window where a user can do whatever they want in the folder they create.  On our side its an acceptable window.
0
 
LVL 2

Expert Comment

by:alkabello
ID: 23495718
If the share permissions are configured to 'Modify', users are NEVER owner or able to change permissions. we use Modify setting on all our file server shares.

The disadvantage is that users can never be assigned the priveledge to change their own permission without changing the chare permissions to full.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question