Folder Security

By Bra-k
Running NT 4 Server SP6a, when setting up security permissions on a folder when a user creates the folder, is there a way to easily set the domain admin group to be a member with full control by default? Also, if this is possible, can we set it to where the creator/owner cannot delete that group or change rights on that group while still being able to manage the folder rights?

Folder Security

by Ewing Bettles In reply to Folder Security

In NT 4, when a folder is created it inherits the security of its parent folder by default, so if you make sure that the parent folder where you are allowing users to create folders has Domain Admins listed with Full Control for security permissions, each created sub-folder should also have it as well.

Locking security against the Creator/Owner is a little tougher. I haven't directly tested this, but it should work: Don't assign Full Control in the parent folder to the domain users allowed to create subfolders; instead assign Change (RWXD)(RWXD) permissions, and create an explicit entry in the parent folder for Creator/Owner and assign this Change permissions as well. This way, subfolders created would inherit these settings by default.

I believe the key is to NOT assign Full Control permissions to ANY directory except as minimally required for operation and maintenance (System and Administrators' accounts). Use Change permissions, when possible, in place of Full Control.

Hope this helps,
-Ewing

Folder Security

by Bra-k In reply to Folder Security

Poster rated this answer

Folder Security

by dlw6 In reply to Folder Security

I concur with Ewing's answer, but I have a point or two to add:

The Domain Admins (global group) should be a member of the Administrators (local group). If the PC is a domain member, this should happen automatically.

If you want to fix a folder that already exists, do so as an Administrator. Any member of the Administrators (local group) has the right to Take Ownership of a folder or file, and they can then assign the permissions.

Remember that the No Access tag overrides all other permissions, so it is possible for the user (or Administrator) to lock out the Administrators group. That alone is reason to do what you're trying to do.

Good fortune,
Don
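
An added example, not part of the thread or any poster's code: a Python audit of `cacls`-style output that checks the points raised in the answers above (Domain Admins holds Full Control, ordinary accounts do not, and no No Access entry sits on an administrative group). The sample output, the `EXAMPLE` domain, the paths and the blank-line-separated `account:(flags)perm` layout are constructed assumptions.

```python
import re

# Constructed sample of cacls-style output for two folders (not from the thread).
SAMPLE = r"""D:\Shared BUILTIN\Administrators:(OI)(CI)F
          EXAMPLE\Domain Admins:(OI)(CI)F
          CREATOR OWNER:(OI)(CI)(IO)C
          EXAMPLE\Domain Users:(OI)(CI)C

D:\Shared\alice BUILTIN\Administrators:(OI)(CI)N
                EXAMPLE\alice:(OI)(CI)F
"""
ADMIN_GROUPS = {"administrators", "domain admins", "system"}
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRCF])$")

def parse(text):
    """Return {path: [(account, flags, perm), ...]}; N/R/C/F = No Access/Read/Change/Full."""
    acls = {}
    for block in re.split(r"\n\s*\n", text.strip("\n")):
        lines = block.splitlines()
        if len(lines) > 1:   # continuation lines are indented to the ACE column
            col = len(lines[1]) - len(lines[1].lstrip())
        else:                # assumption: no space in the path of a one-entry ACL
            col = lines[0].index(" ") + 1
        entries = [lines[0][col:]] + lines[1:]
        matches = (ACE.match(e.strip()) for e in entries)
        acls[lines[0][:col].rstrip()] = [
            (m["who"], m["flags"], m["perm"]) for m in matches if m]
    return acls

def group(who):
    return who.split("\\")[-1].lower()   # drop the DOMAIN\ prefix

def audit(acls):
    """Flag folders whose ACL breaks the rules discussed in the thread."""
    findings = []
    for path, aces in acls.items():
        if not any(group(w) == "domain admins" and p == "F" for w, _, p in aces):
            findings.append((path, "Domain Admins lacks Full Control"))
        for who, _, perm in aces:
            if perm == "N" and group(who) in ADMIN_GROUPS:
                findings.append((path, f"No Access set for {who}"))
            if perm == "F" and group(who) not in ADMIN_GROUPS:
                findings.append((path, f"Full Control granted to {who}"))
    return findings

if __name__ == "__main__":
    for path, msg in audit(parse(SAMPLE)):
        print(f"{path}: {msg}")
```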

Folder Security

by Bra-k In reply to Folder Security

Poster rated this answer

Folder Security

by Bra-k In reply to Folder Security

This question was closed by the author
