How to Prevent Users from Changing Permissions on File Servers
On file servers in corporate environments one typically does not want users to change permissions, even on their own files. It might seem that it would be sufficient to simply grant change permissions instead of full control, but unfortunately that is not the case. The problem is that whenever a new file gets created, the user creating the file will be its owner. And owners can always change permissions, regardless of the contents of the DACL.
In order to prevent “orderly” users from “tidying” the permissions on their files and directories and thus messing things up, often removing administrators from the DACL, too, the following needs to be done:
- Only grant change (aka modify) permissions in the NTFS file system. “Change” does not include the specific right “change permissions”.
- Do not grant full share permissions. Use change + read instead. This masks out the right “change permissions” which owners are implicitly granted. This obviously applies to network access only.
The clever part is not granting “full control” in the share permissions to users. Since administrators still want to be able to modify permissions, I suggest adding a second ACE to each share’s DACL. The resulting DACL now contains the following two entries:
- Authenticated users: change + read
- Administrators: full control
Manually setting, changing and modifying permissions is a tedious job, that can very well be offloaded to scripts. My powerful free tool SetACL manages permissions on shares, in the file system and in the registry. It works on all Windows operating systems from Windows XP onwards. And it does not contain the nasty bugs that essentially make Cacls.exe and XCacls.exe unusable.