How to Prevent Users from Changing Permissions on File Servers

Tips and Tools
Published Jan 9, 2009 Updated Aug 6, 2012

On file servers in corporate environments one typically does not want users to change permissions, even on their own files. It might seem that it would be sufficient to simply grant change permissions instead of full control, but unfortunately that is not the case. The problem is that whenever a new file gets created, the user creating the file will be its owner. And owners can always change permissions, regardless of the contents of the DACL.

The Solution

In order to prevent “orderly” users from “tidying” the permissions on their files and directories and thus messing things up, often removing administrators from the DACL, too, the following needs to be done:

Only grant change (aka modify) permissions in the NTFS file system. “Change” does not include the specific right “change permissions”.
Do not grant full share permissions. Use change + read instead. This masks out the right “change permissions” which owners are implicitly granted. This obviously applies to network access only.

The clever part is not granting “full control” in the share permissions to users. Since administrators still want to be able to modify permissions, I suggest adding a second ACE to each share’s DACL. The resulting DACL now contains the following two entries:

Authenticated users: change + read
Administrators: full control

Automation

Manually setting, changing and modifying permissions is a tedious job, that can very well be offloaded to scripts. My powerful free tool SetACL manages permissions on shares, in the file system and in the registry. It works on all Windows operating systems from Windows XP onwards. And it does not contain the nasty bugs that essentially make Cacls.exe and XCacls.exe unusable.

ACE DACL Permissions SetACL Share

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Hard Links and Permissions / ACLs

Commenter Lee asked how ACLs are evaluated when an object has multiple hard links. I replied with comments of my own, which turned out to be wrong after I did some experiments. Here is what I found out about hard link permissions and believe to be true.

Windows Internals

Taking Ownership Fails With UNC Path, Works Locally!?! Why?

Here is an interesting tidbit related to Windows security: Create a test file share, e.g. C:\temp\test, and share it with full permissions for everyone (share, not NTFS permissions) as “test” Create the following directory hierarchy below the share: C:\temp\test\1\2\3\4 Assign ownership of the four folders 1, 2, 3 and 4 to any user (but do not use your own account, just anyone else’s) Set permissions on 1, 2, 3 and 4 that only the user from the previous step has full access, nobody else, not even the SYSTEM Now try to use SetACL to change the owner of directory “4” over the network (SetACL uses backup and restore privileges so this should be no problem) by issuing the following command locally: setacl -on \localhost\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator SetACL will fail with access denied (full message: “ERROR: Writing SD to <\?\UNC\localhost\test\1\2\3\4> failed with: Access is denied.”) Now issue the same command, but instead of using a UNC path use the local drive letter: setacl -on c:\temp\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator That works! Why is this so? I have no clue.

Windows 7 Default HKCU Registry Permissions

This is a complete listing of all Windows 7 HKEY_CURRENT_USER registry permissions. The list was generated on a 32-bit installation with SetACL. More default permission listings can be found here.

How to Modify Default Share Permissions and Other Tweaks

NTFS permissions are stored in the file system, that is well known. But where are share permissions stored? As so often with Windows: in the registry. Network shares are defined by only a handful of relatively simple registry entries stored in the server service’s key which is, for historical reasons that go back way beyond OS/2, named “LanmanServer” (the workstation service is similarly named “LanmanWorkstation”).

Windows Internals

Latest Posts

Introducing Sambee, Your Browser-Based File Manager for SMB Shares and Local Drives

Introducing Sambee, Your Browser-Based File Manager for SMB Shares and Local Drives

Sambee is a browser-based viewer and manager for files on SMB network shares and on your computer’s local drives. It supports single-pane and dual-pane views and can replace Windows File Explorer as well as Norton Commander-style tools on your PC and on your phone. And yes, it’s free and open source.

WSL Disk Space Cleanup

WSL Disk Space Cleanup

The Windows Subsystem for Linux (WSL) stores its virtual hard disks in the user profile on drive C:. These VHDX files can grow up to 1 TB in size, making it necessary to clean up and reclaim space occasionally. This article shows how.

Virtualization & Containers

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Changing the Location of the Windows Terminal Settings Files

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile: