07-09-2005, 11:51 PM
Not sure if I'm missing a major security check here or not but all my users
seem to be able to view the security tab on the properties of a folder and
make changes i.e. removing groups, administrators group and adding users from
the domain.
I didn't think this was possible but a user has taken it upon himself to
protect his folder and now other users are doing it in the shared FS's.
Should they be able to do this? Am I missing something here?
I have a Windows 2003 server and XP desktop network and AD infrastructure.
Thanks in advance
07-09-2005, 11:51 PM
Whether they should be able to do this or not is a deployment decision
on your part. Given your concern/surprise I gather your policy would
be that they should not have this ability.
If the users have nothing higher than Modify granted, then they will not
be able to alter the permissions, with one qualification. You should
look at the NTFS permissions granted, and use the Advanced tab, to
see exactly what permissions are being granted on the filesystem objects.
The qualification mentioned is that the Owner of an object can always
alter the permissions on what they own. An account that defines a new
object (folder or file) will be its owner. So, that account can change
their own permissions from modify at most to full, which includes the
permission to change permissions, and then do what they will with the
What can you do?
Well, as you indicate that these users access the storage using a share,
set the share level permissions so that they are not Full, but only Change
at most. Since the share permissions state an upper limit on what NTFS
permissions are allowed to be used when access is not local, this will
prevent the Owner from using more than modify even if they elevate
their granted NTFS permissions.
The other thing you can do is to define the folder structure for them and
then not allow them to define new folders. This really does not do all
that much but frustrate them, as they will not be able to become Owner
of any folders, and so will have to live within the NTFS permissions
you have placed on the folders (meaning that they will only be able
to take over the NTFS permissions on a file by file basis).
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Ziguana" <Ziguana@discussions.microsoft.com> wrote in message
> Not sure if I'm missing a major security check here or not but all my users
> seem to be able to view the security tab on the properties of a folder and
> make changes i.e. removing groups, administrators group and adding users from
> the domain.
> I didn't think this was possible but a user has taken it upon himself to
> protect his folder and now other users are doing it in the shared FS's.
> Should they be able to do this? Am I missing something here?
> I have a Windows 2003 server and XP desktop network and AD infrastructure.
> Thanks in advance
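
One way to audit for the conditions the reply above describes (folder owners who are ordinary users, NTFS grants above Modify, and share permissions of Full), as an added example that is not part of the original thread. The path `D:\Shares\Dept`, the share name `Dept` and the trusted-principal list are assumptions, and the script assumes PowerShell 3.0 or later with the SmbShare module, which is newer than the Windows 2003 server discussed in the thread.

```powershell
# Added example (not from the thread): report who can rewrite ACLs under a shared folder.
param(
    [string]$Root      = 'D:\Shares\Dept',  # hypothetical local path behind the share
    [string]$ShareName = 'Dept'             # hypothetical share name
)

# Principals allowed to own folders and hold Full Control (assumption: adjust per site).
$Trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# Access-mask bits that go beyond Modify:
# WRITE_DAC (change permissions), WRITE_OWNER (take ownership), GENERIC_ALL.
$AclWrite = 0x00040000 -bor 0x00080000 -bor 0x10000000

$dirs  = @(Get-Item -LiteralPath $Root)
$dirs += @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName

    # An owner can always change permissions, whatever the ACEs say.
    if ($Trusted -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $dir.FullName; Principal = $acl.Owner
                           Issue = 'Non-admin owner' }
    }

    # Allow ACEs that grant more than Modify to a non-trusted principal.
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Trusted -notcontains $who -and
            ([int]$ace.FileSystemRights -band $AclWrite) -ne 0) {
            [pscustomobject]@{ Path = $dir.FullName; Principal = $who
                               Issue = "NTFS grant above Modify: $($ace.FileSystemRights)" }
        }
    }
}

# Share permissions cap what NTFS rights can be used over the network:
# Full at the share level lets an owner use Change Permissions remotely.
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    $findings += @(Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' -and
        $Trusted -notcontains $_.AccountName
    } | ForEach-Object {
        [pscustomobject]@{ Path = "\\$env:COMPUTERNAME\$ShareName"; Principal = $_.AccountName
                           Issue = 'Share permission is Full (should be Change at most)' }
    })
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
```

Run it on the file server from an elevated session so `Get-Acl` can read every folder; an empty result means no non-trusted principal owns a folder or holds rights above Modify in that tree.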