NTFS Security path depth > 256 chars

  • Thread starter Frederik De Muyter
  • Start date
F

Frederik De Muyter

Hi,

I have a couple of questions on setting up NTFS security.
First when a user creates a directory under a folder I share, he is the
owner of the folder and can remove admins form the ntfs security. Can i stop
this and how.

Second i'm having troubles setting NTFS security on files or folders that
exceed a depth of 256 characters. I simply get access denied.
Can i changes this?

Third is ther a way to propegate permissions to sub directory's even if i
don't have ownership on the folder.

I hope my questions are clear and if not i'm alway willing to elaborate on
them.

Kind regards,

Frederik De Muyter.
 
R

Robert Kochem

Frederik De Muyter schrieb:

> I have a couple of questions on setting up NTFS security.
> First when a user creates a directory under a folder I share, he is the
> owner of the folder and can remove admins form the ntfs security. Can i stop
> this and how.


Well I would show those users how far they get with such activities: Make a
script which takes over the ownership and add full access for the "default
members" (administrator, SYSTEM)

> Second i'm having troubles setting NTFS security on files or folders that
> exceed a depth of 256 characters. I simply get access denied.
> Can i changes this?


Well MS does not learn that it is a good idea not to use the oldest
available api for a central application as the Explorer (which limits the
path length). Therefore you can not change this behaviour, only using a
third party software which uses Unicode file names -> max path length then
is about 32k.

Robert
 
R

Roger Abell [MVP]

"Frederik De Muyter" <FrederikDeMuyter@discussions.microsoft.com> wrote in
message news:CF5694D2-4CEF-4D94-87D0-76408F62A3CB@microsoft.com...
> Hi,
>
> I have a couple of questions on setting up NTFS security.
> First when a user creates a directory under a folder I share, he is the
> owner of the folder and can remove admins form the ntfs security. Can i
> stop
> this and how.
>


No. The behavior is hardwired in pre-Vista versions of Windows.
You would need a process that events on new object creation and
then sets the ownership to such as Administrators.

> Second i'm having troubles setting NTFS security on files or folders that
> exceed a depth of 256 characters. I simply get access denied.
> Can i changes this?


The max path is an old limitation in Windows.
One can use the subst command to define a drive letter for
part of the excessive length path and then access via that.

>
> Third is ther a way to propegate permissions to sub directory's even if i
> don't have ownership on the folder.
>


Sure, but the account doing so need to have the permission to change
permissions (a part of the Full control grant, but can be granted alone).

Usually when taking ownership is needed there also is no grant to
the administrative accounts used to take ownership, so instead of
sure the answer practically speaking is no, not it there is no grant
to system or administrators (or any group allowed to take ownership).


> I hope my questions are clear and if not i'm alway willing to elaborate on
> them.
>
> Kind regards,
>
> Frederik De Muyter.
>
>
 
Back
Top Bottom