I'm trying to build a share where users can create and manage their own files, but not those belonging to others.
Steps I've taken:
- I create the folder 'sharename', remove all inheritance
- add domain and local admins with "full Control" access.
- add "Creator/Owner" with all advanced permissions except "full Control", "Change permissions", and "Take ownership"
- add Authenticated Users with "Traverse folder/execute file", "List folder/read data", "Read attributes", "Create Files/write Data", and "Read permissions"
So here's the issue: When USER_A creates a file on the share, their user ID becomes the owner of the file, and they should get all of the permissions granted to the owner as noted above, but what happens is that they get those, but in addition they also get the "change permissions" access.
Where does that "change permissions" access come from, and how can I prevent the user from getting it when they create a file?