Re: NTFS folder permissions - Creator Owner issue (I think)
- From: "Paul Baker" <paulb@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 13:22:51 -0500
Forgive me, but I am going to have to ask you to take a step back here.
Which access controls do you have on the folder in which people are creating
these files and folders and give an example of a situation in which someone
is given permissions that you do not intend them to have.
Paul
"F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C7ED4834-1C38-4056-A2F4-DB5722435131@xxxxxxxxxxxxxxxx
> Yes, I figured out that if I took the creator owner placeholder out of the
> list then I wouldn't have this problem from reading other people's posts.
> However, I am using the creator owner placeholder to ensure that staff can
> only delete their own files and folders and not other people's.
>
> Users get Read & Execute, List Folder Contents, Read and Write, and the
> Creator-Owner gets Modify.
>
> Maybe there's another way of getting the same result?
>
> Regards,
>
> Fiona
>
> "Paul Baker" wrote:
>
>> Are you aware that you can prevent permissions being given to the Creator
>> Owner when they create a folder simply by removing the CREATOR OWNER
>> access control. It's default, not hardcoded, behaviour.
>>
>> Paul
>>
>> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:66363F0F-1388-4A12-89DB-97761A246275@xxxxxxxxxxxxxxxx
>> > Roger,
>> >
>> > Sorry, I was confusing the issue by calling it a group - I do realise
>> > it's a placeholder. From what you're telling me an owner has rights that
>> > cannot be overridden. As we are allowing staff to create subfolders (they
>> > then become the owner), we will not be able to prevent them having the
>> > rights of an owner, which seems to include the right to change
>> > permissions whether we want them to have that right or not.
>> >
>> > Anyway, thanks for all your patience and help.
>> >
>> > Regards,
>> >
>> > Fiona
>> >
>> >
>> > "Roger Abell [MVP]" wrote:
>> >
>> >>
>> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:266F5017-7818-439A-A60A-7D9B3498BBE3@xxxxxxxxxxxxxxxx
>> >> > Roger,
>> >> >
>> >> > Thank you very much for your help.
>> >> >
>> >> > You're saying that this group can change permissions even when not
>> >> > expressly granted the permission to change permissions or denied it,
>> >> > but I have never
>> >>
>> >> No, that is not what I said.
>> >> I said that the owner of an object can change the object's permission
>> >> whether the owner is (directly or indirectly) granted that permission
>> >> or even whether explicitly denied that permission.
>> >> I did not state this about the Creator Owner "group" but about the
>> >> Owner.
>> >>
>> >> > read this anywhere, and can't seem to find any documentation on it on
>> >> > the net. (I do believe you as I have seen the results!) I'd like to
>> >> > read up on the rights that this group has that I am not aware of.
>> >> >
>> >>
>> >> It is not really a group, although it appears like one.
>> >> Creator Owner is a placeholder. You will find its use is normally set
>> >> to inherit onto contained/child objects. When a new object is created
>> >> the grant to Creator Owner becomes a real grant to the creator of the
>> >> permissions stated with the Creator Owner grant on the container.
>> >> The account that creates the object does become owner, and does
>> >> have the rights of an owner, no matter what is or is not granted with
>> >> the use of Creator Owner.
>> >>
>> >> > We would really like to prevent users changing the permissions on
>> >> > folders because they tend to lock themselves and IT support out of
>> >> > them. Do you know of any method of doing this?
>> >> >
>> >>
>> >> You must take away ownership and then the NTFS security permissions
>> >> will control their actions. While they own (as they do of anything
>> >> they create) you can only hinder, not prevent.
>> >>
>> >>
>> >> > "Roger Abell [MVP]" wrote:
>> >> >
>> >> >>
>> >> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:77E028E8-8366-4069-A32A-F71710489B04@xxxxxxxxxxxxxxxx
>> >> >> > Hi all,
>> >> >> >
>> >> >> > I need to set up the permissions on a folder so that:
>> >> >> >
>> >> >> > For users in Group 1:
>> >> >> > Anyone can create a file or subfolder.
>> >> >> > Anyone can edit any file.
>> >> >> > Anyone can copy and paste any file or subfolder.
>> >> >> > Only the owner can delete, rename or move a file or folder
>> >> >> > Anyone can view permissions
>> >> >> > No one can change permissions or take ownership
>> >> >> >
>> >> >>
>> >> >> I doubt that that combination can be attained.
>> >> >> The issue is in that some files are changed by use of a temp
>> >> >> file that is renamed with the original deleted.
>> >> >>
>> >> >> > For users in Group 2:
>> >> >> > They can create, edit, copy and paste, delete, rename or move
>> >> >> > any file or folder, and view permissions.
>> >> >> > They cannot change permissions or take ownership
>> >> >> >
>> >> >> > For Group 1, I ticked R&E, List, R and W in basic settings, and
>> >> >> > then added a Creator Owner group to which I gave modify rights.
>> >> >> > This got me pretty close to what I need, except:
>> >> >> >
>> >> >> > (1) when trying to move a file or folder, an error message
>> >> >> > appears as expected for the file, but the folder error message
>> >> >> > says '...cannot copy...' and then copies just the folder. I
>> >> >> > suppose it doesn't actually move it but this will be confusing
>> >> >> > for the users
>> >> >> >
>> >> >> > (2) test user can change the permissions on own folders,
>> >> >> > definitely what I don't want. (On checking the advanced
>> >> >> > permissions it explicitly shows that change permissions is NOT
>> >> >> > ticked)
>> >> >>
>> >> >> The owner can always change permissions even when they are not
>> >> >> granted the permission to change permissions or denied it. Think
>> >> >> of the permission to change permissions as something only
>> >> >> important for non-owners.
>> >> >>
>> >> >> >
>> >> >> > For permission set 2 I was thinking of giving Modify permissions
>> >> >> > but, again, this allows users to change permissions on their own
>> >> >> > folders.
>> >> >> >
>> >> >>
>> >> >> It is not the Modify grant that allows this but being owner that
>> >> >> does.
>> >> >>
>> >> >> > I wonder if there is a simple explanation?
>> >> >> >
>> >> >> > Regards
>> >> >> >
>> >> >> > Fiona Laufs
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
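
The behaviour described in this thread, as an added example that is not part of any poster's message: a simplified Python model of the NTFS access check showing CREATOR OWNER resolving to the creator, the owner's implicit right to change permissions, and the effect of taking ownership away. The `Obj` class, the helper functions and the account names are constructed for illustration, and the model assumes no OWNER RIGHTS ACE (available on Windows Vista/Server 2008 and later) is present.

```python
# Added example: simplified model of the NTFS access check discussed in this thread.
READ, WRITE = 0x1, 0x2                          # stand-ins for file-specific rights
DELETE, READ_CONTROL, WRITE_DAC = 0x10000, 0x20000, 0x40000  # Windows standard rights
USER_RW = READ | WRITE | READ_CONTROL           # roughly Read & Execute plus Write
MODIFY = USER_RW | DELETE                       # Modify has no WRITE_DAC
CREATOR_OWNER = "CREATOR OWNER"                 # placeholder, never present in a token


class Obj:
    def __init__(self, owner, dacl):
        self.owner = owner
        self.dacl = list(dacl)                  # ordered (kind, trustee, mask) ACEs


def create_child(parent, creator):
    """New folder: the creator becomes owner and inherits the parent's ACEs.
    Each CREATOR OWNER ACE also yields a real ACE naming the creator."""
    dacl = []
    for kind, trustee, mask in parent.dacl:
        if trustee == CREATOR_OWNER:
            dacl.append((kind, creator, mask))  # placeholder resolved to the creator
        dacl.append((kind, trustee, mask))      # placeholder kept for grandchildren
    return Obj(creator, dacl)


def access_check(obj, token, desired):
    """token is the set of SIDs (user and groups) carried by the caller."""
    remaining = desired
    if obj.owner in token:                      # implicit owner rights are granted
        remaining &= ~(READ_CONTROL | WRITE_DAC)  # before any ACE is examined
    for kind, trustee, mask in obj.dacl:
        if remaining == 0:
            break
        if trustee not in token:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
    return remaining == 0


# Constructed scenario: the share as configured in the thread.
share = Obj("Administrators", [("allow", "Group1", USER_RW),
                               ("allow", CREATOR_OWNER, MODIFY)])
alice, bob = {"alice", "Group1"}, {"bob", "Group1"}
sub = create_child(share, "alice")
print("owner alice may change permissions:", access_check(sub, alice, WRITE_DAC))
sub.owner = "Administrators"                    # ownership taken away
print("after owner reset:", access_check(sub, alice, WRITE_DAC))
```

Once the owner is reset, the resolved Modify ACE still lets the creator delete her own folder while other Group1 members cannot, which is the result the original poster was after.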