Re: Third-party/scipted ACE/ACL listings

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Corné Bogaarts (does.not.exist_at_bigfoot.com)
Date: 02/14/05

• Next message: andy_p: "Display IP Addresses of Printer"
• Previous message: Torgeir Bakken \(MVP\): "Re: move domain users from local admin groups to local special users g"
• In reply to: Roger Abell: "Re: Third-party/scipted ACE/ACL listings"
• Next in thread: Roger Abell: "Re: Third-party/scipted ACE/ACL listings"
• Reply: Roger Abell: "Re: Third-party/scipted ACE/ACL listings"
• Messages sorted by: [ date ] [ thread ]

---

Date: Mon, 14 Feb 2005 23:34:35 +0100

Assuming this is not about local file-access, setting no more than
'change' on the share does help prevent the issue.
The NTFS-permissions wil be 'Creator Owner' - 'Full Control', yet the
user will not be able to exercise them, since the share-permisssions
'cut them of'.

For local files, your solution is the way to go.

On Sat, 12 Feb 2005 22:04:25 -0700, "Roger Abell" <mvpNOSpam@asu.edu>
wrote:

>Your real solution is a far to little used feature that
>comes with Active Directory.
>If you analyze the storage and structure it so that the
>permissioning is as uniform per area as possible,
>and so that you know what should be permitted upon
>each part, then you just define this in a security template
>that is imported into a GPO that has in its scope of
>application the machine holding the storage.
>As was also pointed out, never give away change.
>However, due to the creator becoming the owner,
>and the owner able to exert any permissions whether
>it is granted to them or not, restricting your grants to
>change at max only goes so far.
>Load into an mmc console the Security Templates
>snap-in and look at the Filesystem portion.

---

• Next message: andy_p: "Display IP Addresses of Printer"
• Previous message: Torgeir Bakken \(MVP\): "Re: move domain users from local admin groups to local special users g"
• In reply to: Roger Abell: "Re: Third-party/scipted ACE/ACL listings"
• Next in thread: Roger Abell: "Re: Third-party/scipted ACE/ACL listings"
• Reply: Roger Abell: "Re: Third-party/scipted ACE/ACL listings"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: NTFS folder permissions - Creator Owner issue (I think) ... I figured out that if I took the creator owner placeholder out of the ... > Are you aware that you can prevent permissions being given to the Creator ... (microsoft.public.security) Re: NTFS folder permissions - Creator Owner issue (I think) ... Are you aware that you can prevent permissions being given to the Creator ... Owner when they create a folder simply by removing the CREATOR OWNER access ... which seems to include the right to change permissions whether we ... (microsoft.public.security) Re: NTFS folder permissions - Creator Owner issue (I think) ... From what you're telling me an owner has rights that cannot ... which seems to include the right to change permissions whether we ... >> the grant to Creator Owner becomes a real grant to the creator or the ... (microsoft.public.security) Re: NTFS folder permissions - Creator Owner issue (I think) ... You can add that deny but it is something the owner can still ... You can explicitly deny the owner the permission to ... set permissions, heck you may even explicitly deny full, and ... > Can't you simply add a CREATOR OWNER access control which denies delete ... (microsoft.public.security)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.scripting  > 2005-02