Glen Mansbridge

Stopping a creator of a folder assigning rights

I need to give a user the ability to create files and folders within a shared folder on my Windows Server 2008 file server. The top level folder is called Shared1. I have removed the inherited Creator Owner at this level and added the user with Modify permissions. Checking the Special Permissions list confirms that the user can read permissions but not change them or assign ownership.

When I test this solution I find that the user can in fact alter the permissions on any folder they create in Shared1 - giving other users access or taking access away.

This user is only a domain user and is not a member of any other groups.

What am I missing here?

Thanks
bbao

it sounds normal as it is by design.

> the user can in fact alter the permissions on any folder they create in Shared1

just double check, are the folders under Shared1 CREATED by this particular user? if yes, it is by design as the user is the owner who can certainly control everything the user created.

Change the share permissions for the share they map to so the users get Modify, not Full Control; then the maximum they have is modify rights.

Steve

You aren't missing anything. It is working as designed. By default, the Owner of a file always has the ability to modify permissions.

One possibility is to implement some sort of script that would watch for new folders and then immediately remove their ownership, or just on a periodic basis sweep your directory structure and change the owner.  (I'm not sure if regular 2008 has takeown.exe or if you have to download it -- it is definitely in R2).

Coralon

ASKER CERTIFIED SOLUTION
Steve Knight

> as the user doesn't have Full Access permissions at the share level they can't change them at all

per the context, i guess the author does want to give write permissions to the users. the author just doesn't want the users to change ownership and control everything the author defined.

Glen Mansbridge
ASKER

@ bbao - you are correct, I need to give the user the ability to create folders and subfolders, I just don't want them to change permissions.  This server is running within a school, so security is pretty important.

@ Steve Knight - I hadn't thought of using the share permissions to restrict the user - normally I just set share permissions to everyone, full control and then use NTFS permissions to apply the necessary rights.  Having just tried this on a test server, it does indeed seem to work - as soon as I remove Full Control from the share permissions, the user can create and delete files and folders but is prevented from changing permissions.

@Coralon - the use of takeown is certainly worth considering, although I'll give Steve's suggestion a try first :-)
> as soon as I remove Full Control from the share permissions, the user can create and delete files and folders but is prevented from changing permissions.

good to know the magic Full Control of SHARE permissions. honestly i never noticed the difference between Write and Full Control for SHARE permissions. like the author, i normally always use NTFS permissions.

thanks for sharing the hints. :)
Like you, I never appreciated there was a difference having both Read and Write selected versus Full Control.  Well, we live and learn!
Glad it works. Yes, that is the function of it -- back from the days before NTFS drives, so the permissions were at the Share level only... together with no "map root" drives (\\server\users$\username), which is why so many systems have hundreds of shares, originally with one per user home drive etc. (yuk!).

Share permissions are the "most" rights that can be got for the user through that share, so are also useful for temporary restrictions, e.g. instantly turn a whole set of data read only to the users while you are working on it without changing any NTFS etc.

Now if the user can get to the same data through a different share as well, of course they would still have their NTFS permissions that way unless you change that too.

Except for special users who might need to adjust permissions, share permissions should never be more than "change", adding your administrators with full control if you want to use the same shares to administer the data yourself.

Steve
Excellent suggestion from Steve - it seems to work perfectly.
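
The behaviour worked out in this thread, as an added example that is not part of any participant's post: a simplified Python model of how the share ACL caps the rights a folder's owner gets over the network. The access-mask values are the standard Windows ones; the account names, the sample ACLs and the allow-only evaluation (no deny ACEs) are assumptions made for the illustration.

```python
# Added illustration: simplified model of a Windows access check through a share.
# Standard access-right bits.
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000

# Permission sets as access masks (share-level and NTFS use the same bit layout).
FULL_CONTROL = 0x001F01FF      # includes WRITE_DAC and WRITE_OWNER
CHANGE = MODIFY = 0x001301BF   # read/write/delete, no WRITE_DAC or WRITE_OWNER


def granted_by_acl(acl, sids):
    """OR together the allow masks of every entry matching one of the caller's SIDs."""
    mask = 0
    for trustee, allow_mask in acl:
        if trustee in sids:
            mask |= allow_mask
    return mask


def ntfs_rights(folder, sids):
    """NTFS-level rights: DACL grants plus the owner's implicit rights."""
    mask = granted_by_acl(folder["dacl"], sids)
    if folder["owner"] in sids:
        # By default the owner can always read and rewrite the DACL.
        mask |= READ_CONTROL | WRITE_DAC
    return mask


def effective_rights(folder, sids, share_acl=None):
    """Access through a share is capped by the share ACL; share_acl=None means local access."""
    rights = ntfs_rights(folder, sids)
    if share_acl is not None:
        rights &= granted_by_acl(share_acl, sids)
    return rights


def can_change_permissions(folder, sids, share_acl=None):
    return bool(effective_rights(folder, sids, share_acl) & WRITE_DAC)


# Constructed sample: a folder the user created (and therefore owns) inside Shared1.
USER = {"DOMAIN\\pupil", "Everyone"}
FOLDER = {"owner": "DOMAIN\\pupil", "dacl": [("DOMAIN\\pupil", MODIFY)]}
SHARE_OPEN = [("Everyone", FULL_CONTROL)]                               # the original setup
SHARE_CAPPED = [("Everyone", CHANGE), ("DOMAIN\\admins", FULL_CONTROL)]  # Steve's suggestion

if __name__ == "__main__":
    for name, acl in (("Everyone: Full Control", SHARE_OPEN), ("Everyone: Change", SHARE_CAPPED)):
        print(name, "-> owner can change permissions:", can_change_permissions(FOLDER, USER, acl))
```

With the share capped at Change the owner keeps create and delete rights but loses WRITE_DAC; reaching the same folder through another share that still grants Full Control restores it, which is the caveat Steve raises.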