Link to home
Start Free TrialLog in
Avatar of Intelli-Seeker
Intelli-SeekerFlag for United States of America

asked on

how do I prevent NTFS "change permissions" from being granted to the owner of files on Windows 2012 shared folder?

I'm trying to build a share where users can create and manage their own files, but not those belonging to others.  
Steps I've taken:
  1. I create the folder 'sharename', remove all inheritance
  2. add domain and local admins with "full Control" access.
  3. add "Creator/Owner" with all advanced permissions except "full Control", "Change permissions", and "Take ownership"
  4. add Authenticated Users with "Traverse folder/execute file", "List folder/read data", "Read attributes", "Create Files/write Data", and "Read permissions"
So here's the issue:  When USER_A creates a file on the share, their user ID becomes the owner of the file, and they should get all of the permissions granted to the owner as noted above, but what happens is that they get those, but in addition they also get the "change permissions" access.

Where does that "change permissions" access come from, and how can I prevent the user from getting it when they create a file?
Avatar of Robert Retzer
Robert Retzer
Flag of Canada image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Intelli-Seeker


I guess I should have realized this.  Getting caught up in the weeds a bit.  Thanks!
It happens to all of us.... we often need another person who may see the problem from a different angle. We all often over look the obvious. Thanks for awarding the points...