Prevent a file/folder owner from changing permissions -- or prevent users from becoming the owner of files/folders they create?

I have noticed that, even though we've taken great care to ensure NTFS permisisons on our shared folders are set such that regular users cannot change permissions on files or folders WE create, they can change permissions on folders or files they themselves create, because they are the file/folder owners.

Is there a way to prevent owners of files/folders from changing permissions on those files and folders, or prevent regular users from becoming owner of files and folders they create?

I have tried denying CREATER OWNER the right to change permissions, but that doesn't seem to work the way I need it to.
fcaatAsked:
Who is Participating?
 
Jay_Jay70Commented:
by default and with no way of changing that i know of, users that create files and folders are the owner, that is the nature of owership.....I am not sure if setting an ownership at the root and then propagating that setting down to sub folders will work

there are a few 3rp party appz that will let you change but its not automated as such and doesnt change the default settings
http://download2pc.com/Utilities_9/File_n_Disk_Management_104/Directory_Report_5397.html
0
 
Chris GralikeSpecialistCommented:
there is a domain policy to enforce a "default" owner on newly created objects. This is a policy usually used on file servers defining usually the / a "local administrator" account to become default owner of these objects.

I thought this to be part of the "local security policies" wich can be defined locally on the machine, else please have a look at the GPO policies at domain level...

Regards,
0
 
fcaatAuthor Commented:
I see the setting you're talking about.  It's "System objects: Default owner for objects created by members of the Administrators group", and is explained here: http://technet2.microsoft.com/WindowsServer/en/library/094905e1-bfc8-4c9b-990a-6a7353d1950b1033.mspx?mfr=true.

Unfortunately it does not apply to newly created files or folders.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
ShankadudeCommented:
Perhaps I'm not getting the question right, but I think the solution is not to give users the Full Controll permission on NTFS level. That way they are unable to set/change permissions on files and folders, even on the ones they create themself.
Make sure that they're not in a group which gives them the FC permission on the particular data.

When you set/remove this permission there is no need to change anything with the owner. The user still stays owner of his data.

0
 
Netman66Commented:
Owners of files and folders by default can change permissions - this isn't something you can change, it's how it works.

If it bothers you that much, then run a Scheduled task that uses this tool to change them:

http://support.microsoft.com/kb/320046

0
 
Eric-arupCommented:
I know this is a year + old but I was searching for this exact same thing and wanted to add to it for any future reader

You can set the group policy on the user right assignment for "take ownership of the files or other object", you can then set the gpo under admin template, system, group policy, "group policy refresh interval" and lower it.  This will decrease the time between users creating folders and getting owner rights and the system refreshing the gpo and reseting the owner to your desired setting per the gpo.

Sure it still creates that small window where a user can do whatever they want in the folder they create.  On our side its an acceptable window.
0
 
alkabelloCommented:
If the share permissions are configured to 'Modify', users are NEVER owner or able to change permissions. we use Modify setting on all our file server shares.

The disadvantage is that users can never be assigned the priveledge to change their own permission without changing the chare permissions to full.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.