Link to home
Start Free TrialLog in
Avatar of Vincent D
Vincent DFlag for United States of America

asked on

NTFS Owner Permissions

Hi,
Do current owner permissions on NTFS volume on server 2008 R2/2012 R2 still guarantee that the owner can change permissions even when set with deny change permssions/full access for said volume/folder?
Avatar of Mohammed Khawaja
Mohammed Khawaja
Flag of Canada image

Most restrictive access applies and therefore users should not be about to change permissions.
Avatar of Vincent D

ASKER

It is my understanding that you are incorrect. The owner of a folder/volume can change permissions no matter what. Even if denied full access...
What I need to verify is if this is still true or if tech has improved upon it to give more config options in dealing with folder/volume owners
if you don't give the user full access share permissions they can't amend NTFS permissions full stop.

if you are an admin you can take ownership of course which overrides permissions, it works the same for file and folder owners who aren't admins if they are owners of those files

would normally suggest give users lowers access at share level and only anyone who is allowed to change permissions full access share permissions to that or a higher level share, or change then directly on the server drive of course.

Steve
@Steve I don't see where Vincent is talking about shares but "permissions on NTFS volume" and thus in that regard the owner can change permissions even if they are set to deny however since you are talking about a "NTFS volume" you will run into problems if the volume (meaning from the root level of the drive) is set to deny the owner access rights of change and full control. If you tell us what you are trying to accomplish or to fix maybe we can better guide you.
OWNER permissions are different from normal access permissions. If DENY permissions are set, the OWNER can change them or reset the permissions.
Steve you are correct. If someone is included in current owner for folder/volume are they always able to change permissions. Is there any way to block this ability to get around permissions in being a current owner
no. the point of owner is they can make changes, also that administrators can take ownership to regain control lost NTFS control.

As had been said before if this is related to anything accessed through share as opposed to directly on a server then you use share permissions and NTFS permissions too so there users can't change permissions etc.
Right so if someone is admin on server they will always have ability to change permissions or take ownership and then change permissions. So if someone was looking to pervent a junior admin from making permission changes then they should not be administrators but only have admin rights to the files/folders/printers or other  resources that they require. Do you concur?
is this mythical admin logged onto the console of the server or through an rdp connection, which if you don't trust them to do NTFS permissions they probably shouldn't be, or through accessing these files through a share?  if they are through a share just don't give them Full access share permissions.

please elaborate on scenario if needed.

Steve
RDP into server
ASKER CERTIFIED SOLUTION
Avatar of Steve Knight
Steve Knight
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Keep in mind changing these rights need to be done carefully because it is easy to mess up the other users who are also Admins that you do want to have control. You may be better off looking for some monitoring or auditing software to track and notify you when certain users do certain things you don't want them to. As noted by Steve, until we know the real end goal of what you are trying to accomplish there are many different approaches you can take.