NTFS security problem

Guest

When a user creates a folder in a directory in which they have modify access,
they are able to add users or groups to the newly created folder and assign
administrative rights..... How do I stop this?
 
The owner of a file or folder [ properties/security/advanced/owner] can
always change permissions on it which is what you are experiencing. What you
could do is to manage permissions of the parent folder to manage access or
create the folder for the user and then you will be owner but allow him to
be able to write to the folder to add files and have modify permissions for
"files only" which can be done via special permissions in the advanced page
of security for folder/file properties where a user/group can be listed more
than once with different permissions for the possibilities in the "apply
onto" box. He still could change permissions on the files but users trying
to access the folder directly would get an access denied without read/list
permissions though they may be able to access a file that they have
permissions to if they know the name of it and specify the full path to the
file since by default users have traverse folder permission. You can also
change ownership on any folder/file as an administrator though in Windows
2000 you can not do that via GUI but there are tools such as subinacl or
fileacl that can do such. --- Steve
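
The layout described in the answer above, as an added example that is not part of the original post: an administrator-owned folder where the user is listed twice, once for "this folder only" and once for "files only". The path and account name are placeholders, and removing inherited entries and withholding the create-folders right are assumptions made for this sketch.

```powershell
# Run from an elevated prompt. $Path and $User are hypothetical placeholders.
$Path = 'D:\Shares\Dept\Projects'
$User = 'CONTOSO\jdoe'

# An administrator creates the folder, so the user never becomes its owner.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')

# Assumption: drop inherited entries so only the rules below apply here.
$acl.SetAccessRuleProtection($true, $false)

$rule = 'System.Security.AccessControl.FileSystemAccessRule'
$both = 'ContainerInherit, ObjectInherit'

# Administrators and SYSTEM keep full control of the folder and its contents.
$acl.AddAccessRule((New-Object $rule('BUILTIN\Administrators', 'FullControl', $both, 'None', 'Allow')))
$acl.AddAccessRule((New-Object $rule('NT AUTHORITY\SYSTEM', 'FullControl', $both, 'None', 'Allow')))

# Entry 1, "This folder only": list the folder and add files to it.
# CreateDirectories is left out so the user cannot create a subfolder
# that he would then own.
$acl.AddAccessRule((New-Object $rule($User, 'ReadAndExecute, CreateFiles', 'None', 'None', 'Allow')))

# Entry 2, "Files only": Modify on files, inherited by files but not
# applied to the folder itself (ObjectInherit + InheritOnly).
$acl.AddAccessRule((New-Object $rule($User, 'Modify', 'ObjectInherit', 'InheritOnly', 'Allow')))

Set-Acl -Path $Path -AclObject $acl

# Check the result: owner, then each entry with its "Apply onto" scope.
$check = Get-Acl -Path $Path
$check.Owner
$check.Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Audit: subfolders whose owner is not the Administrators group.
Get-ChildItem -Path $Path -Directory -Recurse |
    Where-Object { (Get-Acl -Path $_.FullName).Owner -ne 'BUILTIN\Administrators' } |
    Select-Object FullName, @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }
```

Files the user creates are still owned by the user, so, as the answer says, he can still change permissions on those files.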
 
Just to add that you can use Group Policy to prevent a user from accessing
the security tab for a folder. There is a direct setting for Windows XP/2003
[ user configuration/administrative templates/Windows components/Windows
explorer - remove security tab] though it can still be done for Windows 2000
as per the second link below. This will not stop a skilled user from using
command line tools like cacls though in Windows 2003/XP Pro Software
Restriction Policies you can restrict what a user can run on his computer
including command line tools. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;193826 --- this
works on Windows 2000 also.
http://support.microsoft.com/default.aspx?scid=kb;en-us;303153



 
Thank you. I will try this in the lab. This is for about 1TB of data
across 3 file servers accessed by 2500 users.
