Target: Restrict creator / owner from altering any NTFS permission on newly created files & folders.
Scenarios: Regardless of NTFS permissions, the owner, which is by default the person who creates the folder/files, can always alter the permissions. This actually causing a lot’s of problem, with this special privilege users can also block inherited permission and alter current permission. This might cause additional pain for administrators.
Solution:
Initially to test this,
I have created one test folder \SHAREtestvolROOT without any inheritance and gave the Modify permission to XYZ group so that users can create folder. Additionally I gave Full access to Administrators group and READ, EXECUTE, LIST FOLDER permission to OWNER RIGHTS group on that folder with “Replace all Child object Permissions
” settings.
To evaluate the permission on \SHAREtestvolROOT, I asked users to create few folders, where they became owner by default.
Then, I asked them to modify the permission on that folders, but they are getting access denied error, as we applied OWNER RIGHTS to prevent this.
So, with the current security settings using OWNER RIGHTS, now:
- Owner can create files & folders.
- Owner can modify files & folders.
- Owner can delete files & folder.
- Owner cannot modify any type of permission.
- Owner cannot block permission inheritance.
Ref: Owner Rights – http://technet.microsoft.com/en-us/library/dd125370%28v=ws.10%29.aspx
Disclaimer: All posts and opinions on this site are provided AS IS with no warranties. These are our own personal opinions and do not represent our employer’s view in any way.
This article currently have 15,280 views
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
Really helpful article, very few knows about this granular permission
Great !!!!!
Really useful command and tested in production environment …it worked .
Finally… Thank you dude, it was really helpful !nn1