"Creator Owner" & "Owner Rights" Permissions in Server 2008 / 2012
Posted on 2014-08-11
I am setting up a new file server running Server 2012 R2. I have created shares for each department. For example, there is a Marketing share that only members of the Marketing group have modify access on. In this example, Mike is a member of the Marketing group and has modify access to the Marketing folder.
My problem is that when Mike creates a folder / file within the Marketing folder, he is given Full Control of the object he created. Mike can then go in and set permissions on that object. I do not want to give Mike, or any other user, the rights to change permissions on the objects that they create.
During my research it seems that Microsoft introduced the "Owner Rights" principal beginning in Server 2008, on which you can set NTFS permissions. I went ahead and added "Owner Rights" to the NTFS permissions on the Marketing folder and gave it Modify access. My permissions are as follows:
- Administrators (Full Control of This folder, subfolders and files)
- System (Full Control of This folder, subfolders and files)
- Creator Owner (Full Control of Subfolders and files only)
- Marketing Group (Modify of this folder, subfolders and files)
- Owner Rights (Modify of Subfolders and files only)
The problem with these permissions is that Mike can still edit the permissions of files and folders that he creates. If I remove "Creator Owner" then Mike can still create folders / files but he is no longer able to change the permissions on the item.
It was my understanding that "Owner Rights" would take precedence over "Creator Owner", but I may be wrong. If I am assigning "Owner Rights" to the Marketing share, is it safe to simply remove "Creator Owner"?
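
An added example, not part of the original post: PowerShell that rebuilds the ACL listed above in memory and reports every Allow entry, outside a trusted list, that carries Change Permissions or Take Ownership, the rights that let a principal edit an object's ACL. The Marketing group SID and the function name `Find-AclEditingAce` are constructed placeholders; the other SIDs are the well-known ones.

```powershell
# Added example: audit an NTFS ACL for entries that let non-admins rewrite permissions.
$ns = 'System.Security.AccessControl'
$sid = @{
    Admins       = 'S-1-5-32-544'   # BUILTIN\Administrators
    System       = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
    CreatorOwner = 'S-1-3-0'        # CREATOR OWNER
    OwnerRights  = 'S-1-3-4'        # OWNER RIGHTS
    Marketing    = 'S-1-5-21-1111111111-2222222222-3333333333-1104'  # constructed placeholder
}

function Find-AclEditingAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemSecurity] $Acl,
        [string[]] $TrustedSid = @()
    )
    # Rights that allow changing the DACL directly, or by taking ownership first.
    $mask = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
            [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $mask) -ne 0) -and
            ($TrustedSid -notcontains $_.IdentityReference.Value)
        } |
        Select-Object @{n='Sid'; e={$_.IdentityReference.Value}},
                      FileSystemRights, InheritanceFlags, PropagationFlags
}

# Rebuild the five entries from the post. None = this folder, subfolders and files;
# InheritOnly = subfolders and files only.
$entries = @(
    @($sid.Admins,       'FullControl', 'None'),
    @($sid.System,       'FullControl', 'None'),
    @($sid.CreatorOwner, 'FullControl', 'InheritOnly'),
    @($sid.Marketing,    'Modify',      'None'),
    @($sid.OwnerRights,  'Modify',      'InheritOnly')
)
$acl = New-Object "$ns.DirectorySecurity"
foreach ($e in $entries) {
    $who  = New-Object System.Security.Principal.SecurityIdentifier $e[0]
    $rule = New-Object "$ns.FileSystemAccessRule" -ArgumentList $who,
        ([System.Security.AccessControl.FileSystemRights]$e[1]),
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        ([System.Security.AccessControl.PropagationFlags]$e[2]),
        ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}

Find-AclEditingAce -Acl $acl -TrustedSid $sid.Admins, $sid.System | Format-Table -AutoSize
```

The same function accepts the object returned by `Get-Acl` for a real folder, so it can be run against each department share.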