How do I prevent permission changes on files users own?

  • Thread starter: Clyde Burns

Clyde Burns

Can anyone tell me how to prevent the file/directory owner from changing
NTFS permissions on that file/directory?

Thanks
Clyde Burns
 
Clyde said:
Can anyone tell me how to prevent the file/directory owner from
changing NTFS permissions on that file/directory?

Owner? Anyone who has "full control" permissions can change security. Give
users no more than "modify" permissions.
 
Yes, I'm aware of that. But even with just modify permissions the user can
still change permissions on files/directories they create.

Take a look at
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prdd_sec_muum.asp

Here's the relevant paragraph from that page.

Every object has an owner, usually the user who created the object. The
owner has an implied right to Allow or Deny other users permission to use
the object. This right cannot be withdrawn. Owners can give other users
permission to Change Permissions (WRITE_DAC). This permission, unlike the
owner's inherent right, can be withdrawn.

The only thing I can think of is a process on the server to give
administrators ownership of the file so that the modify permissions work as
expected.

Clyde
 
You [an administrator] have to take ownership away if you do not want the current
owner with less than full control to change permissions. You can do that with command
line utilities such as fileacl if needed. However, administrators can always take
ownership. If you cannot trust a user, then do not allow them to be an administrator
on the computer. --- Steve
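
The server-side process discussed above, sketched as an added example that is not part of either post: it walks a directory tree, reports every item whose owner is not BUILTIN\Administrators, and with `-Apply` reassigns ownership using `icacls /setowner` instead of the fileacl utility mentioned in the thread. The `$Root` path and the script's parameter names are assumptions for illustration.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the file server.
param(
    [string]$Root = 'D:\Shares\Projects',  # assumption: placeholder path
    [switch]$Apply                          # omit to report only, change nothing
)

# BUILTIN\Administrators by well-known SID, so the check is locale independent.
$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

# Enumerates the children of $Root (not $Root itself), including hidden items.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $path = $_.FullName
    try {
        $acl      = Get-Acl -LiteralPath $path -ErrorAction Stop
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot read owner of '$path': $($_.Exception.Message)"
        return   # skip this item, continue with the next one
    }

    # Already owned by Administrators: the Modify-only ACL behaves as intended.
    if ($ownerSid -and $ownerSid.Equals($adminSid)) { return }

    $changed = $false
    if ($Apply) {
        # icacls takes a numeric SID when it is prefixed with '*'.
        # /L acts on a symbolic link itself rather than its target.
        & icacls.exe $path /setowner '*S-1-5-32-544' /L /Q | Out-Null
        $changed = ($LASTEXITCODE -eq 0)
        if (-not $changed) { Write-Warning "icacls failed on '$path'" }
    }

    # One record per item that was (or would be) reassigned.
    [pscustomobject]@{
        Path          = $path
        PreviousOwner = $acl.Owner
        OwnerChanged  = $changed
    }
}
```

Because each newly created file is again owned by the user who created it, a sweep like this only holds if it is run on a schedule.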
 