NTFS Owner Permissions

Vincent D asked:
Do current owner permissions on an NTFS volume on Server 2008 R2/2012 R2 still guarantee that the owner can change permissions even when set with deny change permissions/full access for said volume/folder?
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Most restrictive access applies and therefore users should not be able to change permissions.
Vincent D (author) commented:
It is my understanding that you are incorrect. The owner of a folder/volume can change permissions no matter what, even if denied full access...
Vincent D (author) commented:
What I need to verify is whether this is still true, or if the technology has improved upon it to give more configuration options for dealing with folder/volume owners.
Steve Knight (IT Consultancy) commented:
If you don't give the user full access share permissions they can't amend NTFS permissions, full stop.

If you are an admin you can take ownership of course, which overrides permissions; it works the same for file and folder owners who aren't admins if they are owners of those files.

I would normally suggest giving users lower access at the share level, and only anyone who is allowed to change permissions gets full access share permissions to that or a higher-level share, or change them directly on the server drive, of course.

Lionel MM (Small Business IT Consultant) commented:
@Steve, I don't see where Vincent is talking about shares but "permissions on NTFS volume", and in that regard the owner can change permissions even if they are set to deny. However, since you are talking about an "NTFS volume", you will run into problems if the volume (meaning from the root level of the drive) is set to deny the owner the access rights of change and full control. If you tell us what you are trying to accomplish or to fix, maybe we can better guide you.
OWNER permissions are different from normal access permissions. If DENY permissions are set, the OWNER can change them or reset the permissions.
Vincent D (author) commented:
Steve, you are correct. If someone is included in current owner for a folder/volume, are they always able to change permissions? Is there any way to block this ability to get around permissions by being a current owner?
Steve Knight (IT Consultancy) commented:
No. The point of owner is that they can make changes, and also that administrators can take ownership to regain lost NTFS control.

As has been said before, if this is related to anything accessed through a share as opposed to directly on a server, then you use share permissions and NTFS permissions too, so users there can't change permissions etc.
Vincent D (author) commented:
Right, so if someone is an admin on the server they will always have the ability to change permissions, or take ownership and then change permissions. So if someone was looking to prevent a junior admin from making permission changes, then they should not be administrators but only have admin rights to the files/folders/printers or other resources that they require. Do you concur?
Steve Knight (IT Consultancy) commented:
Is this mythical admin logged onto the console of the server or through an RDP connection (which, if you don't trust them to do NTFS permissions, they probably shouldn't be), or accessing these files through a share? If they are through a share, just don't give them Full access share permissions.

Please elaborate on the scenario if needed.

Vincent D (author) commented:
RDP into server.
Steve Knight (IT Consultancy) commented:
OK, well then you may want to consider removing their user right "Take ownership of files or other objects" through local policy on the server or group policy, e.g. secpol.msc, Security Settings, Local Policies, User Rights Assignment. By default that is the Administrators group, which of course will normally include your domain admins or whatever other group you allow the right to log on to your server through RDP.

Then they can't take ownership of anything existing that they don't have rights to. Once on the server, if they have full access rights through whatever group to a set of dirs or files then they can adjust those files, so don't give them such access if so -- e.g. create a "Group_Helpdesk" or the like which can allow them to change certain files and has the "log on locally" user right so they can log on to the server, but isn't listed in the NTFS permissions which, say, contain the Administrators or Domain Admins group.

Lots of ways of getting really deeply into nested levels of admins, especially for large companies who don't allow access in certain ways. A lot of companies, for instance, will simply not allow junior admins and 1st line any admin access BUT will allow access to containers with shared permission groups in AD so they can add users to the relevant groups which are in the NTFS permissions already.

So what I am getting at is you need to work out what you DO want or DON'T want specifically and aim as close as possible to that, asking here if wanted, but at the moment we are just guessing really what you are trying to do.
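As an added example (not part of the thread or any poster's code), here is a PowerShell audit that reports the two things Steve's answer revolves around: folders whose owner is not an administrative principal yet carry Deny entries (which the owner can still rewrite, because Windows grants the owner READ_CONTROL and WRITE_DAC implicitly unless an OWNER RIGHTS ACE, SID S-1-3-4, is present), and the accounts currently holding the "Take ownership of files or other objects" user right. It assumes it is run elevated on the server itself, since `secedit /export` needs that; `-Root` and `-TrustedOwners` are parameters I chose for the example.

```powershell
# Audit-OwnerOverride.ps1 (illustrative example, not from the original thread)
param(
    [Parameter(Mandatory)][string]$Root,
    [string[]]$TrustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Get-OwnerRisk {
    param([string]$Path)
    $acl    = Get-Acl -LiteralPath $Path
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    # An ACE for the OWNER RIGHTS SID (S-1-3-4) replaces the owner's implicit
    # READ_CONTROL/WRITE_DAC; without one the owner can always rewrite the DACL.
    $ownerRightsAce = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' }
    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        OwnerIsTrusted      = $TrustedOwners -contains $acl.Owner
        DenyEntries         = ($denies | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        OwnerCanRewriteDacl = -not $ownerRightsAce
    }
}

function Get-TakeOwnershipHolders {
    # secedit writes the local policy as an INF; [Privilege Rights] lists SIDs per right.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /quiet | Out-Null
    $line = Get-Content -LiteralPath $inf | Where-Object { $_ -like 'SeTakeOwnershipPrivilege*' }
    Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right is assigned to nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {   # entries prefixed with * are SIDs; resolve to names
            $sid = New-Object System.Security.Principal.SecurityIdentifier $entry.Substring(1)
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else { $entry }
    }
}

# Folders a non-admin owns that rely on Deny ACEs: the Deny does not bind the owner.
Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-OwnerRisk -Path $_.FullName } |
    Where-Object { -not $_.OwnerIsTrusted -and $_.DenyEntries } |
    Format-Table -AutoSize

"Accounts holding 'Take ownership of files or other objects':"
Get-TakeOwnershipHolders
```

Review the second list against the RDP-allowed groups: anyone on it can reclaim any folder regardless of the DACL, which is the route the thread's junior admin would otherwise have.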


Lionel MM (Small Business IT Consultant) commented:
Keep in mind that changing these rights needs to be done carefully, because it is easy to mess up the other users who are also Admins that you do want to have control. You may be better off looking for some monitoring or auditing software to track and notify you when certain users do certain things you don't want them to. As noted by Steve, until we know the real end goal of what you are trying to accomplish, there are many different approaches you can take.