How to prevent Domain Admins from being denied access to network folders

active-directory, network-share, ntfs, windows-server-2003

As I understand it, if a user creates a folder they become the owner and can control NTFS permissions including removal of inherited permissions granted to Domain Admins.

What is the best approach to prevent Domain Admins from being denied access to network folders? These are some of the approaches I have read about:

  1. You shouldn't be trying to prevent users from changing permissions on the folders they create.
  2. Schedule a script that takes over ownership of any folders that Domain Admins cannot access (sidebar question: if you change owner does that replace [i.e. remove] the ACE that granted full control to the original owner?).
  3. Use a combination of Share permissions (change and read) and NTFS permissions (modify) to limit Authenticated Users' ability to change permissions as described by Helge Klein.
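As an added example for approach 2 (this is not code from the question or the answer), a PowerShell audit that walks a share root and reports every folder where Domain Admins is denied, has lost the inherited ACE entirely, or holds less than Full Control; with -Fix it takes ownership and re-grants access with takeown.exe and icacls.exe, which also answers the sidebar question in the comments. The share root and the CONTOSO domain name are placeholder assumptions, and it assumes it runs elevated as a local Administrator on the file server.

```powershell
# Assumed placeholders: $Root and the CONTOSO domain; run elevated on the file server.
param(
    [string]$Root = 'D:\Shares\Users',
    [string]$AdminGroup = 'CONTOSO\Domain Admins',
    [switch]$Fix
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AdminAccessState {
    param([string]$Path, [string]$Group)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # No READ_CONTROL on the DACL: the inherited Domain Admins ACE has been removed.
        return [pscustomobject]@{ Path = $Path; Owner = $null; State = 'NoAccess' }
    }
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Group }
    $state = 'OK'
    if ($rules | Where-Object { $_.AccessControlType -eq 'Deny' }) {
        $state = 'Denied'        # an explicit Deny wins over any Allow ACE
    } elseif (-not ($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $FullControl) -eq $FullControl })) {
        $state = 'Reduced'       # group is present but holds less than Full Control
    }
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; State = $state }
}

function Repair-AdminAccess {
    param([string]$Path, [string]$Group)
    # Taking ownership only replaces the Owner field of the security descriptor; the
    # ACE that gave the original creator Full Control stays in the DACL until it is
    # removed explicitly. takeown /A assigns ownership to the local Administrators group.
    & takeown.exe /F $Path /A | Out-Null
    & icacls.exe $Path /remove:d $Group | Out-Null             # drop Deny ACEs for the group
    & icacls.exe $Path /grant "${Group}:(OI)(CI)F" | Out-Null   # re-grant inheritable Full Control
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AdminAccessState -Path $_.FullName -Group $AdminGroup } |
    Where-Object { $_.State -ne 'OK' } |
    ForEach-Object {
        $_                                   # report line: Path, Owner, State
        if ($Fix) { Repair-AdminAccess -Path $_.Path -Group $AdminGroup }
    }
```

Run it without -Fix first so the report shows which folders were changed and by whom (the Owner column) before any permissions are reset.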

Best Answer

This seems more like a management issue than a technical one. Taking ownership with a script or trying to block the few people that would ever play with permissions is more trouble than I think it would be worth.

In the past, we've made personal folders completely inaccessible to domain admins, but there are inevitably times when people call up and ask "can you check something in my personal directory?"

So we follow a policy that admins have to be able to read everything (with a few exceptions). If we ever come across a folder where someone has blocked admin access, we find out why, explain why we think it's better that we have access, and we change the permissions back to our default. If it happened while we were tracking down a problem, that's why we have the policy: so we could simply take control at the time and sort it out later.