Vincent D
asked on
NTFS Owner Permissions
Hi,
Do current owner permissions on NTFS volume on server 2008 R2/2012 R2 still guarantee that the owner can change permissions even when set with deny change permssions/full access for said volume/folder?
Do current owner permissions on NTFS volume on server 2008 R2/2012 R2 still guarantee that the owner can change permissions even when set with deny change permssions/full access for said volume/folder?
Most restrictive access applies and therefore users should not be about to change permissions.
ASKER
It is my understanding that you are incorrect. The owner of a folder/volume can change permissions no matter what. Even if denied full access...
ASKER
What I need to verify is if this is still true or if tech has improved upon it to give more config options in dealing with folder/volume owners
if you don't give the user full access share permissions they can't amend NTFS permissions full stop.
if you are an admin you can take ownership of course which overrides permissions, it works the same for file and folder owners who aren't admins if they are owners of those files
would normally suggest give users lowers access at share level and only anyone who is allowed to change permissions full access share permissions to that or a higher level share, or change then directly on the server drive of course.
Steve
if you are an admin you can take ownership of course which overrides permissions, it works the same for file and folder owners who aren't admins if they are owners of those files
would normally suggest give users lowers access at share level and only anyone who is allowed to change permissions full access share permissions to that or a higher level share, or change then directly on the server drive of course.
Steve
@Steve I don't see where Vincent is talking about shares but "permissions on NTFS volume" and thus in that regard the owner can change permissions even if they are set to deny however since you are talking about a "NTFS volume" you will run into problems if the volume (meaning from the root level of the drive) is set to deny the owner access rights of change and full control. If you tell us what you are trying to accomplish or to fix maybe we can better guide you.
OWNER permissions are different from normal access permissions. If DENY permissions are set, the OWNER can change them or reset the permissions.
ASKER
Steve you are correct. If someone is included in current owner for folder/volume are they always able to change permissions. Is there any way to block this ability to get around permissions in being a current owner
no. the point of owner is they can make changes, also that administrators can take ownership to regain control lost NTFS control.
As had been said before if this is related to anything accessed through share as opposed to directly on a server then you use share permissions and NTFS permissions too so there users can't change permissions etc.
As had been said before if this is related to anything accessed through share as opposed to directly on a server then you use share permissions and NTFS permissions too so there users can't change permissions etc.
ASKER
Right so if someone is admin on server they will always have ability to change permissions or take ownership and then change permissions. So if someone was looking to pervent a junior admin from making permission changes then they should not be administrators but only have admin rights to the files/folders/printers or other resources that they require. Do you concur?
is this mythical admin logged onto the console of the server or through an rdp connection, which if you don't trust them to do NTFS permissions they probably shouldn't be, or through accessing these files through a share? if they are through a share just don't give them Full access share permissions.
please elaborate on scenario if needed.
Steve
please elaborate on scenario if needed.
Steve
ASKER
RDP into server
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Keep in mind changing these rights need to be done carefully because it is easy to mess up the other users who are also Admins that you do want to have control. You may be better off looking for some monitoring or auditing software to track and notify you when certain users do certain things you don't want them to. As noted by Steve, until we know the real end goal of what you are trying to accomplish there are many different approaches you can take.