Stopping a creator of a folder assigning rights

I need to give a user the ability to create files and folders within a shared folder on my Windows Server 2008 file server. The top level folder is called Shared1. I have removed the inherited Creator Owner at this level and added the user with Modify permissions. Checking the Special Permissions list confirms that the user can read permissions but not change them or assign ownership.

When I test this solution I find that the user can in fact alter the permissions on any folder they create in Shared1 - giving other users access or taking access away.

This user is only a domain user and is not a member of any other groups.

What am I missing here?

Thanks
Asked by Glen_TTL

Steve Knight (IT Consultancy) commented:
As long as the user doesn't have Full Access permissions at the share level they can't change them at all i.e. don't leave it on "Everyone: full control" and rely on the NTFS permissions.  Set it to, say, Domain Admins: Full Control, Authenticated Users: Change and Read (i.e. Modify) or whatever groups are appropriate.

Steve
0
bbao (IT Consultant) commented:
It sounds normal, as it is by design.

> the user can in fact alter the permissions on any folder they create in Shared1

Just double check: are the folders under Shared1 CREATED by this particular user? If yes, it is by design, as the user is the owner, who can certainly control everything the user created.
0
Steve Knight (IT Consultancy) commented:
Change the share permissions for the share they map to so the users get modify not full control then the maximum they have is modify rights.

Steve
0
Coralon commented:
You aren't missing anything. It is working as designed. By default, the Owner of a file always has the ability to modify permissions.

One possibility is to implement some sort of script that would watch for new folders and then immediately remove their ownership, or just on a periodic basis sweep your directory structure and change the owner.  (I'm not sure if regular 2008 has takeown.exe or if you have to download it -- it is definitely in R2).

Coralon
0
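The periodic ownership sweep Coralon describes, as an added example that is not code from the thread. It resets the owner of everything under the share root to the local Administrators group, so the creating user no longer holds the owner's implicit right to change permissions; it covers files as well as folders, since a user owns the files they create too. The root path D:\Shared1 is a placeholder, and the script assumes it runs as a member of the local Administrators group (which may take ownership without extra privileges). It is written for the PowerShell 2.0 that ships with Server 2008.

```powershell
# Added example (not from the thread): sweep D:\Shared1 and hand ownership of every
# file and folder to BUILTIN\Administrators. Run it from a scheduled task as an admin.
# Note the window between creation and the sweep: until the sweep runs, the creator
# is still the owner and can still edit the ACL of what they created.
$Root     = 'D:\Shared1'   # placeholder: the local path behind the Shared1 share
$NewOwner = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

Get-ChildItem -Path $Root -Recurse | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    if ($acl.Owner -ne 'BUILTIN\Administrators') {
        Write-Host ("Resetting owner of {0} (was {1})" -f $_.FullName, $acl.Owner)
        $acl.SetOwner($NewOwner)
        # Only the owner field is rewritten; the existing ACEs are left as they are.
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}
```

Any explicit ACEs the user already added before the sweep remain in place and have to be reviewed separately; the sweep only stops further changes.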
bbao (IT Consultant) commented:
> as the user doesn't have Full Access permissions at the share level they can't change them at all

Per the context, I guess the author does want to give write permissions to the users. The author just doesn't want the users to change ownership and control everything the author defined.
0
Glen_TTL (Author) commented:
@ bbao - you are correct, I need to give the user the ability to create folders and subfolders, I just don't want them to change permissions.  This server is running within a school, so security is pretty important.

@ Steve Knight - I hadn't thought of using the share permissions to restrict the user - normally I just set share permissions to everyone, full control and then use NTFS permissions to apply the necessary rights.  Having just tried this on a test server, it does indeed seem to work - as soon as I remove Full Control from the share permissions, the user can create and delete files and folders but is prevented from changing permissions.

@Coralon - the use of takeown is certainly worth considering, although I'll give Steve's suggestion a try first :-)
0
bbao (IT Consultant) commented:
> as soon as I remove Full Control from the share permissions, the user can create and delete files and folders but is prevented from changing permissions.

Good to know the magic Full Control of SHARE permissions. Honestly, I never noticed the difference between Write and Full Control for SHARE permissions. Like the author, I normally always use NTFS permissions.

Thanks for sharing the hints. :)
0
Glen_TTL (Author) commented:
Like you, I never appreciated there was a difference having both Read and Write selected versus Full Control.  Well, we live and learn!
0
Steve Knight (IT Consultancy) commented:
Glad it works; yes, that is the function of it, from back in the days before NTFS drives, when the permissions were at the share level only. Together with no "map root" drives (\\server\users$\username), that is why so many systems originally had hundreds of shares, one per user home drive etc. (yuk!).

Share permissions are the "most" rights that can be got for the user through that share, so are also useful for temporary restrictions, e.g. instantly turn a whole set of data read only to the users while you are working on it without changing any NTFS etc.

Now, if the user can get to the same data through a different share as well, of course they would still have their NTFS permissions that way, unless you change that too.

Except for special users who might need to adjust permissions, share permissions should never be more than "Change"; add your administrators with Full Control if you want to use the same shares to administer the data yourself.

Steve
0
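Steve's fix applied from the command line, as an added example that is not code from the thread. It (re)creates the Shared1 share with share-level rights capped at Change for ordinary users and Full Control only for administrators, so the creator-owner right to change permissions is never reachable through the share. The path D:\Shared1 and the domain name CONTOSO are placeholders, and the NTFS permissions on the folder are left untouched.

```powershell
# Added example (not from the thread): define the Shared1 share with Change, not
# Full Control, at the share level. Effective rights through a share are the more
# restrictive of share and NTFS rights, so owners of folders they create can still
# create, modify and delete but cannot edit the ACL or take ownership via this share.
$ShareName = 'Shared1'
$SharePath = 'D:\Shared1'      # placeholder: local folder behind the share

# net share fails if the name is already in use, so drop the old definition first.
# Deleting a share definition does not touch the folder or its NTFS permissions.
if (net share | Select-String -Pattern "^\s*$ShareName\s") {
    net share $ShareName /DELETE
}

# Each /GRANT is passed as one quoted token so the comma is not split by PowerShell.
net share "$ShareName=$SharePath" `
    "/GRANT:CONTOSO\Domain Admins,FULL" `
    "/GRANT:Authenticated Users,CHANGE" `
    "/REMARK:Share-level rights capped at Change"

# Print the share definition so the permissions can be checked after the change.
net share $ShareName
```

As Steve notes, this only caps access through this share; a second share onto the same folder with Full Control, or a local logon, would still expose the full NTFS rights.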
Glen_TTL (Author) commented:
Excellent suggestion from Steve - it seems to work perfectly.
0
Question has a verified solution.