Solved

Prevent a file/folder owner from changing permissions -- or prevent users from becoming the owner of files/folders they create?

Posted on 2006-10-19
9
2,475 Views
1 Endorsement
Last Modified: 2012-08-13
I have noticed that, even though we've taken great care to ensure NTFS permisisons on our shared folders are set such that regular users cannot change permissions on files or folders WE create, they can change permissions on folders or files they themselves create, because they are the file/folder owners.

Is there a way to prevent owners of files/folders from changing permissions on those files and folders, or prevent regular users from becoming owner of files and folders they create?

I have tried denying CREATER OWNER the right to change permissions, but that doesn't seem to work the way I need it to.
1
Comment
Question by:fcaat
9 Comments
 
LVL 10

Expert Comment

by:Chris_Gralike
ID: 17770153
there is a domain policy to enforce a "default" owner on newly created objects. This is a policy usually used on file servers defining usually the / a "local administrator" account to become default owner of these objects.

I thought this to be part of the "local security policies" wich can be defined locally on the machine, else please have a look at the GPO policies at domain level...

Regards,
0
 

Author Comment

by:fcaat
ID: 17770319
I see the setting you're talking about.  It's "System objects: Default owner for objects created by members of the Administrators group", and is explained here: http://technet2.microsoft.com/WindowsServer/en/library/094905e1-bfc8-4c9b-990a-6a7353d1950b1033.mspx?mfr=true.

Unfortunately it does not apply to newly created files or folders.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 125 total points
ID: 17770707
by default and with no way of changing that i know of, users that create files and folders are the owner, that is the nature of owership.....I am not sure if setting an ownership at the root and then propagating that setting down to sub folders will work

there are a few 3rp party appz that will let you change but its not automated as such and doesnt change the default settings
http://download2pc.com/Utilities_9/File_n_Disk_Management_104/Directory_Report_5397.html
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 4

Expert Comment

by:Shankadude
ID: 17772222
Perhaps I'm not getting the question right, but I think the solution is not to give users the Full Controll permission on NTFS level. That way they are unable to set/change permissions on files and folders, even on the ones they create themself.
Make sure that they're not in a group which gives them the FC permission on the particular data.

When you set/remove this permission there is no need to change anything with the owner. The user still stays owner of his data.

0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 125 total points
ID: 17777686
Owners of files and folders by default can change permissions - this isn't something you can change, it's how it works.

If it bothers you that much, then run a Scheduled task that uses this tool to change them:

http://support.microsoft.com/kb/320046

0
 
LVL 1

Expert Comment

by:Eric-arup
ID: 20273381
I know this is a year + old but I was searching for this exact same thing and wanted to add to it for any future reader

You can set the group policy on the user right assignment for "take ownership of the files or other object", you can then set the gpo under admin template, system, group policy, "group policy refresh interval" and lower it.  This will decrease the time between users creating folders and getting owner rights and the system refreshing the gpo and reseting the owner to your desired setting per the gpo.

Sure it still creates that small window where a user can do whatever they want in the folder they create.  On our side its an acceptable window.
0
 
LVL 2

Expert Comment

by:alkabello
ID: 23495718
If the share permissions are configured to 'Modify', users are NEVER owner or able to change permissions. we use Modify setting on all our file server shares.

The disadvantage is that users can never be assigned the priveledge to change their own permission without changing the chare permissions to full.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question