Prevent owner from changing permissions on network share

is obviously related to the Sun Appliance. Something like inheritance behaviour or similar on the appliance itself. I will look into that.

No, it is how Windows ACLs work. The owner is always allowed to change ACLs on her objects. You can prevent this for shared content by using a share which only allows "Everyone:Modify" permissions, as this will "filter out" any change ACL requests at the share level. If you want to allow your Administrators to change ACLs, just add "Storage Admins:Full Control" to the share permissions.


Ok, figured it out. In Windows you have only 3 choices on the share level: read, change, full control.

[Screenshot: Windows ACL]

In the appliance you have the full set of permissions on the share level and a dropdown box to choose:

[Screenshot: Sun ACL]

If you choose "Modify" in the upper left corner, the checkmarks will be set accordingly. The checkmark "Delete Child", however, is not set when you choose "Modify", and this is the problem. If I choose "Modify" and check "Delete Child" on the share level, plus set "Modify" for Domain Users on the Root Directory, everything works as expected.
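The share-level filtering described in the answer above can be modelled as a mask intersection. This is an added example, not code from the thread or from any vendor: it is a simplified model (allow entries only, no deny entries or inheritance), the access-mask bits are the standard Windows values, and the user names and sample ACLs are constructed.

```python
# Simplified model of access over an SMB share: the rights granted by the
# file's ACL are intersected with the rights granted by the share's ACL.
# Only "allow" entries are modelled (assumption); deny entries are ignored.
DELETE            = 0x00010000
READ_CONTROL      = 0x00020000
WRITE_DAC         = 0x00040000  # "Change permissions"
WRITE_OWNER       = 0x00080000  # "Take ownership"
FILE_DELETE_CHILD = 0x00000040  # "Delete subfolders and files"
FULL_CONTROL      = 0x001F01FF
# Modify is Full Control without WRITE_DAC, WRITE_OWNER and FILE_DELETE_CHILD.
MODIFY            = FULL_CONTROL & ~(WRITE_DAC | WRITE_OWNER | FILE_DELETE_CHILD)

def granted_by(acl, groups):
    """OR together the rights of every allow entry that matches the caller."""
    mask = 0
    for trustee, rights in acl:
        if trustee in groups:
            mask |= rights
    return mask

def effective_access(groups, is_owner, file_acl, share_acl):
    """Rights the caller ends up with when going through the share."""
    file_rights = granted_by(file_acl, groups)
    if is_owner:
        # The owner implicitly holds READ_CONTROL and WRITE_DAC on the object.
        file_rights |= READ_CONTROL | WRITE_DAC
    return file_rights & granted_by(share_acl, groups)

def can_change_acl(groups, is_owner, file_acl, share_acl):
    return bool(effective_access(groups, is_owner, file_acl, share_acl) & WRITE_DAC)

# Constructed sample data (group names other than those in the thread are hypothetical).
USER  = {"Everyone", "Domain Users"}    # ordinary user who owns the file
ADMIN = {"Everyone", "Storage Admins"}  # storage administrator, not the owner
FILE_ACL = [("Domain Users", MODIFY), ("Storage Admins", FULL_CONTROL)]
OPEN_SHARE     = [("Everyone", FULL_CONTROL)]
FILTERED_SHARE = [("Everyone", MODIFY), ("Storage Admins", FULL_CONTROL)]

if __name__ == "__main__":
    print("owner, open share:    ", can_change_acl(USER, True, FILE_ACL, OPEN_SHARE))
    print("owner, filtered share:", can_change_acl(USER, True, FILE_ACL, FILTERED_SHARE))
    print("admin, filtered share:", can_change_acl(ADMIN, False, FILE_ACL, FILTERED_SHARE))
```

The same mask arithmetic shows that the Modify value carries no Delete Child bit, which matches the checkbox that had to be set separately on the appliance.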