
Thread: Prevent user changing ACL / folder rights

  1. #1
    Join Date
    Mar 2012
    Posts
    3

    Prevent user changing ACL / folder rights

    Hi.

    This is my first post here so my apologies if I'm breaking some local laws.. I am asking my question here because there seems to be some talent present.

    I am building a new structure on my fileserver with a strict ACL but I seem to be running into some limitation (?) that I do not understand..

    The main problem is that end users should never be able to change any ACL,.. never ever ever! BUT when I give a user modifying rights so they can create, but cannot change any folder rights they are still the owner of this folder and the owner CAN set the folder rights! Another user is not able to change this but the owner will!

    I want users to be able to create folders but 'system' or yours truly to be the owner.. Anybody but the end-user.

    I have even set an explicit DENY on ownership & folder rights but without success.

    Background information:
    Fileserver= virtualized WS2008R2 running on HyperV
    Disc= San mapped with iscsi on hyperv.
    ..not that it matters...

  2. #2
    Join Date
    Nov 2011
    Posts
    659

    Re: Prevent user changing ACL / folder rights

    Hey you can just refer to the below thread and see if you are able to get any help from the same, it is similar to your case.
    NTFS Permissions to allow saving but prevent changing

  3. #3
    Join Date
    Mar 2012
    Posts
    3

    Re: Prevent user changing ACL / folder rights

    Hi.

    Thanks for the reply. I had previously landed on this topic but did not carefully study it. Nonetheless it has no use for my situation..

    Even in the situation in the other topic the files created have the actual creator set as owner, who is therefore allowed to set specific permissions on this file.. Of course this has no effect because of the deny for writing.

    A partial problem is that a user can copy (or move) his own folders to our fileserver but when a folder gets moved, the ACL gets moved with it. From ancient times and the previous it'r the current fileserver is a true mess.. ACLs have been set on many levels. This old structure must remain but many users will be moving their data from the old fileserver and moving the ACLs with it... This could be prevented by deleting all ACLs in advance... so this can be solved.

    But there are some other users here that KNOW what file security is... and THINK they are experts...

    So basically.. when a user creates a file or folder.. how do I prevent them from setting any ACL and ONLY using the inherited ones?

  4. #4
    Join Date
    Jan 2006
    Posts
    605

    Re: Prevent user changing ACL / folder rights

    I think that the OWNER RIGHTS SID in Windows Server 2008 allows administrators to assign ownership to a user or group, but provides a mechanism by which that user or group can be prevented from changing permissions on the object. If you set DENY permission for WRITE_DAC (Change permissions) on subfolders and files as shown below, when a user is removed from a group that is used to assign permissions to object(s), the user won’t be able to regain access to objects created by modifying the ACLs.

    Code:
    OWNER RIGHTS:(OI)(CI)(IO)(DENY)(special access:)                                   WRITE_DAC
      NT AUTHORITY\SYSTEM:(OI)(CI)F
      FILESERVER\Accounts:(OI)(CI)C
      BUILTIN\Administrators:(OI)(CI)F
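
The ACE from post #4 applied and then checked from PowerShell, as an added example that is not part of the thread: `Add-OwnerRightsDeny` adds the inheritable deny of WRITE_DAC for OWNER RIGHTS (SID S-1-3-4), and `Find-AclDrift` lists items below the root that block inheritance, carry explicit ACEs, or lack the deny. The function names and the path in the usage comment are hypothetical, and the code assumes Windows PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not from the thread. Run elevated; the root path is a placeholder.
$OwnerRightsSid = 'S-1-3-4'   # well-known SID for OWNER RIGHTS
$WriteDac = [System.Security.AccessControl.FileSystemRights]::ChangePermissions  # WRITE_DAC

function Add-OwnerRightsDeny {
    param([Parameter(Mandatory = $true)][string]$Root)
    $sid = New-Object System.Security.Principal.SecurityIdentifier $OwnerRightsSid
    # ContainerInherit + ObjectInherit + InheritOnly corresponds to (OI)(CI)(IO):
    # the ACE applies to subfolders and files below $Root, not to $Root itself.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $WriteDac,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Root
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Root -AclObject $acl
}

function Find-AclDrift {
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        # Resolve identities as SIDs so the check does not depend on display names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $explicit = @($rules | Where-Object { -not $_.IsInherited })
        $deny = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $OwnerRightsSid -and
            $_.AccessControlType -eq 'Deny' -and
            ($_.FileSystemRights -band $WriteDac) })
        # Report anything that no longer relies purely on the inherited ACL.
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0 -or $deny.Count -eq 0) {
            [pscustomobject]@{
                Path               = $_.FullName
                Owner              = $acl.Owner
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAceCount   = $explicit.Count
                OwnerDenyPresent   = ($deny.Count -gt 0)
            }
        }
    }
}

# Usage (hypothetical path):
# Add-OwnerRightsDeny -Root 'D:\Shares\Data'
# Find-AclDrift -Root 'D:\Shares\Data' | Format-Table -AutoSize
```

Items that were moved in with their old ACLs, as described in post #3, show up in the `Find-AclDrift` output with `InheritanceBlocked` set or a non-zero `ExplicitAceCount`.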

  5. #5
    Join Date
    Mar 2012
    Posts
    3

    Re: Prevent user changing ACL / folder rights

    Thanks! This totally answered my question!

    Setting an explicit deny for the user 'Owner rights' (had to look it up :-s) stopped the creator from setting any permissions.

    Downside is the lack of exceptions.. if I would create a folder myself to assist the end-user.. I will not have any rights to set permissions myself.
