Re: NTFS folder permissions - Creator Owner issue (I think)
- From: "Paul Baker" <paulb@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 12:39:29 -0500
Are you aware that you can prevent permissions being given to the Creator
Owner when they create a folder simply by removing the CREATOR OWNER access
control. It's default, not hardcoded, behaviour.
Paul
"F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:66363F0F-1388-4A12-89DB-97761A246275@xxxxxxxxxxxxxxxx
> Roger,
>
> Sorry, I was confusing the issue by calling it a group - I do realise its
> a
> placeholder. From what you're telling me an owner has rights that cannot
> be
> overridden. As we are allowing staff to create subfolders (they then
> become
> the owner), we will not be able to prevent them having the rights of an
> owner, which seems to include the right to change permissions whether we
> want
> them to have that right or not.
>
> Anyway, thanks for all your patience and help.
>
> Regards,
>
> Fiona
>
>
> "Roger Abell [MVP]" wrote:
>
>>
>> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:266F5017-7818-439A-A60A-7D9B3498BBE3@xxxxxxxxxxxxxxxx
>> > Roger,
>> >
>> > Thank you very much for your help.
>> >
>> > You're saying that this group can change permissions even when not
>> > expressly
>> > granted the permission to change permissions or denied it, but I have
>> > never
>>
>> No, that is not what I said.
>> I said that the owner of an object can change the object's permission
>> whether the owner is (directly or indirectly) granted that permissions or
>> even whether explicitly denied that permissions.
>> I did not state this about the Creator Owner "group" but about the Owner.
>>
>> > read this anywhere, and can't seem to find any documentation on it on
>> > the
>> > net. (I do believe you as I have seen the results!) I'd like to read
>> > up
>> > on
>> > the rights that this group has that I am not aware of.
>> >
>>
>> It is not really a group, although it appears like one.
>> Creator Owner is a placeholder. You will find its use is normally set
>> to inherit onto contained/child objects. When a new object is created
>> the grant to Creator Owner becomes a real grant to the creator or the
>> permissions stated with the Creator Owner grant on the container.
>> The account that creates the object does become owner, and does
>> have the rights of an owner, not matter what is or is not granted with
>> the use of Creator Owner.
>>
>> > We would really like to prevent users changing the permissions on
>> > folders
>> > because they tend to lock themselves and IT support out of them. Do
>> > you
>> > know
>> > of any method of doing this?
>> >
>>
>> You must take away ownership and then the NTFS security permissions
>> will control their actions. While they own (as they do of anything they
>> create)
>> you can only hinder, not prevent.
>>
>>
>> > "Roger Abell [MVP]" wrote:
>> >
>> >>
>> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:77E028E8-8366-4069-A32A-F71710489B04@xxxxxxxxxxxxxxxx
>> >> > Hi all,
>> >> >
>> >> > I need to set up the permissions on a folder so that:
>> >> >
>> >> > For users in Group 1:
>> >> > Anyone can create a file or subfolder.
>> >> > Anyone can edit any file.
>> >> > Anyone can copy and paste any file or subfolder.
>> >> > Only the owner can, delete, rename or move a file or folder
>> >> > Anyone can view permissions
>> >> > Noone can change permissions or take ownership
>> >> >
>> >>
>> >> I doubt that that combination can be attained.
>> >> The issue is in that some files are changed by use of a temp
>> >> file that is renamed with the original deleted.
>> >>
>> >> > For users in Group 2:
>> >> > They can create, edit, copy and paste, delete, rename or move any
>> >> > file
>> >> > or folder, and view permissions.
>> >> > They can not changer permissions or take ownership
>> >> >
>> >> > For Group 1, I ticked R&E, List, R and W in basic settings, and then
>> >> > added
>> >> > a
>> >> > Creator Owner group to which I gave modify rights. This got me
>> >> > pretty
>> >> > close
>> >> > to what I need, except:
>> >> >
>> >> > (1) when trying to move a file or folder, an error message appears
>> >> > as
>> >> > expected for the file, but the folder error message says '...cannot
>> >> > copy...'
>> >> > and then copies just the folder. I suppose it doesn't actually move
>> >> > it
>> >> > but
>> >> > this will be confusing for the users
>> >> >
>> >> > (2) test user can change the permissions on own folders, definitely
>> >> > what I
>> >> > don't want. (On checking the advanced permissions it explicitly
>> >> > shows
>> >> > that
>> >> > change permissions is NOT ticked)
>> >>
>> >> The owner can always change permissions even when they are not
>> >> granted the permission to change permissions or denied it. Think of
>> >> the permission to change permissions as something only important
>> >> for non-owners.
>> >>
>> >> >
>> >> > For permission set 2 I was thinking of giving Modify permissions
>> >> > but,
>> >> > again,
>> >> > this allows users to change permissions on their own folders.
>> >> >
>> >>
>> >> It is not the Modify grant that allows this but being owner that does.
>> >>
>> >> > I wonder if there is a simple explanation?
>> >> >
>> >> > Regards
>> >> >
>> >> > Fiona Laufs
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
.
- Follow-Ups:
- References:
- Re: NTFS folder permissions - Creator Owner issue (I think)
- From: Roger Abell [MVP]
- Re: NTFS folder permissions - Creator Owner issue (I think)
- From: F Laufs
- Re: NTFS folder permissions - Creator Owner issue (I think)
- From: Roger Abell [MVP]
- Re: NTFS folder permissions - Creator Owner issue (I think)
- From: F Laufs
- Re: NTFS folder permissions - Creator Owner issue (I think)
- Prev by Date: Re: NTFS folder permissions - Creator Owner issue (I think)
- Next by Date: Re: VIRUS TOTAL RESULTS
- Previous by thread: Re: NTFS folder permissions - Creator Owner issue (I think)
- Next by thread: Re: NTFS folder permissions - Creator Owner issue (I think)
- Index(es):
Relevant Pages
|
