How to stop a user from becoming the owner of a file?


Hank Arnold

We have a network drive that all users have access to. I've found that on
occasion files being created by users are "owned" by that user. When I try
to open the security settings for the file (as Administrator), I'm told that
I can only "view" the settings. I can take ownership at that point, but I
need to understand why this is happening. I want *any* file created in a
folder to inherit the properties of the folder. That includes ownership.

How do I prevent a user from taking ownership??
 
By default, files created inherit the ACEs that are set for inheritance on
the folder where the file is created. But, if the user creates the file on a
local drive and then _moves_ the file to the file server, the permissions on
the local file are also _moved_ to the file server. If the user copies the
file, the security is set as if the file was created on the network drive. I
guess this is what you are seeing. I don't have any solution for you though.
The problem you have though is not related to the user being the owner, but
the actual ACEs on the file.


Arild
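
Added example, not part of the original thread: one way to find the files this reply describes, that is, items under the share whose ACEs do not simply come from the parent folder. The function name `Get-NonInheritingItem` and the path `D:\Shares\Common` are hypothetical.

```powershell
# Added example: list items under a share whose ACL does not follow the parent folder.
function Get-NonInheritingItem {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            } catch {
                # The caller cannot even read the ACL: report it for follow-up.
                [pscustomobject]@{ Path = $path; Owner = '?'; Finding = 'ACL not readable' }
                return
            }
            # Split the DACL into ACEs set on the item itself and ACEs inherited from above.
            $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
            $inherited = @($acl.Access | Where-Object { $_.IsInherited })

            if ($acl.AreAccessRulesProtected) {
                $finding = 'inheritance disabled'
            } elseif ($inherited.Count -eq 0) {
                $finding = 'no inherited ACEs'
            } elseif ($explicit.Count -gt 0) {
                $finding = "$($explicit.Count) explicit ACE(s)"
            } else {
                return   # ACL follows the parent folder, nothing to report
            }
            [pscustomobject]@{ Path = $path; Owner = $acl.Owner; Finding = $finding }
        }
}

# Hypothetical share root; run from an elevated session on the file server.
Get-NonInheritingItem -Root 'D:\Shares\Common' |
    Sort-Object Path |
    Format-Table Path, Owner, Finding -AutoSize -Wrap
```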
 
The owner of the file by default is whoever created it. You cannot tell the
system to make someone else the owner of every file created, you would need to
go through and reset ownership occasionally. Also it doesn't inherit ownership
from the folder. Ever.
 
The easiest way to avoid the problem you're running into (you as admin cannot
access the files) would be to ensure users cannot change privileges on them.
Giving them "modify" privileges to the root directory(s) on the share rather
than "full control" would be an easy way to do this.

Typically what I do for a file server is to give users read only privileges to
the root of the share; then create the top-level directories and only give
them modify privileges to the appropriate directories. Admins and System
should have full control starting at the root.

Regards,
Erik
 
It looks like your question was already answered but perhaps
only partially in three separate responses....

Hank Arnold said:
We have a network drive that all users have access to. I've found that on
occasion files being created by users are "owned" by that user.

Files created by a user will ALWAYS be owned by that user.

The Creator IS the Owner by definition and design.

Hank Arnold said:
When I try to open the security settings for the file (as Administrator),
I'm told that I can only "view" the settings.

The parent directory (where they create these files) needs to be
marked to ALSO allow Administrator Full Control (or whatever
is appropriate.)

In General parent directories should almost always have AT LEAST
these settings:

Creator Owner -- Full Control
Administrators -- Full Control

This is not an absolute rule but pretty much the standard unless you
have a reason to do otherwise.

Hank Arnold said:
I can take ownership at that point, but I need to understand why this is
happening.

By design.

Hank Arnold said:
I want *any* file created in a folder to inherit the properties of the
folder.

It does by default inherit the inheritable properties.
(This is also an option and may be disabled too, by
clearing the "Allow inheritance..." checkbox.)

Hank Arnold said:
That includes ownership.

Ownership is never inheritable on Windows. Never has been.

Ownership is to the creator.

Hank Arnold said:
How do I prevent a user from taking ownership??

They are NOT "taking ownership"; they are the owner by
definition since they are creating the file.

But anyone with "Full Control" CAN take ownership so
watch out for that too.

Also anyone with "Read and Delete" can copy the file
(owning the copy), delete the original, and thus own 'the
file' (which is now a new file technically.)

This last may seem pedantic or academic but that is
essentially the way that WORD and other Office applications
work when modifying a file (except that the app itself
requires modify permission or it just won't do it.)

What are you REALLY trying to accomplish? (Not how you
think you wish to do it but what specifically is IMPORTANT
here?)

For instance, if you just want Admins to have access the key is
in the parent directory permissions.
 
What is happening is that I have one user who keeps creating files on the
shared drive and other users may or may not have the required access. This
generates support calls (and lost productivity). I'm trying to control
access for files on the network drive so that the Administrators group has
ownership of all files.

The Parent/Root folder has the desired permissions and ownership.

What would work would be some kind of batch file or VB script to transfer
ownership of all files and sub folders to the Administrator (or
Administrators group) and run it periodically....
 
Change the NTFS permission inheritance in the parent directory to apply to
"This folder, sub folders, and files" granting the user security group the
necessary access.

/kj
 
/kj said it correctly already...

Hank Arnold said:
What is happening is that I have one user who keeps creating files on the
shared drive and other users may or may not have the required access. This
generates support calls (and lost productivity).

The mistake is not setting the parent directory correctly
(and inheritance but that defaults to what you need.)

Set the "other groups" on the parent directory to have the
correct (inheritable) permissions for them.

New files created will have the correct owner (person
creating the file owns what he creates) and the correct
permissions for everyone.

Note: Creator/Owner should ALSO be set to full control
on the parent in practically all cases.

Hank Arnold said:
I'm trying to control access for files on the network drive so that the
Administrators group has ownership of all files.

That is impractical except for static files.

Hank Arnold said:
The Parent/Root folder has the desired permissions and ownership.

No it does not. By your other claims the parent directory is set
incorrectly -- it fails to include all groups which need permission
in the inheritable set.

You MAY mean the parent directory has the permissions needed
for ACCESS to that parent directory but....

Many people who think they understand permissions and many
books which propose to teach this material do not recognize that
the parent directory can actually be set to (at least) two separate
sets of permissions:

1) Permissions for the directory itself
2) Permissions that will be inherited.

By default these are the same but with care, and probably special
tools you can differentiate these.

While the standard XCACLS.exe can differentiate you may find
that a more flexible (and complex) tool such as "SetACL.exe"
from SourceForge.net is more effective.

Actually there are (at least) three sets of permissions on a directory:
directory access, child file inheritance, AND child CONTAINER
inheritance for child directories.

Hank Arnold said:
What would work would be some kind of batch file or VB script to transfer
ownership of all files and sub folders to the Administrator (or
Administrators group) and run it periodically....

You are approaching the problem from the wrong end and
fighting the design of the system.

Just set your parent directory permissions correctly.
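
Added example, not part of the original thread: the three permission scopes named above (the directory itself, child files, child directories) written as separate ACEs on the parent folder, followed by a check that a new file and subfolder inherit them. The path `D:\Shares\Common`, the group `CONTOSO\Staff`, the helper `New-Ace` and the probe names are hypothetical; the rights chosen follow the "modify, not full control" advice given earlier in the thread.

```powershell
# Added example. Run from an elevated session on the file server.
$Path   = 'D:\Shares\Common'    # hypothetical share root
$Group  = 'CONTOSO\Staff'       # hypothetical user security group
$Admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$System = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM

# Hypothetical helper: build one Allow ACE with explicit inheritance/propagation flags.
function New-Ace($Who, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Who, $Rights, $Inherit, $Propagate, 'Allow')
}

$acl = Get-Acl -LiteralPath $Path

# All three scopes at once: this folder, child files (OI) and child folders (CI).
foreach ($who in $Admins, $System) {
    $acl.SetAccessRule((New-Ace $who 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
}
# Scope 1, the folder itself: list it and create items in it.
# SetAccessRule replaces any Allow ACEs the group already had (for example Full Control).
$acl.SetAccessRule((New-Ace $Group 'ReadAndExecute,CreateFiles,CreateDirectories' 'None' 'None'))
# Scope 2, child files: InheritOnly keeps this ACE from applying to the folder itself.
$acl.AddAccessRule((New-Ace $Group 'Modify' 'ObjectInherit' 'InheritOnly'))
# Scope 3, child folders.
$acl.AddAccessRule((New-Ace $Group 'Modify' 'ContainerInherit' 'InheritOnly'))
Set-Acl -LiteralPath $Path -AclObject $acl

# Check: a new subfolder and a new file should show the ACEs above with IsInherited = True.
$probeDir  = New-Item -ItemType Directory -Path (Join-Path $Path '_aclprobe')
$probeFile = New-Item -ItemType File -Path (Join-Path $Path '_aclprobe.txt')
foreach ($p in $probeDir, $probeFile) {
    $a = Get-Acl -LiteralPath $p.FullName
    '{0}  owner={1}' -f $p.FullName, $a.Owner
    $a.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
Remove-Item -LiteralPath $probeDir.FullName, $probeFile.FullName
```

The owner printed for each probe item is the account that created it, while the access entries come from the parent folder.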
 