Prevent owner to change permissions on network share

storage network-share server-message-block sun

is obviously related to the Sun Appliance. Something like inheritance behaviour or similar on the appliance itself. I will look into that.

No, it is how Windows ACLs work. The owner is always allowed to change ACLs on her objects. You can prevent this for shared content by using a share which is only allowing "Everyone:Modify" permissions as this will "filter out" any change ACL requests at the share level. If you want to allow your Administrators to change ACLs, just add "Storage Admins:Full Control" to the share permissions.


Ok, figured it out. In Windows you have only 3 choices on the share level: read, change, full control.

windows acl

In the appliance you have the full set of permissions on the share level and a dropdown box to choose: sun acl

If you choose "Modify" in the upper left corner the checkmarks will be set accordingly. The checkmark "Delete Child" however is not set when you choose "Modify" and this is the problem. If I choose "Modify" and check "Delete Child" on the share level plus setting "Modify" for Domain Users on the Root Directory everything works as expected.

Related

Strange GET requests in logs
What rule can I use in ModSecurity to log POST payload for a specific site?
FTP Active vs passive mode
Migrate from Exchange 2010 to Exchange 2016
DNS resolve timeout on RHEL 6.3 behind firewall
Is it possible to add a local user to the admins group through group policy?
bind9 in a chroot jail - necessary or not?
How can we open our firewall to allow Google Analytics?
Testing nameserver configuration using it
Possibility of WAN Optimization for SSH traffic
Is there a sensible way of 'teaming' two ADSL connections?
postfix discard or change Message-ID header based on another header line