|
Posted by Roger Abell [MVP] on January 5, 2006, 8:45 am
Please log in for more thread options There is no way to change how current Windows versions
grant ownership to new objects to the creator of them
What you can do however is to change the default settings
for Bypass traverse checking. If an account does not have
this grant of user right, then to access
c:\somefolder\somesubfolder\newfolder-userdefined\file.ext
then the account needs at least folder traverse granted to
them on c:\, on c:\somefolder, on c:\somefolder\somesubfolder
all of which have permissions you do control. So, if you take
explicit control over Bypass traverse checking on the sharing
machine, and do not overgrant NTFS permissions on the
folder structure, then the Owner of something can grant as
they want for permissions on things they create, but if the
grant is to an account you have not allowed into the area then
the grant cannot be used. However, it the grant the owner
makes is to an account you have let use the area, but is a grant
of more than you would like, then the owner has again defeated
you intent.
> thank you for Replay ,
> but i am still asking , is there no way to change that "Windows by
> default" ?
>
> thanx
>
> Steven L Umbach schrieb:
>> Windows by default gives the owner full control as you have seen. What
>> you can do is to change the permissions for owner creator to be less than
>> full control but as the owner the user can still always change
>> permissions. Ultimately you would need to try to hide the security tab
>> from the user [which can be done with Group Policy] which still could
>> allow a user to use command line tools if he know how or remove ownership
>> from that user. In Windows 2003 you can use the Explorer GUI to change
>> ownership and for any NT operating system you can use command like tools
>> like subinacl or fileacl if you are an administrator. --- Steve
>>
>>
>>
>>>Hello,
>>>
>>>Subject : File and Folder permissions for domain users
>>>
>>>Network Directory : \MyServer\MyDirectory\MyProject1
>>> \MyProject2
>>> ...........
>>>
>>>
>>>Question :
>>>
>>>How to give the domain user1 change permissions for folder "\MyProject1"
>>>and user1 use not to be able to take the full permissions for folders
>>>that he create under "\MyProject1"
>>>
>>>with other words:
>>>domain user1 has change permissions for folder "\MyProject1" , with this
>>>permissions he can create a new folder like for example "\MyProject1\New
>>>Folder\" after creating that folder is the user1 automatically the owner
>>>of that new created folder! means: he has all permissions! result -->
>>>user1 can give every one read ,write or full permissions for that folder.
>>>
>>>is there any way to avoid that user1 can be able to give permissions for
>>>folders that he create under "\MyProject1\" directory ?
>>>
>>>
>>>Thank you
>>>
>>>Saleh Matani
>>
>>
| 
XML Sitemap