Sign-in / Sign-up
Your question

How do I prevent permission changes on files users own?

Tags:
  • Security
  • Microsoft
  • Permissions
  • Windows
Last response: in Windows 2000/NT
Anonymous
a b 8 Security
August 3, 2004 7:06:41 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Can anyone tell me how to prevent the file/directory owner from changing
NTFS permissions on that file/directory?

Thanks
Clyde Burns

More about : prevent permission files users

Anonymous
a b 8 Security
August 3, 2004 7:30:49 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Clyde Burns wrote:
> Can anyone tell me how to prevent the file/directory owner from
> changing NTFS permissions on that file/directory?

Owner? Anyone who has "full control" permissions can change security. Give
users no more than "modify" permissions.
>
> Thanks
> Clyde Burns
Anonymous
a b 8 Security
August 3, 2004 8:36:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Yes, Im aware of that. But even with just modify permissions the user can
still change permissions on files/directories they create.

Take a look at
http://www.microsoft.com/resources/documentation/Window...

Heres the relevant paragraph from that page.

Every object has an owner, usually the user who created the object. The
owner has an implied right to Allow or Deny other users permission to use
the object. This right cannot be withdrawn. Owners can give other users
permission to Change Permissions (WRITE_DAC). This permission, unlike the
owner's inherent right, can be withdrawn.

The only thing I can think of is a process on the server to give
administrators ownership of the file so that the modify permissions work as
expected.

Clyde

<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:eVW7tUZeEHA.1764@TK2MSFTNGP10.phx.gbl...
> Clyde Burns wrote:
> > Can anyone tell me how to prevent the file/directory owner from
> > changing NTFS permissions on that file/directory?
>
> Owner? Anyone who has "full control" permissions can change security. Give
> users no more than "modify" permissions.
> >
> > Thanks
> > Clyde Burns
>
>
Anonymous
a b 8 Security
August 4, 2004 5:33:10 AM

Archived from groups: microsoft.public.win2000.security (More info?)

You [an administrator] have to take ownership away if you do not want the current
owner with less than full control to change permissions. You can do that with command
line utilities such as fileacl if needed. However administrators can always take
ownership. If you can not trust a user then do not allow them to be an administrator
on the computer. --- Steve


"Clyde Burns" <clydeburns@noemailaddres.com> wrote in message
news:uyFH8lZeEHA.1036@TK2MSFTNGP10.phx.gbl...
> Yes, Im aware of that. But even with just modify permissions the user can
> still change permissions on files/directories they create.
>
> Take a look at
>
http://www.microsoft.com/resources/documentation/Window...
>
> Heres the relevant paragraph from that page.
>
> Every object has an owner, usually the user who created the object. The
> owner has an implied right to Allow or Deny other users permission to use
> the object. This right cannot be withdrawn. Owners can give other users
> permission to Change Permissions (WRITE_DAC). This permission, unlike the
> owner's inherent right, can be withdrawn.
>
> The only thing I can think of is a process on the server to give
> administrators ownership of the file so that the modify permissions work as
> expected.
>
> Clyde
>
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
> news:eVW7tUZeEHA.1764@TK2MSFTNGP10.phx.gbl...
> > Clyde Burns wrote:
> > > Can anyone tell me how to prevent the file/directory owner from
> > > changing NTFS permissions on that file/directory?
> >
> > Owner? Anyone who has "full control" permissions can change security. Give
> > users no more than "modify" permissions.
> > >
> > > Thanks
> > > Clyde Burns
> >
> >
>
>