Prevent a user from changing file permissions on their own files

1

I want to prevent file permissions from being edited by non-admin users in my server share. I tried to grant only "Modify" permissions (without "Change Permissions" and "Take ownership" privilege):


This works for existing files, but if a user creates a new file in this share, he becomes the file owner. As owner he can change all permissions! This was tested in Windows Server 2016.

Tobia

Posted 2017-12-18T12:27:47.220

Reputation: 2 022

Answers

2

If a user creates a new file in this share, he becomes the file owner. As owner he can change all permissions!

Solve this by configuring the Share Permissions by which the user accesses the folder over the network to only grant Change and Read permissions to the Everyone identity:


You can optionally grant the Administrators group the Full Control permission if desired, so long as the target user is not a member of that group.

Explanation

An NTFS object's (e.g. file or folder) owner always has the ability to read and change permissions on the object. Even if you were to Deny all NTFS permissions to an object's owner, they can bypass these permissions and set them to whatever they wish.

However, when accessed via a network share, both the NTFS permissions and the Share permissions are taken into account, and the more restrictive permissions apply. Therefore if we do not grant the Full Control share permission to the user, they cannot exercise their right as owner of an object to change the permissions of objects in that share. As a result, whatever permissions are granted by the remote computer's NTFS filesystem truly become the Final Word as to what the user can do.

I say Reinstate Monica

Posted 2017-12-18T12:27:47.220

Reputation: 21 477
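
The share-permission layout described in the answer above can also be applied and verified from PowerShell. This is an added example, not part of the original answer; the share name `Data` is a placeholder, and it assumes an elevated session on the file server with the SmbShare cmdlets (Windows Server 2012 or later).

```powershell
# Added example: audit and tighten the share-level ACL of one SMB share so that
# only Administrators hold Full Control at the share level.
$ShareName  = 'Data'                      # assumption: placeholder share name
$AdminGroup = 'BUILTIN\Administrators'

# 1. Show the current share-level ACL (this is separate from the NTFS ACL).
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 2. Find every Allow entry that grants Full to a principal other than
#    Administrators. Any user covered by such an entry can still use
#    ownership of a file to rewrite its permissions over the network.
$tooBroad = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight       -eq 'Full'  -and
    $_.AccountName       -ne $AdminGroup
}

# 3. Downgrade each of those entries from Full to Change.
#    Revoke first so the old Full entry cannot linger next to the new one.
foreach ($entry in $tooBroad) {
    Revoke-SmbShareAccess -Name $ShareName -AccountName $entry.AccountName -Force | Out-Null
    Grant-SmbShareAccess  -Name $ShareName -AccountName $entry.AccountName `
                          -AccessRight Change -Force | Out-Null
}

# 4. Apply the layout from the answer: Everyone = Change (which includes Read),
#    Administrators = Full (optional, per the answer).
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force `
                      -ErrorAction SilentlyContinue | Out-Null
Grant-SmbShareAccess  -Name $ShareName -AccountName 'Everyone' `
                      -AccessRight Change -Force | Out-Null
Grant-SmbShareAccess  -Name $ShareName -AccountName $AdminGroup `
                      -AccessRight Full -Force | Out-Null

# 5. Verify: no non-admin principal should still have Full on the share.
$remaining = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight       -eq 'Full'  -and
    $_.AccountName       -ne $AdminGroup
}
if ($remaining) {
    Write-Warning "Full Control still granted at share level to: $($remaining.AccountName -join ', ')"
} else {
    Write-Output "Share '$ShareName': only $AdminGroup has Full Control at the share level."
}
```

The share-level restriction only applies to access over the network; a user who can log on to the server locally reaches the files through NTFS permissions alone.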