Target: Restrict creator / owner from altering any NTFS permission on newly created files & folders.
Scenarios: Regardless of NTFS permissions, the owner, which is by default the person who creates the folder/files, can always alter the permissions. This actually causing a lot’s of problem, with this special privilege users can also block inherited permission and alter current permission. This might cause additional pain for administrators.
Solution:
Initially to test this,
I have created one test folder \SHAREtestvolROOT without any inheritance and gave the Modify permission to XYZ group so that users can create folder. Additionally I gave Full access to Administrators group and READ, EXECUTE, LIST FOLDER permission to OWNER RIGHTS group on that folder with “Replace all Child object Permissions
” settings.
To evaluate the permission on \SHAREtestvolROOT, I asked users to create few folders, where they became owner by default.
Then, I asked them to modify the permission on that folders, but they are getting access denied error, as we applied OWNER RIGHTS to prevent this.
So, with the current security settings using OWNER RIGHTS, now:
- Owner can create files & folders.
- Owner can modify files & folders.
- Owner can delete files & folder.
- Owner cannot modify any type of permission.
- Owner cannot block permission inheritance.
Ref: Owner Rights – http://technet.microsoft.com/en-us/library/dd125370%28v=ws.10%29.aspx
Licensed under CC BY-ND 4.0 International
Ditching PsExec – Running Interactive SYSTEM Shells Natively in PowerShell
If you’ve spent any time in Windows System Administration over the last…
Microsoft Teams’ Efficiency Mode Arrives for Low‑End Devices
Microsoft is rolling out an Efficiency Mode for Microsoft Teams designed to…
How Attackers Abuse Microsoft Teams and Quick Assist: Inside the Helpdesk Impersonation Playbook
A new wave of attacks is quietly abusing everyday collaboration tools to…
New RDP Alert After April 2026 Security Update Warns of Unknown Connections
Microsoft’s April 2026 Patch Tuesday introduced a small-looking but important change to…
Really helpful article, very few knows about this granular permission
Great !!!!!
Really useful command and tested in production environment …it worked .
Finally… Thank you dude, it was really helpful !nn1