Re: NTFS folder permissions - Creator Owner issue (I think)

Yes, I figured out that if I took the creator owner placeholder out of the
list then I woudlnt have this problme from reading other peoples posts.
However, I am using the creator owner placeholder to ensure that staff can
only delete their own files and folders and not other peoples.

Users get Read & Execute, List Folder Contents, Read and Write, and the
Creator-Owner gets Modify.

Maybe there's another way of getting the same result?

Regards,

Fiona

"Paul Baker" wrote:

> Are you aware that you can prevent permissions being given to the Creator
> Owner when they create a folder simply by removing the CREATOR OWNER access
> control. It's default, not hardcoded, behaviour.
>
> Paul
>
> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:66363F0F-1388-4A12-89DB-97761A246275@xxxxxxxxxxxxxxxx
> > Roger,
> >
> > Sorry, I was confusing the issue by calling it a group - I do realise its
> > a
> > placeholder. From what you're telling me an owner has rights that cannot
> > be
> > overridden. As we are allowing staff to create subfolders (they then
> > become
> > the owner), we will not be able to prevent them having the rights of an
> > owner, which seems to include the right to change permissions whether we
> > want
> > them to have that right or not.
> >
> > Anyway, thanks for all your patience and help.
> >
> > Regards,
> >
> > Fiona
> >
> >
> > "Roger Abell [MVP]" wrote:
> >
> >>
> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:266F5017-7818-439A-A60A-7D9B3498BBE3@xxxxxxxxxxxxxxxx
> >> > Roger,
> >> >
> >> > Thank you very much for your help.
> >> >
> >> > You're saying that this group can change permissions even when not
> >> > expressly
> >> > granted the permission to change permissions or denied it, but I have
> >> > never
> >>
> >> No, that is not what I said.
> >> I said that the owner of an object can change the object's permission
> >> whether the owner is (directly or indirectly) granted that permissions or
> >> even whether explicitly denied that permissions.
> >> I did not state this about the Creator Owner "group" but about the Owner.
> >>
> >> > read this anywhere, and can't seem to find any documentation on it on
> >> > the
> >> > net. (I do believe you as I have seen the results!) I'd like to read
> >> > up
> >> > on
> >> > the rights that this group has that I am not aware of.
> >> >
> >>
> >> It is not really a group, although it appears like one.
> >> Creator Owner is a placeholder. You will find its use is normally set
> >> to inherit onto contained/child objects. When a new object is created
> >> the grant to Creator Owner becomes a real grant to the creator or the
> >> permissions stated with the Creator Owner grant on the container.
> >> The account that creates the object does become owner, and does
> >> have the rights of an owner, not matter what is or is not granted with
> >> the use of Creator Owner.
> >>
> >> > We would really like to prevent users changing the permissions on
> >> > folders
> >> > because they tend to lock themselves and IT support out of them. Do
> >> > you
> >> > know
> >> > of any method of doing this?
> >> >
> >>
> >> You must take away ownership and then the NTFS security permissions
> >> will control their actions. While they own (as they do of anything they
> >> create)
> >> you can only hinder, not prevent.
> >>
> >>
> >> > "Roger Abell [MVP]" wrote:
> >> >
> >> >>
> >> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:77E028E8-8366-4069-A32A-F71710489B04@xxxxxxxxxxxxxxxx
> >> >> > Hi all,
> >> >> >
> >> >> > I need to set up the permissions on a folder so that:
> >> >> >
> >> >> > For users in Group 1:
> >> >> > Anyone can create a file or subfolder.
> >> >> > Anyone can edit any file.
> >> >> > Anyone can copy and paste any file or subfolder.
> >> >> > Only the owner can, delete, rename or move a file or folder
> >> >> > Anyone can view permissions
> >> >> > Noone can change permissions or take ownership
> >> >> >
> >> >>
> >> >> I doubt that that combination can be attained.
> >> >> The issue is in that some files are changed by use of a temp
> >> >> file that is renamed with the original deleted.
> >> >>
> >> >> > For users in Group 2:
> >> >> > They can create, edit, copy and paste, delete, rename or move any
> >> >> > file
> >> >> > or folder, and view permissions.
> >> >> > They can not changer permissions or take ownership
> >> >> >
> >> >> > For Group 1, I ticked R&E, List, R and W in basic settings, and then
> >> >> > added
> >> >> > a
> >> >> > Creator Owner group to which I gave modify rights. This got me
> >> >> > pretty
> >> >> > close
> >> >> > to what I need, except:
> >> >> >
> >> >> > (1) when trying to move a file or folder, an error message appears
> >> >> > as
> >> >> > expected for the file, but the folder error message says '...cannot
> >> >> > copy...'
> >> >> > and then copies just the folder. I suppose it doesn't actually move
> >> >> > it
> >> >> > but
> >> >> > this will be confusing for the users
> >> >> >
> >> >> > (2) test user can change the permissions on own folders, definitely
> >> >> > what I
> >> >> > don't want. (On checking the advanced permissions it explicitly
> >> >> > shows
> >> >> > that
> >> >> > change permissions is NOT ticked)
> >> >>
> >> >> The owner can always change permissions even when they are not
> >> >> granted the permission to change permissions or denied it. Think of
> >> >> the permission to change permissions as something only important
> >> >> for non-owners.
> >> >>
> >> >> >
> >> >> > For permission set 2 I was thinking of giving Modify permissions
> >> >> > but,
> >> >> > again,
> >> >> > this allows users to change permissions on their own folders.
> >> >> >
> >> >>
> >> >> It is not the Modify grant that allows this but being owner that does.
> >> >>
> >> >> > I wonder if there is a simple explanation?
> >> >> >
> >> >> > Regards
> >> >> >
> >> >> > Fiona Laufs
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
.

Relevant Pages

  • Re: Folder permission
    ... The owner of an object will always be able to do anything with it. ... The only way to prevent that individual from altering the permissions ... >> Creator Owner normal use is to apply to things created within the place ... >>> the folder had been remove inherit and copy all permisson to this ...
    (microsoft.public.win2000.security)
  • Re: NTFS folder permissions - Creator Owner issue (I think)
    ... Are you aware that you can prevent permissions being given to the Creator ... Owner when they create a folder simply by removing the CREATOR OWNER access ... which seems to include the right to change permissions whether we ...
    (microsoft.public.security)
  • Re: NTFS folder permissions - Creator Owner issue (I think)
    ... From what you're telling me an owner has rights that cannot ... which seems to include the right to change permissions whether we ... >> the grant to Creator Owner becomes a real grant to the creator or the ...
    (microsoft.public.security)
  • Re: Third-party/scipted ACE/ACL listings
    ... Assuming this is not about local file-access, ... The NTFS-permissions wil be 'Creator Owner' - 'Full Control', ... then you just define this in a security template ...
    (microsoft.public.windows.server.scripting)
  • Re: NTFS folder permissions - Creator Owner issue (I think)
    ... You can add that deny but it is something the owner can still ... You can explicitly deny the owner the permission to ... set permissions, heck you may even explicitly deny full, and ... > Can't you simply add a CREATOR OWNER access control which denies delete ...
    (microsoft.public.security)