Solved

Revoke Permissions for creator owner on files Only

Posted on 2013-11-26
Last Modified: 2014-01-15
I have a folder structure in place with parent and subfolders. I need to run a script so that it will revoke the permissions of the user who created it for files only.

I.e., if a user copies a file to the folder, the write permissions for the file, regardless of the name, should be revoked.

Can the SUBINACL command do this?
Question by:GulfIT
14 Comments
 
LVL 12

Expert Comment

by:Gregory Miller
ID: 39677400
Would it be easier to have a script that changes the ownership of all files in the folder in a scheduled process? This way the complexities of allowing someone to create but not write but still read without modify... etc... do not exist. Sounds very messy and hard to troubleshoot.
0
 
LVL 9

Expert Comment

by:VirastaR
ID: 39677455
0
 

Author Comment

by:GulfIT
ID: 39677495
Further on this, I have found the subinacl command with the filesonly switch, but it does not remove permissions from the subfolders.

Is there a command to revoke permissions from all the files in the directory structure?
0

 
LVL 19

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 39677598
Take ownership of all folders and subfolders and add desired permissions using standard ACL.
0
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 39677682
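Create the desired permissions on a file that you will use as a template. Then use the following in PowerShell:

```powershell
$path = "\path\to\files"          # root folder to process
$template = "\path\to\template"   # file that carries the desired permissions
$templateACL = Get-Acl -Path $template

# -File limits the listing to files, so folder ACLs are left untouched
$files = Get-ChildItem -Path $path -Recurse -File
foreach ($file in $files) { Set-Acl -LiteralPath $file.FullName -AclObject $templateACL }
```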


Replace "\path\to\files" and "\path\to\template" with actual paths.

This will copy permissions from the template to all the files inside that folder, and only to files.

HTH,
Dan
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39677798
You need to replace Full Control NTFS permissions with Modify for all users and groups on the ACL except administrators.
Then you can remove the "Creator Owner" group using advanced NTFS permissions, with the replace option on the folder root, to remove the owner of all files, probably.

Once you remove the "Creator Owner" group, from then on users will not be able to take ownership and full rights of files.

Mahesh
0
 
LVL 56

Accepted Solution

by:
McKnife earned 1500 total points
ID: 39682487
No script needed. Simply set up NTFS permissions correctly:
For the user or user group, check the following boxes:
Screenshot
--However, all this will have no meaning if we don't set the share permissions to everyone:change (instead of everyone:full) as well!--
0
 

Author Comment

by:GulfIT
ID: 39682762
I need to revoke the permissions so that they cannot even write to the file. Thus a script running every night will need to take place.

The whole idea is to remove the write permissions to files that a particular group is creating, but these need to apply only to files, not folders.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39683030
I know - I showed you how to set it up - it's tested. No need for a script.
If you are not satisfied, you can change the settings to "apply to files only"
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39683065
What you can do is set up a new shared folder with Administrators Full Control and Authenticated Users Change share permissions. You should be logged on with an account having administrator rights on the server.

Now you need to go to NTFS security; first you need to remove inheritance on the folder and then remove all users and groups, including SYSTEM, Creator Owner and so on.
Then add server\administrators with full control and authenticated users with read+write NTFS permissions on the folder and click Apply.
Now edit the advanced security permissions, revoke write attributes and write extended attributes from authenticated users and click Apply.
McKnife is correct; you only need to revoke the above two permissions in addition, as mentioned above.

Now users need to work on their documents stored on their desktop, and once they have copied a document to the shared folder, their access to that document will get revoked automatically.
They cannot rename or edit the document.
They can only read the document. They can't even overwrite the new document with the same name.

This is what I think you are looking for.
This is tested and working fine

Mahesh
0
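One way to script the "apply to files only" split discussed in the answers above, as an added PowerShell example that is not code from any poster. The path, the group name, the exact rights chosen and the OWNER RIGHTS entry are assumptions, since the original screenshot is not available; the second half audits files where the group or the file's owner still holds a write-type right.

```powershell
# Added example, not from the thread. Run elevated on the file server.
$root  = 'D:\Shares\Drop'      # assumption: hypothetical share root
$group = 'CONTOSO\Uploaders'   # assumption: hypothetical group that creates the files

function New-AllowRule($identity, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $propagate, 'Allow')
}

$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting; drop inherited entries
foreach ($ace in @($acl.Access)) {             # drop explicit entries, CREATOR OWNER included
    $acl.PurgeAccessRules($ace.IdentityReference)
}

# Administrators: full control on this folder, subfolders and files.
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Group on this folder and subfolders: browse, create files, create folders.
$acl.AddAccessRule((New-AllowRule $group 'ReadAndExecute, CreateFiles, CreateDirectories' 'ContainerInherit' 'None'))
# Group on files only: read, with no write, write-attributes or delete right.
$acl.AddAccessRule((New-AllowRule $group 'Read' 'ObjectInherit' 'InheritOnly'))
# OWNER RIGHTS (S-1-3-4) on subfolders and files: replaces the owner's implicit
# right to edit the ACL of what they created (Windows Vista / Server 2008 and later).
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
$acl.AddAccessRule((New-AllowRule $ownerRights 'Read' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -Path $root -AclObject $acl

# Audit: files where the group or the file's owner still holds a write-type right,
# for example files that carry explicit entries from before the change.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
function Get-WritableFile($path) {
    Get-ChildItem -Path $path -Recurse -File | ForEach-Object {
        $file = $_.FullName
        $fileAcl = Get-Acl -LiteralPath $file
        $fileAcl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in @($group, $fileAcl.Owner) -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0
        } | Select-Object @{n='File'; e={$file}}, IdentityReference, FileSystemRights, IsInherited
    }
}
Get-WritableFile $root | Format-Table -AutoSize
```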
 

Author Comment

by:GulfIT
ID: 39689213
Thanks for the update. I have applied the same permissions but cannot rename the folders.
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39689275
I don't understand what you are saying?

Do you want to rename the folder?

Once you revoke write attributes and write extended attributes from the folder root, you cannot rename \ overwrite \ modify files and folders.
Users need to work on documents on their desktop \ workstations and then they can only copy the document into the shared folder.
Once the document gets copied there, all their rights will get revoked except read.

If I am not wrong, this is what you are trying to achieve.
Please share your requirement if you do not agree with the above.

Mahesh
0
 

Author Closing Comment

by:GulfIT
ID: 39781574
Done
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39781715
Still did not get any reply as to what exactly you are looking for?
0
