General discussion

Locked

prevent users from modifying permissions

By rozan ·
I have set users home directories to "Change" permissions (RWXD). But somehow, the users are able to modify the permissions of subdirs they create underneath. I thought that without the P permission, this is NOT possible. It seems that the Change permission I have set is equal to Full.
Anyone has an explanation?
Thanks,

This conversation is currently closed to new comments.

16 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

prevent users from modifying permissions

by itnetman In reply to prevent users from modify ...

Did you leave Creator/Owner in as Full Control? If so remove this user from all permissions. Unsure of any other solution without more details. Hope this helps.

Collapse -

prevent users from modifying permissions

by rozan In reply to prevent users from modify ...

No.
But, there is "Full" permission for Everyone on the share itself which covers the whole disk volume. I'm not sure that this Full permission on the share is the cause.

Collapse -

prevent users from modifying permissions

by Gigelul In reply to prevent users from modify ...

Hi
Full permission for everyone on share is OK .
I set security permission on shared folders like you (RWXD) and also I remove "P" and "O" permissions. With these security permissions the users can create/save/open/delete folders or files but can't change permissions. Any new folder will copy automatically the permission from the parent folder. Maybe you modify the permissions of the parent folder after users create other subfolders. Try for one parent folder to use <replaces permissions on all subfolders and files>.
Now if your share is on a workstation where the user has admin rights you can't force these settings.
About everyone group, this can be a security issue. Recommended is to replace it in your permissions settings with Domain Users.

These permissions settings are OK. Verify again!

Collapse -

prevent users from modifying permissions

by Shanghai Sam In reply to prevent users from modify ...

Thanks for your reply. Indeed, I've tried many times before submitting my call.
The user cannot modify his parent home folder; but for any folder he creates underneath (which theoretically inherits the Change permissions from the home folder) , actually he can even change his own permissions from Change to Full!
I have tried with several NT4 servers (SP5 to SP6a) with same results!

Collapse -

prevent users from modifying permissions

by Gigelul In reply to prevent users from modify ...

OK! Let?s try a dialogue. Post only comments!
You can see in owner tab who changed the permissions. This user is member of a special group?
Give me an example about permissions for a parent folder and a subfolder.

Collapse -

prevent users from modifying permissions

by Gigelul In reply to prevent users from modify ...

About folder U:\User1\test, you are right. User1 can change the permissions because he is the Owner of this folder.
You can:
-create only you the news folders (critical folder-maybe to hard)
-allow only one user per department to manage permissions/create folders
-use periodically <take ownership> to block permissions changes
-instruct users to avoid mistakes

Collapse -

prevent users from modifying permissions

by rozan In reply to prevent users from modify ...

Poster rated this answer

Collapse -

prevent users from modifying permissions

by rozan In reply to prevent users from modify ...

Thanks for trying again!
I've checked all the group's cumulative permissions and inheritance issues.
Here follows the setup:
The shared volume disk is named U:
Permissions on root of U: are:
Everyone: R
Domain Admins: F
System: F

The User1's homedir is named U:\user1
Everyone: R
Domain Admins: F
System: F
(all above inherited from parent)
User1: C (RWXD) (RWXD)
(added at creation of folder)

Now, if I log in as User1, create a subfolder U:\user1\test, it originally inherits the same perms as folder U:\user1
But, as User1, actually I can add permissions to other users, remove others and even upgrade my perms from C to F, or even delete all perms in the list, whereas theoretically I had no P permission there!
You may tryit and you'll see...

Collapse -

prevent users from modifying permissions

by timwalsh In reply to prevent users from modify ...

Take a look at ownership of the directories in question. An owner has full control (and can reset permissions) of a file or directory regardless of other permissions set unless a specific set of permissions are set up for the Creator/Owner user object.

Collapse -

prevent users from modifying permissions

by rozan In reply to prevent users from modify ...

Poster rated this answer

Back to Windows Forum
16 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums