NTFS permissions: users changing permissions by unchecking "inherit permissions from parent"
Posted by craig.knights@gmail.com on May 22nd, 2007


I have 500 student home folders on a network share (Student Work) and
each student has full access to their own folder.

I have a deny permission on the Student Work share that denies both
"take ownership" and "change permissions". Each student folder
inherits this deny permission from (Student Work). This is to stop
the students messing with the permissions so they can share files
amongst themselves and try to keep me out.

The problem is they can still uncheck the "Inherit from parent the
permission entries that apply to child objects...." that is in the
advanced tab. Then they can change the permissions on their folder.

I have tried explicitly setting the deny changing of permissions on
each student's folder. This might work for their folder but they can
still uncheck the inherit permissions on each subfolder they make and
lock me out (at least until I notice and delete and recreate the
permissions).

Any ideas out there?

Thanks
Craig

Posted by Anthony on May 22nd, 2007


Change permissions on the Share, and Modify permissions on the folder,
sounds as though it would do what you want,
Anthony
http://www.airdesk.co.uk


<craig.knights@gmail.com> wrote in message
news:1179828286.151262.65250@n15g2000prd.googlegroups.com...


Posted by Herb Martin on May 22nd, 2007



<craig.knights@gmail.com> wrote in message
news:1179828286.151262.65250@n15g2000prd.googlegroups.com...
You cannot deny the user from changing permissions on files the
user OWNS with NTFS alone -- the owner can always change
NTFS permissions despite the NTFS permissions.

It's THEIR FILES, they have the RIGHT to keep you out of them.

Yes, 99.99% of the time this is entirely appropriate -- especially
in the University setting (non-corporate or enterprise) where the
business doesn't really own the data produced by the "workers".

Why are you doing this to THEIR files?


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)



Posted by craig.knights@gmail.com on May 22nd, 2007



Because it is a (relatively conservative religious based) high
school. Students from 10 to 18 years old. They hide and share their
stashes of p o r n and games and the silly programs they try to use to
crack into the network.

I also need to be able to drop files into their folders from time to
time for classes.

It is not a corporate environment.

I don't snoop at the contents of their files. I just get rid of stuff
that shouldn't be on a school disk.

It also makes removing the data when students leave a little more time
consuming.


Craig




Posted by Herb Martin on May 23rd, 2007



<craig.knights@gmail.com> wrote in message
news:1179870101.509811.258680@y18g2000prd.googlegroups.com...
Do try/test using the SHARE permission set to CHANGE (not FC)
and the Permissions on files set to Modify (not FC.)

This should work for files on shares but you can never really control
the permissions on LOCAL files since the owner can always override.

You can however take ownership of all files (nightly?) and give back
ENOUGH permissions for the user to do what is legitimate.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
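
A sketch of the nightly pass suggested in the post above, as an added example that is not part of the thread: it reports student subfolders where inheritance was switched off or the ACL can no longer be read, then takes ownership for Administrators and restores inherited permissions. `D:\Student Work` is an assumed local path and `Find-BrokenInheritance` is a hypothetical helper name; it assumes the student's Modify entry sits on the home folder and is inherited below it.

```powershell
# Added example, not from the thread. $Root is an assumed local path.
# Run elevated on the file server (Windows PowerShell 3.0 or later).
$Root = 'D:\Student Work'

function Find-BrokenInheritance {
    param([string]$HomeFolder)
    # Folders that cannot even be listed end up in $denied instead of $dirs.
    $dirs = Get-ChildItem -LiteralPath $HomeFolder -Directory -Recurse `
                -ErrorAction SilentlyContinue -ErrorVariable denied
    foreach ($d in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop
            # True when "inherit from parent" has been unchecked on this folder.
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{ Path = $d.FullName; Reason = 'InheritanceDisabled'; Owner = $acl.Owner }
            }
        } catch {
            [pscustomobject]@{ Path = $d.FullName; Reason = 'AclUnreadable'; Owner = $null }
        }
    }
    foreach ($e in $denied) {
        [pscustomobject]@{ Path = [string]$e.TargetObject; Reason = 'ListingDenied'; Owner = $null }
    }
}

# Only look below each home folder, so the student's own entry on the home
# folder itself is left alone and is inherited again after the reset.
$found = foreach ($student in Get-ChildItem -LiteralPath $Root -Directory) {
    Find-BrokenInheritance -HomeFolder $student.FullName
}

foreach ($f in $found) {
    # Ownership to the Administrators group (/A), recursively (/R); /D Y answers
    # the prompt shown for folders the caller cannot list.
    takeown /F $f.Path /A /R /D Y | Out-Null
    # Drop explicit entries and re-enable inheritance on this folder and below.
    icacls $f.Path /reset /T /C /Q | Out-Null
}

# Report what was found and reset on this run.
$found | Sort-Object Path | Format-Table -AutoSize
```

Scheduling it as a task under an administrative account gives the nightly cadence; the table it prints is also the list of folders that had been changed since the previous run.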



Posted by not@lawyer.but on May 23rd, 2007


"Herb Martin" <news@learnquick.com> wrote in news:#CH8SnHnHHA.4628@TK2MSFTNGP06.phx.gbl:

But it's not THEIR computer, so they don't have the RIGHT to do whatever
they want there. It is quite normal for them to have agreed to some
conditions of use for the machines that they do not own but are being
permitted to use. They do have the RIGHT not to put THEIR files there if
they do not agree with those conditions.
The owner of the machines should have the right to ensure that nothing is
done or placed there that may break rules of conduct of the school or
laws of the land. After all, the owner of the machine could conceivably
be held legally responsible.

It sounds like it is being done to the place where the files are kept
(which is NOT THEIRS). If they don't like it, they could simply not put
THEIR files there. Just my opinion - others may disagree.

To perhaps answer the original question: don't give them "full" access,
but only "modify" permission (this will turn on the checkboxes below that
as well). Completely remove the permissions for "creator owner", users,
"authenticated users", and so on. Make it so that the only permissions
showing are for "Administrators" (full), SYSTEM (full), and the
individual user (modify). The top level should probably just have admins
and the system, inheriting down to child objects. You may not even need
the SYSTEM permission if you don't want to do anything that requires this
(some backup methods, etc). Then add each user's modify permission to
the subfolder you create for that user, and set that to inherit down to
child objects.
Don't worry much about "deny" permissions, just make sure that there are
no "allow" ones that you don't want.
I'm assuming that none of them are administrators - if they are, there's
nothing you can do to limit them.

Also note that if you want to use quotas to limit diskspace, you must
leave the users as owners of the files, as the file's space counts
against the owner of the file.
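
The permission layout described in the post above, scripted with `icacls` as an added example that is not part of the thread. The path `D:\Student Work`, the domain name `SCHOOL` and the convention that each home folder is named after the student's logon name are assumptions; run it elevated on the file server.

```powershell
# Added example, not from the thread. $Root, $Domain and "folder name equals
# logon name" are assumptions. Run elevated on the file server.
$Root   = 'D:\Student Work'
$Domain = 'SCHOOL'

# Top level: explicit Full for Administrators and SYSTEM, inherited by
# subfolders (CI) and files (OI). Grant first, then cut inheritance from the
# volume, so the administrator never loses access halfway through.
icacls $Root /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
icacls $Root /inheritance:r | Out-Null

# Remove explicit allow entries for the broad principals the post names.
foreach ($name in 'CREATOR OWNER', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
    icacls $Root /remove:g $name | Out-Null
}

$report = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $account = "$Domain\$($dir.Name)"
    $status  = 'Modify granted'
    try {
        # Throws if no such account exists, so a stray folder is left
        # administrators-only instead of getting a broken entry.
        $nt = New-Object System.Security.Principal.NTAccount($account)
        [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $status = 'No matching account, left admin-only'
    }

    # Back to inherited entries only, on the home folder and everything below
    # it. This also re-enables inheritance wherever it was unchecked.
    icacls $dir.FullName /reset /T /C /Q | Out-Null

    if ($status -eq 'Modify granted') {
        # Modify, not Full Control: no "change permissions", no "take ownership".
        icacls $dir.FullName /grant:r "${account}:(OI)(CI)M" | Out-Null
        if ($LASTEXITCODE -ne 0) { $status = "icacls failed ($LASTEXITCODE)" }
    }
    [pscustomobject]@{ Folder = $dir.Name; Account = $account; Status = $status }
}

# Ownership is not touched, so files still count against the student's quota.
$report | Format-Table -AutoSize
```

Running `icacls` on one home folder afterwards should list three entries: Administrators and SYSTEM marked `(I)` as inherited, and the student with `(OI)(CI)(M)`.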