Allow user to change permissions on a folder, but not remove/change Domain Admins access?
We're a small college, and I have one file share for an athletics team that I want to turn over to the coach. We don't track or have a group for athletic team members in Active Directory, and the coach wants to exclude certain people from certain sub-folders, so I want the coach to be able to add/remove accounts for his team directly in the security tab of the folder on his own. He knows enough and is tech-savvy enough to be able to handle this.
What I don't want him to be able to do is add/remove any of the administration groups or special accounts: SYSTEM, Network Service (the folder is used with a web app), Domain Admins, AthleticDeptAdmin, etc.
Is it possible for me to give him access to change some of the security options without giving him access to remove those other permissions?
Solution 1:
This is easy. As an example: make a subfolder called "Soccer" and make a matching group. Then delegate the ability for someone in athletics to add or remove users in the Soccer security group. As long as the Soccer group has sufficient access on the NTFS ACL for the Soccer folder, they won't need to touch file permissions at all.
People in the Soccer group will be able to see the Soccer subfolder.
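The delegation described in this answer, as an added PowerShell example that is not part of the original answer: it creates the team group, grants the coach the right to write that one group's member attribute (and nothing else in the directory), and gives the group Modify on the subfolder while leaving the existing SYSTEM, NETWORK SERVICE and Domain Admins entries alone. The group name, OU, coach account, domain and folder path are placeholders; it assumes the ActiveDirectory module and its AD: drive are available and that it is run by an account that can already edit both the group object and the folder ACL.

```powershell
# Added example; all names below are assumed placeholders, not the site's real values.
Import-Module ActiveDirectory

$GroupName  = 'Athletics-Soccer'                 # assumed team group name
$GroupOU    = 'OU=Athletics,DC=example,DC=edu'   # assumed OU for athletics groups
$Coach      = 'EXAMPLE\coach.smith'              # assumed delegate account
$FolderPath = 'D:\Shares\Athletics\Soccer'       # assumed team subfolder

# 1. Create the team security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
$Group = Get-ADGroup -Identity $GroupName

# 2. Delegate membership management: allow the coach to write the 'member'
#    attribute on this single group object. The GUID is the well-known
#    schemaIDGUID of the 'member' attribute.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$CoachSid = ([System.Security.Principal.NTAccount]$Coach).Translate(
    [System.Security.Principal.SecurityIdentifier])
$GroupAclPath = "AD:\$($Group.DistinguishedName)"
$GroupAcl = Get-Acl -Path $GroupAclPath
$AdRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $CoachSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $MemberAttrGuid)
$GroupAcl.AddAccessRule($AdRule)
Set-Acl -Path $GroupAclPath -AclObject $GroupAcl

# 3. Grant the group Modify on the folder, inherited by files and subfolders.
#    Only a new ACE is added; the existing administrative ACEs are not touched.
$FolderAcl = Get-Acl -Path $FolderPath
$FsRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "EXAMPLE\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$FolderAcl.AddAccessRule($FsRule)
Set-Acl -Path $FolderPath -AclObject $FolderAcl

# The coach can now manage the roster with Add-ADGroupMember / Remove-ADGroupMember
# (or the group's Members tab in Active Directory Users and Computers) and never
# needs write access to the folder's security tab.
```

After this runs, the folder ACL is checked only once by you; the coach's day-to-day work is limited to group membership, so there is no way for him to remove the administrative entries even by accident. If he needs per-subfolder exclusions, repeat the pattern with one group per subfolder.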
Solution 2:
The short answer is no. If a user can change permissions on something, they can change all the permissions. But if you trust the person to edit the permissions in the first place, can't you trust them not to screw them up by removing the important pieces? Or better yet, how about you trust them until they screw up. Then re-evaluate the situation.
The only technical way around this is to provide some sort of front-end for changing the permissions. The front-end has the "real" access to change permissions, but only lets the user change the permissions that should be editable. It's way overkill for something like this, but it would theoretically work.
Edit: I should point out that even if they do remove Domain Admin privs from the folder, it doesn't mean you lose access forever. It just means your app is broken until someone realizes what happened and re-establishes the correct permissions. As Domain Admin, you'll always be able to reset the ownership of the folder and re-add the permissions.
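The "front-end" this answer describes, as an added PowerShell example that is not part of the original answer: a function that holds the real right to edit the ACL but refuses any request that names a protected principal or a path outside the team share. It is meant to be exposed to the coach through something that runs it with elevated rights on his behalf (a scheduled task fed by a request file, or a JEA endpoint that exposes only this function); the share root, domain and principal names are placeholders.

```powershell
# Added example; share root and principal names are assumed placeholders.
$TeamRoot = 'D:\Shares\Athletics'          # assumed root the coach may manage

# Principals the coach must never be able to add, change or remove.
$ProtectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\NETWORK SERVICE',
    'EXAMPLE\Domain Admins',
    'EXAMPLE\AthleticDeptAdmin'
)

function Test-ProtectedIdentity {
    param([string]$Identity)
    foreach ($p in $ProtectedPrincipals) {
        if ($Identity -ieq $p) { return $true }
    }
    return $false
}

function Test-ManagedPath {
    # Accept only paths at or below the team root; the trailing backslash
    # stops 'D:\Shares\Athletics2' from matching 'D:\Shares\Athletics'.
    param([string]$Path)
    $root = $TeamRoot.TrimEnd('\') + '\'
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    return $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
}

function Set-TeamFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Grant', 'Revoke')][string]$Action,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    if (-not (Test-ManagedPath $Path)) {
        throw "Refused: '$Path' is outside the managed share '$TeamRoot'."
    }
    if (Test-ProtectedIdentity $Identity) {
        throw "Refused: '$Identity' is a protected principal."
    }

    $acl = Get-Acl -Path $Path
    if ($Action -eq 'Grant') {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    else {
        # Remove only explicit (non-inherited) rules for this identity, so
        # entries inherited from the parent folder are never edited here.
        $explicit = $acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Identity
        }
        foreach ($r in $explicit) { [void]$acl.RemoveAccessRule($r) }
    }
    Set-Acl -Path $Path -AclObject $acl
    Write-Verbose "$Action $Rights for $Identity on $Path"
}

# Usage, executed by the privileged wrapper on the coach's request:
# Set-TeamFolderAccess -Path 'D:\Shares\Athletics\Soccer\Varsity' -Identity 'EXAMPLE\jdoe' -Action Grant
# Set-TeamFolderAccess -Path 'D:\Shares\Athletics\Soccer\Varsity' -Identity 'EXAMPLE\jdoe' -Action Revoke
# Set-TeamFolderAccess -Path 'D:\Shares\Athletics\Soccer' -Identity 'EXAMPLE\Domain Admins' -Action Revoke
#   -> throws "Refused: 'EXAMPLE\Domain Admins' is a protected principal."
```

Two points worth keeping in mind if you go this route: the protected list is a deny-list, so a principal you forget to add (for example a service account added later for the web app) is editable; and the function only enforces policy when the coach has no other path to the ACL, so his own account must not hold Change Permissions on the folder. That is exactly why the answer calls it overkill compared with the group-based delegation.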