Everyone take ownership

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,
we have a network share. I change its permissions so only GROUPA and
GROUPB have Full Control, no other entries. However, someone who is not
in GROUPA or GROUPB can claim Ownership of the folder. He does not have
read access or anything like I want it, but taking ownership nulls and
voids everything.

What is causing this? Windows Default for everyone is "Take Ownership"??

Regards,
Antti H
  1.

    AnttiH wrote:
    > Hi,
    > we have a network share. I change its permissions so only GROUPA and
    > GROUPB have Full Control, no other entries. However, someone who is not
    > in GROUPA or GROUPB can claim Ownership of the folder. He does not have
    > read access or anything like I want it, but taking ownership nulls and
    > voids everything.
    >
    > What is causing this? Windows Default for everyone is "Take Ownership"??
    >
    > Regards,
    > Antti H
    Looks like the permission is inherited from the parent folder. Very odd.

    Is it not possible to define a folder on a drive that only certain
    people can access, no matter who owns the parent?

    Antti H
  2.

    In your initial posting you spoke of share permissions, which
    are found with the Permission button on the Sharing tab in the
    properties of a folder. It is now apparent that you are speaking
    of the NTFS permissions of the folder.

    Yes, defining a folder to have just a specific, intended set
    of NTFS permissions is possible. Uncheck the box in the
    NTFS Security dialog that indicates the folder is allowed
    to inherit from its parent folder. Also, use the Advanced
    tab to see whether there are any grants or denies that are
    special and being masked from view in the generic permission
    view of the settings.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "AnttiH" <gumfire@despammed.com> wrote in message
    news:oOare.48$Ak.30@read3.inet.fi...
    > AnttiH wrote:
    > > Hi,
    > > we have a network share. I change its permissions so only GROUPA and
    > > GROUPB have Full Control, no other entries. However, someone who is not
    > > in GROUPA or GROUPB can claim Ownership of the folder. He does not have
    > > read access or anything like I want it, but taking ownership nulls and
    > > voids everything.
    > >
    > > What is causing this? Windows Default for everyone is "Take Ownership"??
    > >
    > > Regards,
    > > Antti H
    > Looks like the permission is inherited from the parent folder. Very odd.
    >
    > Is it not possible to define a folder on a drive that only certain
    > people can access, no matter who owns the parent?
    >
    > Antti H
  3.

    In a machine's default, as installed, condition any member of
    the Administrators group can take ownership of anything in
    the NTFS filesystem.
    If the accounts taking ownership are not logging into the
    machine that is source of the share as admins, then the info
    in the other posting I have just made applies.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "AnttiH" <gumfire@despammed.com> wrote in message
    news:oOare.48$Ak.30@read3.inet.fi...
    > AnttiH wrote:
    > > Hi,
    > > we have a network share. I change its permissions so only GROUPA and
    > > GROUPB have Full Control, no other entries. However, someone who is not
    > > in GROUPA or GROUPB can claim Ownership of the folder. He does not have
    > > read access or anything like I want it, but taking ownership nulls and
    > > voids everything.
    > >
    > > What is causing this? Windows Default for everyone is "Take Ownership"??
    > >
    > > Regards,
    > > Antti H
    > Looks like the permission is inherited from the parent folder. Very odd.
    >
    > Is it not possible to define a folder on a drive that only certain
    > people can access, no matter who owns the parent?
    >
    > Antti H
  4.

    Roger Abell wrote:
    > In your initial posting you spoke of share permissions, which
    > are found with the Permission button on the Sharing tab in the
    > properties of a folder. It is now apparent that you are speaking
    > of the NTFS permissions of the folder.
    >
    > Yes, defining a folder to have just a specific, intended set
    > of NTFS permissions is possible. Uncheck the box in the
    > NTFS Security dialog that indicates the folder is allowed
    > to inherit from its parent folder. Also, use the Advanced
    > tab to see whether there are any grants or denies that are
    > special and being masked from view in the generic permission
    > view of the settings.
    >

    Thanks for your response.
    The folder in question is shared over network, but apparently NTFS
    permissions are affecting it. It is shared from W2000 Server. I have no
    further detail of this, I can click properties for the folder then
    security tab and there.

    There are no Advanced permissions besides the ones that I have set in
    the "generic" permissions page.
    What does the last "Effective Permissions" mean? When I select a group
    from our AD with the select.. button they have NO "Effective
    Permissions", but when I select a certain user, he has all permissions,
    even though he is NOT listed on any of the permissions tabs?

    This person used to be in a group which had permission into the folder,
    can this be cached somehow?

    Cheers,

    AnttiH
  5.

    The share permissions are viewed/set when using an admin
    interface on the machine that is sharing-out (or with a remote
    tool allowing the same).

    After the drive is mapped one sees the NTFS permissions as
    these have been set on the actual storage.

    An account will have access to the extent NTFS permissions
    are granted (and not denied) directly to the account and/or to
    any group in which the account is a member, but when the
    access is over the network the account will have these only
    to the extent that they do not exceed the share level permissions
    granted and not denied to the account. The share level permissions
    will never increase permissions beyond what is within the NTFS
    permissions, they will only allow all the NTFS grants less denies
    or the share level permissions might reduce these.

    The effective permissions tab will show what access would
    be allowed to a principal due to the existing grants and denies
    but, as the description states, this only considers direct group
    memberships - so long chains of group nesting and share level
    permissions imposed on a then current mapping are not taken
    into account.

    If the permissions are inherited from the parent folder, and
    you have access only to the share as a mapped drive then
    there is no real way for you to affect what is being inherited.

    As you have said that only GroupA and GroupB have any
    grants to them, and there are no other grants showing only
    in the Advanced view, then we have something of a mystery.

    Can you open a cmd prompt and issue
    cacls X: > c:\perms.txt
    where X: is the letter to which the share has been mapped
    and c:\perms.txt is any file to which you want the output
    redirected. The content of this file will have all NTFS
    settings in effect on the mapped folder.

    In order to Take ownership an account would need to
    either be in GroupA or GroupB (which have grants of Full)
    based on what you have said, that there are no other grants.
    Posting here the results stored into that c:\perms.txt file
    would help us verify that this is so.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "AnttiH" <gumfire@despammed.com> wrote in message
    news:xwtre.10$Hp3.8@read3.inet.fi...
    > Roger Abell wrote:
    > > In your initial posting you spoke of share permissions, which
    > > are found with the Permission button on the Sharing tab in the
    > > properties of a folder. It is now apparent that you are speaking
    > > of the NTFS permissions of the folder.
    > >
    > > Yes, defining a folder to have just a specific, intended set
    > > of NTFS permissions is possible. Uncheck the box in the
    > > NTFS Security dialog that indicates the folder is allowed
    > > to inherit from its parent folder. Also, use the Advanced
    > > tab to see whether there are any grants or denies that are
    > > special and being masked from view in the generic permission
    > > view of the settings.
    > >
    >
    > Thanks for your response.
    > The folder in question is shared over network, but apparently NTFS
    > permissions are affecting it. It is shared from W2000 Server. I have no
    > further detail of this, I can click properties for the folder then
    > security tab and there.
    >
    > There are no Advanced permissions besides the ones that I have set in
    > the "generic" permissions page.
    > What does the last "Effective Permissions" mean? When I select a group
    > from our AD with the select.. button they have NO "Effective
    > Permissions", but when I select a certain user, he has all permissions,
    > even though he is NOT listed on any of the permissions tabs?
    >
    > This person used to be in a group which had permission into the folder,
    > can this be cached somehow?
    >
    > Cheers,
    >
    > AnttiH
  6.

    AnttiH wrote:
    > It is shared from W2000 Server. I have no
    > further detail of this, I can click properties for the folder then
    > security tab and there.

    To clarify, the folder is on a mapped drive.

    AnttiH
  7.

    Roger Abell wrote:

    > Can you open a cmd prompt and issue
    > cacls X: > c:\perms.txt
    > where X: is the letter to which the share has been mapped
    > and c:\perms.txt is any file to which you want the output
    > redirected. The content of this file will have all NTFS
    > settings in effect on the mapped folder.
    >
    > In order to Take ownership an account would need to
    > either be in GroupA or GroupB (which have grants of Full)
    > based on what you have said, that there are no other grants.
    > Posting here the results stored into that c:\perms.txt file
    > would help us verify that this is so.
    >

    Hi.


    This is cacls H:\FOLDER, which is the folder we want to make secure.
    H:\FOLDER BUILTIN\Administrators:(OI)(CI)F
    domain\groupA:(OI)(CI)F
    domain\groupB:(OI)(CI)F

    The person who "has permission to take ownership" is NOT in any of these
    groups. Not inherited or anything. The person however has Full Control
    on the H:\ -drive.

    Hope this helps,
    AnttiH
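The rule from reply 5 (NTFS grants less denies over the account and its groups, capped by the share-level permissions) applied to the `cacls` listing above, as an added example that is not part of the original thread. The four-right model, the account names and the share entries are assumptions; nested groups and the Take Ownership user right are not modelled.

```python
# Constructed sample input: the cacls listing posted in the thread.
CACLS_OUTPUT = r"""H:\FOLDER BUILTIN\Administrators:(OI)(CI)F
          domain\groupA:(OI)(CI)F
          domain\groupB:(OI)(CI)F
"""

# Simplified rights model (an assumption of this example, not the full NTFS access mask).
FULL = frozenset({"read", "write", "change_permissions", "take_ownership"})
CODES = {"R": frozenset({"read"}), "C": frozenset({"read", "write"}), "F": FULL}


def parse_cacls(text, path):
    """Return (principal, 'allow', rights) for each ACE that applies to the folder itself."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first line carries the path before the first ACE
            line = line[len(path):].strip()
        if not line:
            continue
        who, _, spec = line.rpartition(":")
        cut = spec.rfind(")") + 1          # split "(OI)(CI)F" into flags and the letter code
        flags, code = spec[:cut], spec[cut:]
        if "(IO)" in flags or code not in CODES:
            continue                       # inherit-only or unrecognised entries are skipped
        aces.append((who.lower(), "allow", CODES[code]))
    return aces


def effective(aces, principals):
    """Grants less denies across the account and every group it is a member of."""
    names = {p.lower() for p in principals}
    allow, deny = set(), set()
    for who, kind, rights in aces:
        if who in names:
            (deny if kind == "deny" else allow).update(rights)
    return allow - deny


def network_access(ntfs_aces, share_aces, principals):
    """Over the network, the NTFS result is capped by the share-level result."""
    return effective(ntfs_aces, principals) & effective(share_aces, principals)


if __name__ == "__main__":
    ntfs = parse_cacls(CACLS_OUTPUT, r"H:\FOLDER")
    share = [("everyone", "allow", CODES["C"])]  # hypothetical share ACL: Everyone = Change
    for label, ids in (("outsider", ["domain\\someuser"]), ("groupA member", ["domain\\groupA"])):
        print(label, sorted(network_access(ntfs, share, ids + ["Everyone"])))
```

With this listing, an account outside all three groups gets an empty result, which is why the behaviour reported in the thread points at something outside the folder's own ACL.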
  8.

    Looks OK. The person you mention (meaning one of the accounts that
    they can use, that shows up as owner) is not a member of Administrators
    group on the machine where H: is native (shared-from)?
    You are sure that they are changing an object that pre-existed with
    different settings (as compared to looking at a newly created object)?
    Finally, you know that they are not in a group that is in any of the
    three named groups? and that they do not have the power to add
    themselves (temporarily) to one?
    Otherwise, from all you have said they should not be able to do
    what you have been reporting.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "AnttiH" <gumfire@despammed.com> wrote in message
    news:3pAre.172$Hp3.92@read3.inet.fi...
    > Roger Abell wrote:
    >
    > > Can you open a cmd prompt and issue
    > > cacls X: > c:\perms.txt
    > > where X: is the letter to which the share has been mapped
    > > and c:\perms.txt is any file to which you want the output
    > > redirected. The content of this file will have all NTFS
    > > settings in effect on the mapped folder.
    > >
    > > In order to Take ownership an account would need to
    > > either be in GroupA or GroupB (which have grants of Full)
    > > based on what you have said, that there are no other grants.
    > > Posting here the results stored into that c:\perms.txt file
    > > would help us verify that this is so.
    > >
    >
    > Hi.
    >
    >
    > This is cacls H:\FOLDER, which is the folder we want to make secure.
    > H:\FOLDER BUILTIN\Administrators:(OI)(CI)F
    > domain\groupA:(OI)(CI)F
    > domain\groupB:(OI)(CI)F
    >
    > The person who "has permission to take ownership" is NOT in any of these
    > groups. Not inherited or anything. The person however has Full Control
    > on the H:\ -drive.
    >
    > Hope this helps,
    > AnttiH
  9.

    AnttiH,

    Just for completeness, please verify that on the involved machines
    the security policy setting in the User Right section of the Computer
    Security policy section the User Right to Take Ownership of objects
    is still set at the default of only naming Administrators group.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "AnttiH" <gumfire@despammed.com> wrote in message
    news:3pAre.172$Hp3.92@read3.inet.fi...
    > Roger Abell wrote:
    >
    > > Can you open a cmd prompt and issue
    > > cacls X: > c:\perms.txt
    > > where X: is the letter to which the share has been mapped
    > > and c:\perms.txt is any file to which you want the output
    > > redirected. The content of this file will have all NTFS
    > > settings in effect on the mapped folder.
    > >
    > > In order to Take ownership an account would need to
    > > either be in GroupA or GroupB (which have grants of Full)
    > > based on what you have said, that there are no other grants.
    > > Posting here the results stored into that c:\perms.txt file
    > > would help us verify that this is so.
    > >
    >
    > Hi.
    >
    >
    > This is cacls H:\FOLDER, which is the folder we want to make secure.
    > H:\FOLDER BUILTIN\Administrators:(OI)(CI)F
    > domain\groupA:(OI)(CI)F
    > domain\groupB:(OI)(CI)F
    >
    > The person who "has permission to take ownership" is NOT in any of these
    > groups. Not inherited or anything. The person however has Full Control
    > on the H:\ -drive.
    >
    > Hope this helps,
    > AnttiH