How to Prevent Users from Changing Permissions on File Servers

Tips and Tools
Published Jan 9, 2009 Updated Aug 6, 2012

On file servers in corporate environments one typically does not want users to change permissions, even on their own files. It might seem that it would be sufficient to simply grant change permissions instead of full control, but unfortunately that is not the case. The problem is that whenever a new file gets created, the user creating the file will be its owner. And owners can always change permissions, regardless of the contents of the DACL.

The Solution

In order to prevent “orderly” users from “tidying” the permissions on their files and directories and thus messing things up, often removing administrators from the DACL, too, the following needs to be done:

Only grant change (aka modify) permissions in the NTFS file system. “Change” does not include the specific right “change permissions”.
Do not grant full share permissions. Use change + read instead. This masks out the right “change permissions” which owners are implicitly granted. This obviously applies to network access only.

The clever part is not granting “full control” in the share permissions to users. Since administrators still want to be able to modify permissions, I suggest adding a second ACE to each share’s DACL. The resulting DACL now contains the following two entries:

Authenticated users: change + read
Administrators: full control

Automation

Manually setting, changing and modifying permissions is a tedious job, that can very well be offloaded to scripts. My powerful free tool SetACL manages permissions on shares, in the file system and in the registry. It works on all Windows operating systems from Windows XP onwards. And it does not contain the nasty bugs that essentially make Cacls.exe and XCacls.exe unusable.

ACE DACL Permissions SetACL Share

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Finding (Executables in) User-Writeable Directories

Finding (Executables in) User-Writeable Directories

This article presents two different detection types for insecure filesystem permissions on Windows endpoints: scanning for directories that are user-writable, and detecting processes that are started from user-writeable directories. Directory Scan With ListUserWriteableDirectories & SetACL My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.

How to Modify Default Share Permissions and Other Tweaks

NTFS permissions are stored in the file system, that is well known. But where are share permissions stored? As so often with Windows: in the registry. Network shares are defined by only a handful of relatively simple registry entries stored in the server service’s key which is, for historical reasons that go back way beyond OS/2, named “LanmanServer” (the workstation service is similarly named “LanmanWorkstation”).

Windows Internals

Permissions: A Primer, or: DACL, SACL, Owner, SID and ACE Explained

Updated: 2021-06-22 Every object that can have a security descriptor (SD) is a securable object that may be protected by permissions. All named and several unnamed Windows objects are securable and can have SDs, although this is not widely known. There does not even exist a GUI for manipulating the SDs of many object types! Have you ever tried to kill a system process in Task Manager and got the message “Access denied”? This is due to the fact that this process’ SD does not allow even administrators to kill the process. But it is, of course, possible, as an administrator, to obtain the necessary permissions, provided a GUI or some other tool is available.

Windows Internals

Samba File Server With POSIX ACLs in a Docker Container

Samba File Server With POSIX ACLs in a Docker Container

This article explains how to set up a Samba file server as an Active Directory domain member in a Docker container. This newer configuration differs from my earlier setup in one essential point: it uses POSIX instead of Windows ACLs, simplifying the administration and making it possible to modify files via other protocols than SMB. This post is part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server with dockerized or virtualized services.

Home Automation, Networking & Self-Hosting

Latest Posts

WSL Disk Space Cleanup

WSL Disk Space Cleanup

The Windows Subsystem for Linux (WSL) stores its virtual hard disks in the user profile on drive C:. These VHDX files can grow up to 1 TB in size, making it necessary to clean up and reclaim space occasionally. This article shows how.

Virtualization & Containers

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Changing the Location of the Windows Terminal Settings Files

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile:

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.