Restrict Creator/Owner from altering NTFS permission

Admin Tools, Group Policy, Microsoft 3 comments

Target: Restrict creator / owner from altering any NTFS permission on newly created files & folders.

Scenarios: Regardless of NTFS permissions, the owner, which is by default the person who creates the folder/files, can always alter the permissions. This actually causing a lot’s of problem, with this special privilege users can also block inherited permission and alter current permission. This might cause additional pain for administrators.


Solution:
Initially to test this,
I have created one test folder \SHAREtestvolROOT without any inheritance and gave the Modify permission to XYZ group so that users can create folder. Additionally I gave Full access to Administrators group and READ, EXECUTE, LIST FOLDER permission to OWNER RIGHTS group on that folder with “Replace all Child object Permissions…” settings.

per1

To evaluate the permission on \SHAREtestvolROOT, I asked users to create few folders, where they became owner by default.


Then, I asked them to modify the permission on that folders, but they are getting access denied error, as we applied OWNER RIGHTS to prevent this.

per2

 

So, with the current security settings using OWNER RIGHTS, now:

  • Owner can create files & folders.
  • Owner can modify files & folders.
  • Owner can delete files & folder.
  • Owner cannot modify any type of permission.
  • Owner cannot block permission inheritance.

 

Ref: Owner Rights – http://technet.microsoft.com/en-us/library/dd125370%28v=ws.10%29.aspx

CC License Licensed under CC BY-ND 4.0 International
You Might Also Like
When an Upgrade Breaks the Network: Windows 11 23H2→25H2 and the 802.1X Policy Wipe

When an Upgrade Breaks the Network: Windows 11 23H2→25H2 and the 802.1X Policy Wipe

A quietly persistent bug in in-place Windows upgrades has resurfaced across recent…

Mar 4, 2026 · 5 min read High Match
Understanding GPO Inheritance and Blocking: Troubleshooting in Windows Domain Environments

Understanding GPO Inheritance and Blocking: Troubleshooting in Windows Domain Environments

Group Policy Objects (GPOs) are the backbone of centralized management in Windows…

Jan 20, 2026 · 4 min read Related
Add new Admin Account to AWS Windows Instances to rescue the system

Add new Admin Account to AWS Windows Instances to rescue the system

As mentioned earlier, we could reset the local admin password of windows…

Nov 1, 2017 · 2 min read Related
Cleanup disabled users from AD Group/s

Cleanup disabled users from AD Group/s

Cleanup disabled accounts from groups is one of the most boring job,…

Jan 3, 2017 · 2 min read Related
« Previous
Next »

3 comments

Leave a Reply

Your email address will not be published. Required fields are marked *