I think that the OWNER RIGHTS SID in Windows Server 2008 allows administrators to assign ownership to a user or group, but provides a mechanism by which that user or group can be prevented from changing permissions on the object. If you set DENY permission for WRITE_DAC (Change permissions) on subfolders and files as shown below, when a user is removed from a group that is used to assign permissions to object(s), the user won’t be able to regain access to objects they created by modifying the ACLs.
Code:
OWNER RIGHTS:(OI)(CI)(IO)(DENY)(special access:) WRITE_DAC
NT AUTHORITY\SYSTEM:(OI)(CI)F
FILESERVER\Accounts:(OI)(CI)C
BUILTIN\Administrators:(OI)(CI)F
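Here is an added PowerShell example (not from the original post) that applies the same OWNER RIGHTS deny entry shown above with Get-Acl/Set-Acl and then reads it back; the folder path D:\Shares\Accounts is an assumption, and the well-known SID S-1-3-4 is the OWNER RIGHTS principal.

```powershell
# Added example: apply a DENY WRITE_DAC (Change permissions) entry for OWNER RIGHTS
# that is inherit-only, so it lands on subfolders and files, then verify it.
# $Path is an assumed share folder; adjust for your environment.
param([string]$Path = 'D:\Shares\Accounts')

# OWNER RIGHTS is the well-known SID S-1-3-4 (WinCreatorOwnerRightsSid).
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WinCreatorOwnerRightsSid, $null)

# (OI)(CI)(IO) in cacls terms: ObjectInherit + ContainerInherit, InheritOnly.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# ChangePermissions is the FileSystemRights name for WRITE_DAC.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ownerRights,
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    $inherit,
    $propagate,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Add the entry to the existing DACL without disturbing the other ACEs.
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: the folder itself should now carry the inherit-only deny for OWNER RIGHTS,
# and any child created afterwards inherits it as an effective deny on WRITE_DAC.
Get-Acl -Path $Path |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq 'OWNER RIGHTS' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Run it as a member of Administrators; a later check with Get-Acl on a newly created file under the share should show the OWNER RIGHTS deny as an inherited entry.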