Re: NTFS folder permissions - Creator Owner issue (I think)
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 25 Jan 2006 23:04:40 -0700
Your other follow-up posts are noted.
I make a couple comments inlined . . .
"Paul Baker" <paulb@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eC7ttkbIGHA.740@xxxxxxxxxxxxxxxxxxxxxxx
> Roger,
>
> I think I see what you mean.
>
> I created a file in a folder that had no CREATOR OWNER access control, no
> access controls were added for me or my group. I then removed all access
> controls and added a Deny access control that denied everything to
> everyone :) I, as the owner, still had Read Permissions and Change
> Permissions effective permissions (though not Take Ownership).
>
but you were already owner
> That seems like a bit of a problem. So, the owner has implicit permissions
> regardless of the DACL.
>
exactly and exactly
> Is there anything in the SACL that influences this? Is there any way to
> influence who is the initial owner when an object is created?
>
no and no
The only ways are by altering how (and under the covers who) new
objects are created, or to hook the create process and adjust the
ownership after the create event.
Neither is provided for with built-in or MS supplied supplemental
tools/utilities in any current version of the OS.
I have submitted the in cases problematic nature of this behavior
as background for a change request for every OS version beginning
with W2k, and am only hopeful for the next (as past experience is
not encouraging, although more seem to be listening)
> Paul
>
> "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
> news:%23nQYjsWIGHA.1088@xxxxxxxxxxxxxxxxxxxxxxx
>> His issue is that he can set the permissions exactly as he
>> wants them (it really doesn't matter what they are) and the
>> account that has added something (hence becoming its
>> owner) can alter the permissions from the intended and
>> there is no way the admin can prevent this (except by taking
>> away ownership).
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Server : Security)
>> MCDBA, MCSE W2k3+W2k+Nt4
>> "Paul Baker" <paulb@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:uEMUANRIGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
>>> Forgive me, but I am going to have to ask you to take a step back here.
>>>
>>> Which access controls do you have on the folder in which people are
>>> creating these files and folders and give an example of a situation in
>>> which someone is given permissions that you do not intend them to have.
>>>
>>> Paul
>>>
>>> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:C7ED4834-1C38-4056-A2F4-DB5722435131@xxxxxxxxxxxxxxxx
>>>> Yes, I figured out that if I took the creator owner placeholder out of
>>>> the list then I wouldn't have this problem from reading other people's
>>>> posts. However, I am using the creator owner placeholder to ensure that
>>>> staff can only delete their own files and folders and not other people's.
>>>>
>>>> Users get Read & Execute, List Folder Contents, Read and Write, and the
>>>> Creator-Owner gets Modify.
>>>>
>>>> Maybe there's another way of getting the same result?
>>>>
>>>> Regards,
>>>>
>>>> Fiona
>>>>
>>>> "Paul Baker" wrote:
>>>>
>>>>> Are you aware that you can prevent permissions being given to the Creator
>>>>> Owner when they create a folder simply by removing the CREATOR OWNER
>>>>> access control. It's default, not hardcoded, behaviour.
>>>>>
>>>>> Paul
>>>>>
>>>>> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> news:66363F0F-1388-4A12-89DB-97761A246275@xxxxxxxxxxxxxxxx
>>>>> > Roger,
>>>>> >
>>>>> > Sorry, I was confusing the issue by calling it a group - I do realise
>>>>> > it's a placeholder. From what you're telling me an owner has rights
>>>>> > that cannot be overridden. As we are allowing staff to create
>>>>> > subfolders (they then become the owner), we will not be able to
>>>>> > prevent them having the rights of an owner, which seems to include
>>>>> > the right to change permissions whether we want them to have that
>>>>> > right or not.
>>>>> >
>>>>> > Anyway, thanks for all your patience and help.
>>>>> >
>>>>> > Regards,
>>>>> >
>>>>> > Fiona
>>>>> >
>>>>> >
>>>>> > "Roger Abell [MVP]" wrote:
>>>>> >
>>>>> >>
>>>>> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> >> news:266F5017-7818-439A-A60A-7D9B3498BBE3@xxxxxxxxxxxxxxxx
>>>>> >> > Roger,
>>>>> >> >
>>>>> >> > Thank you very much for your help.
>>>>> >> >
>>>>> >> > You're saying that this group can change permissions even when not
>>>>> >> > expressly granted the permission to change permissions or denied
>>>>> >> > it, but I have never
>>>>> >>
>>>>> >> No, that is not what I said.
>>>>> >> I said that the owner of an object can change the object's permission
>>>>> >> whether the owner is (directly or indirectly) granted that permission
>>>>> >> or even whether explicitly denied that permission.
>>>>> >> I did not state this about the Creator Owner "group" but about the
>>>>> >> Owner.
>>>>> >>
>>>>> >> > read this anywhere, and can't seem to find any documentation on it
>>>>> >> > on the net. (I do believe you as I have seen the results!) I'd like
>>>>> >> > to read up on the rights that this group has that I am not aware of.
>>>>> >> >
>>>>> >>
>>>>> >> It is not really a group, although it appears like one.
>>>>> >> Creator Owner is a placeholder. You will find its use is normally set
>>>>> >> to inherit onto contained/child objects. When a new object is created
>>>>> >> the grant to Creator Owner becomes a real grant to the creator of the
>>>>> >> permissions stated with the Creator Owner grant on the container.
>>>>> >> The account that creates the object does become owner, and does
>>>>> >> have the rights of an owner, no matter what is or is not granted with
>>>>> >> the use of Creator Owner.
>>>>> >>
>>>>> >> > We would really like to prevent users changing the permissions on
>>>>> >> > folders because they tend to lock themselves and IT support out of
>>>>> >> > them. Do you know of any method of doing this?
>>>>> >> >
>>>>> >>
>>>>> >> You must take away ownership and then the NTFS security permissions
>>>>> >> will control their actions. While they own (as they do of anything
>>>>> >> they create) you can only hinder, not prevent.
>>>>> >>
>>>>> >>
>>>>> >> > "Roger Abell [MVP]" wrote:
>>>>> >> >
>>>>> >> >>
>>>>> >> >> "F Laufs" <FLaufs@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> >> >> news:77E028E8-8366-4069-A32A-F71710489B04@xxxxxxxxxxxxxxxx
>>>>> >> >> > Hi all,
>>>>> >> >> >
>>>>> >> >> > I need to set up the permissions on a folder so that:
>>>>> >> >> >
>>>>> >> >> > For users in Group 1:
>>>>> >> >> > Anyone can create a file or subfolder.
>>>>> >> >> > Anyone can edit any file.
>>>>> >> >> > Anyone can copy and paste any file or subfolder.
>>>>> >> >> > Only the owner can delete, rename or move a file or folder
>>>>> >> >> > Anyone can view permissions
>>>>> >> >> > No one can change permissions or take ownership
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >> I doubt that that combination can be attained.
>>>>> >> >> The issue is in that some files are changed by use of a temp
>>>>> >> >> file that is renamed with the original deleted.
>>>>> >> >>
>>>>> >> >> > For users in Group 2:
>>>>> >> >> > They can create, edit, copy and paste, delete, rename or move any
>>>>> >> >> > file or folder, and view permissions.
>>>>> >> >> > They can not change permissions or take ownership
>>>>> >> >> >
>>>>> >> >> > For Group 1, I ticked R&E, List, R and W in basic settings, and
>>>>> >> >> > then added a Creator Owner group to which I gave modify rights.
>>>>> >> >> > This got me pretty close to what I need, except:
>>>>> >> >> >
>>>>> >> >> > (1) when trying to move a file or folder, an error message appears
>>>>> >> >> > as expected for the file, but the folder error message says
>>>>> >> >> > '...cannot copy...' and then copies just the folder. I suppose it
>>>>> >> >> > doesn't actually move it but this will be confusing for the users
>>>>> >> >> >
>>>>> >> >> > (2) test user can change the permissions on own folders, definitely
>>>>> >> >> > what I don't want. (On checking the advanced permissions it
>>>>> >> >> > explicitly shows that change permissions is NOT ticked)
>>>>> >> >>
>>>>> >> >> The owner can always change permissions even when they are not
>>>>> >> >> granted the permission to change permissions or denied it. Think of
>>>>> >> >> the permission to change permissions as something only important
>>>>> >> >> for non-owners.
>>>>> >> >>
>>>>> >> >> >
>>>>> >> >> > For permission set 2 I was thinking of giving Modify permissions
>>>>> >> >> > but, again, this allows users to change permissions on their own
>>>>> >> >> > folders.
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >> It is not the Modify grant that allows this but being owner that
>>>>> >> >> does.
>>>>> >> >>
>>>>> >> >> > I wonder if there is a simple explanation?
>>>>> >> >> >
>>>>> >> >> > Regards
>>>>> >> >> >
>>>>> >> >> > Fiona Laufs
>>>>> >> >> >
>>>>> >> >>
>>>>> >> >>
>>>>> >> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>
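
Added example, not part of the original thread or written by its participants: a PowerShell audit that follows the advice above ("take away ownership") by listing every object under a share whose owner is not an approved administrative principal and, with -Fix, reassigning ownership through icacls /setowner. The share path, the approved-owner list and the new owner are assumptions.

```powershell
# Added example (not from the thread). $Root, $AllowedOwners and $NewOwner
# are assumptions; replace them with values for your own file server.
param(
    [string]$Root = 'D:\Shares\Staff',                 # hypothetical share root
    [string[]]$AllowedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
    [string]$NewOwner = 'BUILTIN\Administrators',
    [switch]$Fix                                       # report only unless set
)

$changePerms = [System.Security.AccessControl.FileSystemRights]::ChangePermissions

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $path = $_.FullName
    try   { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
    catch { Write-Warning "Cannot read security descriptor: $path"; return }

    # Owned by an approved principal: the DACL alone decides who may edit it.
    if ($AllowedOwners -contains $acl.Owner) { return }

    # Does any Allow ACE hand out Change Permissions? The owner does not need
    # one, so $false here still means the owner can rewrite the DACL.
    $explicit = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $changePerms) -eq $changePerms
    })

    $status = 'reported'
    if ($Fix) {
        # icacls /setowner changes the owner and leaves the DACL untouched.
        & icacls.exe $path /setowner $NewOwner /C /Q | Out-Null
        $status = if ($LASTEXITCODE -eq 0) { 'owner reassigned' } else { 'icacls failed' }
    }

    [pscustomobject]@{
        Path                   = $path
        Owner                  = $acl.Owner
        ChangePermissionsInAcl = $explicit
        Status                 = $status
    }
}
```

Because only the owner field changes, the real grant that the Creator Owner placeholder produced for the creating account stays in the DACL, so that account keeps Modify on what it created while losing the owner's implicit ability to change permissions.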