This behavior results from the fact that users creating subfolders become
their owners - and as such, have the ability to modify their permissions.
Incidentally, this has been changed in Vista/Windows Server 2008 (where you
can specify the ACE of the owner) - but obviously this is not much of a
consolation in your case. Note that, as an Administrator, you can always
take ownership of any folder/file - regardless of its permissions...
hth
Marcin
"harikeo" <> wrote in message
news:gt7kfe$1mq$...
> Hi all
>
> I'm having a problem with permissions on a Windows 2003 server and can't
> for the life of me work out what's happening. I'm not even sure it's wrong
> but all my googling says people with Modify rights shouldn't have Change
> Permissions.
>
> I have a security group (#DSG_CHA_Info) populated with user accounts. The
> group is given Modify rights to a parent directory and sub-directories and
> sure enough staff can create, edit and delete files/folders.
>
> BUT whoever makes a file or directory can then grant themselves Full
> Control and remove Domain Admins or the security group they belong to and
> we don't want this. We don't want staff creating directories and then
> blocking us or others from access.
>
> When I look at the effective permissions against the parent or any child
> object, the #DSG_CHA_Info security group (or any of the user accounts held
> within the group) don't have the Change Permissions permission so where
> are they getting the permission from?
>
> The permissions listed on the parent and child objects are:
>
> Domain Admins - Full Control
> #1st Line - Read
> #2nd Line - Full Control
> #DSG_CHA_Info - Modify
>
> Is the only way to stop users from being able to change permissions to
> explicitly grant Deny against Change Permissions on the parent directory?
>
> I hope this makes sense <g> and thanks for any help or pointers.
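Added example (not part of either post above): a simplified Python model of the Windows access check, showing how the creator of a subfolder ends up with Change Permissions (WRITE_DAC) through ownership while other group members with Modify do not, and how an OWNER RIGHTS ACE changes that on Vista/Server 2008. The SIDs, the sample DACLs and the function names are constructed for illustration, and the model ignores inheritance flags and privileges.

```python
# Simplified model of the NTFS access check (constructed for illustration).
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000
MODIFY = 0x001301BF        # "Modify" plus SYNCHRONIZE; does not contain WRITE_DAC
FULL_CONTROL = 0x001F01FF
OWNER_RIGHTS = "S-1-3-4"   # well-known OWNER RIGHTS SID (Vista / Server 2008 and later)

def granted_access(token_sids, owner_sid, dacl, honors_owner_rights):
    """Return the access mask granted to a token.

    dacl is an ordered list of (kind, sid, mask), kind being "allow" or "deny".
    honors_owner_rights=False models Windows Server 2003 behaviour.
    """
    is_owner = owner_sid in token_sids
    has_owner_ace = honors_owner_rights and any(s == OWNER_RIGHTS for _, s, _ in dacl)
    granted = denied = 0
    # The owner receives READ_CONTROL and WRITE_DAC before the DACL is walked,
    # unless an OWNER RIGHTS ACE is present and the OS honours it.
    if is_owner and not has_owner_ace:
        granted |= READ_CONTROL | WRITE_DAC
    for kind, sid, mask in dacl:
        owner_ace = sid == OWNER_RIGHTS and is_owner and honors_owner_rights
        if sid not in token_sids and not owner_ace:
            continue
        if kind == "allow":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted   # cannot revoke bits already granted
    return granted

def can_change_permissions(token_sids, owner_sid, dacl, honors_owner_rights):
    return bool(granted_access(token_sids, owner_sid, dacl, honors_owner_rights) & WRITE_DAC)

# Constructed sample principals and DACLs mirroring the thread's setup.
ADMINS, GROUP = "S-1-5-21-0-0-0-512", "S-1-5-21-0-0-0-2001"
ALICE, BOB = "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-1002"
alice_token, bob_token = {ALICE, GROUP}, {BOB, GROUP}

base_dacl = [("allow", ADMINS, FULL_CONTROL), ("allow", GROUP, MODIFY)]
deny_dacl = [("deny", GROUP, WRITE_DAC)] + base_dacl
owner_rights_dacl = base_dacl + [("allow", OWNER_RIGHTS, MODIFY)]

if __name__ == "__main__":
    # Alice created the folder, so she is its owner; Bob is only a group member.
    print("2003, owner:    ", can_change_permissions(alice_token, ALICE, base_dacl, False))
    print("2003, non-owner:", can_change_permissions(bob_token, ALICE, base_dacl, False))
    print("2003, deny ACE: ", can_change_permissions(alice_token, ALICE, deny_dacl, False))
    print("2008, owner ACE:", can_change_permissions(alice_token, ALICE, owner_rights_dacl, True))
```

In this model the Deny ACE stops non-owners but not the owner, because the owner's implicit rights are granted before the DACL is evaluated; only a change of owner or an OWNER RIGHTS ACE on a system that honours it removes them.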