how do I prevent NTFS "change permissions" from being granted to the owner of files on Windows 2012 shared folder?
I'm trying to build a share where users can create and manage their own files, but not those belonging to others.
Steps I've taken:
So here's the issue: When USER_A creates a file on the share, their user ID becomes the owner of the file, and they should get all of the permissions granted to the owner as noted above, but what happens is that they get those, but in addition they also get the "change permissions" access.
Where does that "change permissions" access come from, and how can I prevent the user from getting it when they create a file?
Steps I've taken:
- I create the folder 'sharename', remove all inheritance
- add domain and local admins with "full Control" access.
- add "Creator/Owner" with all advanced permissions except "full Control", "Change permissions", and "Take ownership"
- add Authenticated Users with "Traverse folder/execute file", "List folder/read data", "Read attributes", "Create Files/write Data", and "Read permissions"
So here's the issue: When USER_A creates a file on the share, their user ID becomes the owner of the file, and they should get all of the permissions granted to the owner as noted above, but what happens is that they get those, but in addition they also get the "change permissions" access.
Where does that "change permissions" access come from, and how can I prevent the user from getting it when they create a file?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It happens to all of us.... we often need another person who may see the problem from a different angle. We all often over look the obvious. Thanks for awarding the points...
ASKER