Permissions problem or just the way it is?

Discussion in 'Server Security' started by harikeo, Apr 28, 2009.

  1. harikeo

    harikeo Guest

    Hi all

    I'm having a problem with permissions on a Windows 2003 server and can't
    for the life of me work out what's happening. I'm not even sure it's
    wrong but all my googling says people with Modify rights shouldn't have
    Change Permissions.

    I have a security group (#DSG_CHA_Info) populated with user accounts.
    The group is given Modify rights to a parent directory and
    sub-directories, and sure enough staff can create, edit and delete.

    BUT whoever makes a file or directory can then grant themselves Full
    Control and remove Domain Admins or the security group they belong to
    and we don't want this. We don't want staff creating directories and
    then blocking us or others from access.

    When I look at the effective permissions against the parent or any child
    object, the #DSG_CHA_Info security group (or any of the user accounts
    held within the group) don't have the Change Permissions permission so
    where are they getting the permission from?

    The permissions listed on the parent and child objects are:

    Domain Admins - Full Control
    #1st Line - Read
    #2nd Line - Full Control
    #DSG_CHA_Info - Modify

    Is the only way to stop users from being able to change permissions to
    explicitly grant Deny against Change Permissions on the parent directory?

    I hope this makes sense <g> and thanks for any help or pointers.
    harikeo, Apr 28, 2009
  2. Marcin

    Marcin Guest

    This behavior results from the fact that users creating subfolders become
    their owners - and as such, have the ability to modify their permissions.
    Incidentally, this has been changed in Vista/Windows Server 2008 (where you
    can specify the ACE of the owner) - but obviously this is not much of a
    consolation in your case. Note that, as an Administrator, you can always
    take ownership of any folder/file - regardless of its permissions...

    Marcin, Apr 28, 2009
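    The behaviour Marcin describes (the creator of a folder is its owner, and an
    owner implicitly holds Read Permissions and Change Permissions even when no
    ACE grants them) can be audited and, on Vista/Server 2008 and later,
    constrained with the well-known OWNER RIGHTS SID (S-1-3-4) that he refers to.
    The PowerShell script below is an added example and is not code from this
    thread; the share path D:\Shares\CHA_Info and the group name
    CONTOSO\Domain Admins are assumptions. It walks a tree, reports every object
    where the admin group has lost Full Control, and with -Fix adds an OWNER
    RIGHTS ACE limited to Modify and re-enables inheritance on the objects that
    were locked out.

```powershell
# Added example, not from the thread. Audits a folder tree for objects whose
# owner has removed the admin group from the DACL, and optionally remediates.
# OWNER RIGHTS (S-1-3-4) is honoured only on Vista/Server 2008 and later.
param(
    [string]$Root       = 'D:\Shares\CHA_Info',     # assumed share path
    [string]$AdminGroup = 'CONTOSO\Domain Admins',  # assumed domain/group
    [switch]$Fix
)

# When an OWNER RIGHTS ACE is present in a DACL it replaces the implicit
# READ_CONTROL + WRITE_DAC that the owner would otherwise receive.
$ownerRightsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
$fullControl    = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-AdminAccessIntact {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl, [string]$Group)
    # True if any Allow ACE (inherited or explicit) still gives the group FullControl.
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Group -and
            (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
            return $true
        }
    }
    return $false
}

function Find-OwnerLockouts {
    param([string]$Path, [string]$Group)
    # Report every file/folder where the admin group no longer has Full Control,
    # together with its owner and whether inheritance was broken.
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        if (-not (Test-AdminAccessIntact -Acl $acl -Group $Group)) {
            [pscustomobject]@{
                Path                     = $_.FullName
                Owner                    = $acl.Owner
                ProtectedFromInheritance = $acl.AreAccessRulesProtected
            }
        }
    }
}

function Add-OwnerRightsAce {
    param([string]$Path)
    # Grant OWNER RIGHTS only Modify (which excludes Change Permissions), inherited
    # by all children, so creating a folder no longer lets the creator rewrite its DACL.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ownerRightsSid,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Repair-LockedOutObject {
    param([string]$Path)
    # Re-enable inheritance and drop the explicit ACEs the owner added, so the
    # parent's DACL (including the admin group) applies again.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($false, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$lockouts = @(Find-OwnerLockouts -Path $Root -Group $AdminGroup)
$lockouts | Format-Table -AutoSize

if ($Fix) {
    Add-OwnerRightsAce -Path $Root
    foreach ($l in $lockouts) { Repair-LockedOutObject -Path $l.Path }
}
```

    Run it as a member of the admin group. If an owner has also removed the
    admin group's read access, Get-Acl/Set-Acl will fail on that object until
    ownership is taken back first (as Marcin notes, administrators can always
    take ownership regardless of the DACL); the audit output tells you which
    objects need that step. On Windows 2003 the OWNER RIGHTS ACE is ignored, so
    there only the audit and repair functions apply.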
  3. harikeo

    harikeo Guest

    Thanks Marcin

    I've just found a GPO setting we can use to hide the tab, or a reg entry
    we can create on the clients.

    harikeo, Apr 29, 2009
  4. FlyDye

    FlyDye Guest

    If it is a share you could change the share permissions to the maximum you
    want to grant. For example set Domain Users to CHANGE and Domain
    Administrators or Local Administrators to FULL. That should keep them from
    changing permissions as long as they're not administrators.
    FlyDye, May 7, 2009