Solved

Prevent a file/folder owner from changing permissions -- or prevent users from becoming the owner of files/folders they create?

Posted on 2006-10-19
9
2,588 Views
1 Endorsement
Last Modified: 2012-08-13
I have noticed that, even though we've taken great care to ensure NTFS permisisons on our shared folders are set such that regular users cannot change permissions on files or folders WE create, they can change permissions on folders or files they themselves create, because they are the file/folder owners.

Is there a way to prevent owners of files/folders from changing permissions on those files and folders, or prevent regular users from becoming owner of files and folders they create?

I have tried denying CREATER OWNER the right to change permissions, but that doesn't seem to work the way I need it to.
1
Comment
Question by:fcaat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 17770153
there is a domain policy to enforce a "default" owner on newly created objects. This is a policy usually used on file servers defining usually the / a "local administrator" account to become default owner of these objects.

I thought this to be part of the "local security policies" wich can be defined locally on the machine, else please have a look at the GPO policies at domain level...

Regards,
0
 

Author Comment

by:fcaat
ID: 17770319
I see the setting you're talking about.  It's "System objects: Default owner for objects created by members of the Administrators group", and is explained here: http://technet2.microsoft.com/WindowsServer/en/library/094905e1-bfc8-4c9b-990a-6a7353d1950b1033.mspx?mfr=true.

Unfortunately it does not apply to newly created files or folders.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 125 total points
ID: 17770707
by default and with no way of changing that i know of, users that create files and folders are the owner, that is the nature of owership.....I am not sure if setting an ownership at the root and then propagating that setting down to sub folders will work

there are a few 3rp party appz that will let you change but its not automated as such and doesnt change the default settings
http://download2pc.com/Utilities_9/File_n_Disk_Management_104/Directory_Report_5397.html
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 4

Expert Comment

by:Shankadude
ID: 17772222
Perhaps I'm not getting the question right, but I think the solution is not to give users the Full Controll permission on NTFS level. That way they are unable to set/change permissions on files and folders, even on the ones they create themself.
Make sure that they're not in a group which gives them the FC permission on the particular data.

When you set/remove this permission there is no need to change anything with the owner. The user still stays owner of his data.

0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 125 total points
ID: 17777686
Owners of files and folders by default can change permissions - this isn't something you can change, it's how it works.

If it bothers you that much, then run a Scheduled task that uses this tool to change them:

http://support.microsoft.com/kb/320046

0
 
LVL 1

Expert Comment

by:Eric-arup
ID: 20273381
I know this is a year + old but I was searching for this exact same thing and wanted to add to it for any future reader

You can set the group policy on the user right assignment for "take ownership of the files or other object", you can then set the gpo under admin template, system, group policy, "group policy refresh interval" and lower it.  This will decrease the time between users creating folders and getting owner rights and the system refreshing the gpo and reseting the owner to your desired setting per the gpo.

Sure it still creates that small window where a user can do whatever they want in the folder they create.  On our side its an acceptable window.
0
 
LVL 2

Expert Comment

by:alkabello
ID: 23495718
If the share permissions are configured to 'Modify', users are NEVER owner or able to change permissions. we use Modify setting on all our file server shares.

The disadvantage is that users can never be assigned the priveledge to change their own permission without changing the chare permissions to full.
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question