Re: NTFS folder permissions - Creator Owner issue (I think)



Roger,

Sorry, I was confusing the issue by calling it a group - I do realise it's a
placeholder. From what you're telling me an owner has rights that cannot be
overridden. As we are allowing staff to create subfolders (they then become
the owner), we will not be able to prevent them having the rights of an
owner, which seems to include the right to change permissions whether we want
them to have that right or not.

Anyway, thanks for all your patience and help.

Regards,

Fiona


"Roger Abell [MVP]" wrote:

>
> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:266F5017-7818-439A-A60A-7D9B3498BBE3@xxxxxxxxxxxxxxxx
> > Roger,
> >
> > Thank you very much for your help.
> >
> > You're saying that this group can change permissions even when not expressly
> > granted the permission to change permissions or denied it, but I have never
>
> No, that is not what I said.
> I said that the owner of an object can change the object's permission
> whether the owner is (directly or indirectly) granted that permission or
> even whether explicitly denied that permission.
> I did not state this about the Creator Owner "group" but about the Owner.
>
> > read this anywhere, and can't seem to find any documentation on it on the
> > net. (I do believe you as I have seen the results!) I'd like to read up on
> > the rights that this group has that I am not aware of.
> >
>
> It is not really a group, although it appears like one.
> Creator Owner is a placeholder. You will find its use is normally set
> to inherit onto contained/child objects. When a new object is created
> the grant to Creator Owner becomes a real grant to the creator of the
> permissions stated with the Creator Owner grant on the container.
> The account that creates the object does become owner, and does
> have the rights of an owner, no matter what is or is not granted with
> the use of Creator Owner.
>
> > We would really like to prevent users changing the permissions on folders
> > because they tend to lock themselves and IT support out of them. Do you
> > know of any method of doing this?
> >
>
> You must take away ownership and then the NTFS security permissions
> will control their actions. While they own (as they do of anything they
> create) you can only hinder, not prevent.
>
>
> > "Roger Abell [MVP]" wrote:
> >
> >>
> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:77E028E8-8366-4069-A32A-F71710489B04@xxxxxxxxxxxxxxxx
> >> > Hi all,
> >> >
> >> > I need to set up the permissions on a folder so that:
> >> >
> >> > For users in Group 1:
> >> > Anyone can create a file or subfolder.
> >> > Anyone can edit any file.
> >> > Anyone can copy and paste any file or subfolder.
> >> > Only the owner can delete, rename or move a file or folder
> >> > Anyone can view permissions
> >> > No one can change permissions or take ownership
> >> >
> >>
> >> I doubt that that combination can be attained.
> >> The issue is in that some files are changed by use of a temp
> >> file that is renamed with the original deleted.
> >>
> >> > For users in Group 2:
> >> > They can create, edit, copy and paste, delete, rename or move any file
> >> > or folder, and view permissions.
> >> > They cannot change permissions or take ownership
> >> >
> >> > For Group 1, I ticked R&E, List, R and W in basic settings, and then
> >> > added a Creator Owner group to which I gave modify rights. This got me
> >> > pretty close to what I need, except:
> >> >
> >> > (1) when trying to move a file or folder, an error message appears as
> >> > expected for the file, but the folder error message says '...cannot
> >> > copy...' and then copies just the folder. I suppose it doesn't actually
> >> > move it but this will be confusing for the users
> >> >
> >> > (2) test user can change the permissions on own folders, definitely
> >> > what I don't want. (On checking the advanced permissions it explicitly
> >> > shows that change permissions is NOT ticked)
> >>
> >> The owner can always change permissions even when they are not
> >> granted the permission to change permissions or denied it. Think of
> >> the permission to change permissions as something only important
> >> for non-owners.
> >>
> >> >
> >> > For permission set 2 I was thinking of giving Modify permissions but,
> >> > again, this allows users to change permissions on their own folders.
> >> >
> >>
> >> It is not the Modify grant that allows this but being owner that does.
> >>
> >> > I wonder if there is a simple explanation?
> >> >
> >> > Regards
> >> >
> >> > Fiona Laufs
> >> >
> >>
> >>
> >>
>
>
>
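
The thread's one remedy is to take ownership away so that the NTFS permissions govern what staff can do. The script below is an added example, not part of the original posts: it lists subfolders that are not owned by BUILTIN\Administrators and, with -Fix, hands ownership to that group. The share path and the choice of Administrators as the new owner are assumptions.

```powershell
# Added example, not from the thread. $Root is a hypothetical path.
# Run from an elevated session so takeown.exe can use the take-ownership privilege.
param(
    [string]$Root = 'D:\Shares\Staff',  # hypothetical shared folder
    [switch]$Fix                        # without -Fix the script only reports
)

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

$dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue
$results = foreach ($dir in $dirs) {
    try {
        # Reading the owner needs READ_CONTROL. A folder whose owner has removed
        # everyone else from the ACL fails here and is reported as unreadable.
        $acl   = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $owner = '<unreadable>'
    }
    if ($owner -eq $adminSid) { continue }   # already owned by Administrators

    $action = 'report only'
    if ($Fix) {
        # /A assigns ownership to the Administrators group instead of the caller.
        & takeown.exe /F $dir.FullName /A | Out-Null
        $action = if ($LASTEXITCODE -eq 0) { 'owner reset' } else { 'takeown failed' }
    }
    [pscustomobject]@{ Path = $dir.FullName; Owner = $owner; Action = $action }
}

$results | Format-Table -AutoSize
```

Because the creating account becomes owner of every new folder, the reset has to be repeated, for example as a scheduled task. Folders that could not be enumerated on the first pass show up on the next run once their parent's owner has been reset.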