Folder creator owner

[Guest]

Hi all,

We have a windows 2000 file server

We recently discover that a Folder Creator Owner could change the folder
permission right. So all our security settings could be over pass by a owner
who set it's own permission.

question: Is there a way to prevent a Owner of a folder or a file to change
the permissions of it ? So, still be the owner, but wihtout the permissions
to change the security settings.


Thanks

Antoine Auger-Giroux

 

[Joe Richards [MVP]]

Nope, the owner of a secured object can modify the Security Descriptor in any
way they want. It is hardcoded functionality.

 

[Roger Abell [MVP]]

one must take away owner status to fully control NTFS permissions

 

[Guest]

Thanks Roger,

Question: Is there a way to define a default owner of folders and files in
Windows 2000 ? Does Windows Server 2003 manage this the same way ?

Our compagny has to be SOX compliance and this situation is causing us
trouble.

Thanks for the help !

Antoine

 

[Joe Richards [MVP]]

No you can not specify a default owner unfortunately. You need to have a program
that scans through and takes ownership as needed. Note that doing this will
impact any disk quota stuff you are doing as that is all based off of the owner.

 

[Roger Abell [MVP]]

Joe has answered you. One must currently provide value-added
code to accomplish this, such as something the is notificed on new
NTFS object creation that then goes in a alters the Owner.
I have proposed years back that we need ability to make container
objects so that new objects either follow the existing rules, or have
owner value inherited from container object. Regretably all Windows
(NT family) versions still follow only the one, old rule for this.

 

[Guest]

Thank's Joe and Roger,

Roger: It would be great if it was include in further version of windows.
When we had to manage security,SOX in mind , everything has to be very
strait...

Joe: Does Microsoft had a tool that can do that ? Or mabe a 3rd party tool ?

Thank's again !

Antoine

 

[Roger Abell [MVP]]

I agree with you completely. It is on my list of things to bug (MS
about for the next generation).

Giving away ownership has always had some situations where it
just plain made specific containment scenarios impossible.

 

[Joe Richards [MVP]]

I am only aware of tools various companies have written for internal use that
unfortunately I am not able to share.