Hi,

By default Windows XP/2003 assigns "full control" permissions to
Creator/Owner principal on many files and registry keys. In production
environment, many administrative users may need to support workstations
and servers.

After some time all the workstations and servers get their NTFS and
Registry tattooed with personal permissions for différents
administrators like in the following exemple:


AdministratorA creates a file, the file inherits the following
permissions:

AdministratorA - full control
Administrators - full control
System - full control

AdministratorB creates another file in the same folder, the file
inherits the following permissions:

AdministratorB - full control
Administrators - full control
System - full control

and so on, so the personal admin names and permissions are inserted in
ACLs and it becomes very difficult to analyse if the security policy is
correctly applied or not.

Any suggestions to get rid of this?