March 17th, 2014 01:00
VNX CIFS - prevent users from taking ownership
Hi guys,
We've implemented a CIFS server on a VNX5300 in order to migrate all our Windows Server File Services. Everything worked great and the migration is almost at its end; however, we recently discovered an interesting issue.
Our policy is to prevent users from taking ownership of shared folders, and in order to do this we've created a folder on the C$ in which we are placing all our shares. We've edited the security permissions on this folder and only Domain Admins and the CIFS server's Administrators have Full Control, with Administrators being owners. Now, on all shares below this mail folder the owner is "UNIX UID=0x0", and this behavior should be normal as shares are created through Unisphere. In the security permissions lists we've created access groups based on the needed access level (read or modify), and by inheritance we also get Domain Admins and Administrators.
But here comes the issue: if any user (with modify access) creates any folder below the share, they will become owner of that folder and thus have permission to remove the Admins and Domain Admins from the security permissions list on that folder. Is there any setting we can use to prohibit that?
Thanks,


dynamox
March 17th, 2014 03:00
Is there a reason you are using the "Administrators" group?
Rainer_EMC
March 17th, 2014 03:00
Isn't that the same behaviour as on a native Windows server?
defman1
March 17th, 2014 04:00
The default behavior is related to the presence of the CREATOR OWNER object in the security permission list. If you have CREATOR OWNER present at share/folder level, then all files will be "owned" by the user who creates them. If you don't have it, then the owner will be inherited. Somehow this is the behavior here, but we removed CREATOR OWNER initially to prevent this from happening.
defman1
March 17th, 2014 06:00
We have a similar configuration here; the problem is that, although CREATOR OWNER was removed from the NTFS permissions list, the users are still getting ownership of the files/folders they create inside the share. And by getting ownership they can further modify permissions on the folder and remove the Admins' permissions.
If you have removed CREATOR OWNER, can you try to create a folder inside a share on which you have modify access with a non Administration user and check the Ownership tab afterwards?
umichklewis
March 17th, 2014 06:00
For us, each time I create a new folder with my non-admin credentials, the folder reports the owner is CIFS-SERVER\Administrator. As an ordinary user, I can add ACLs to my own folder, i.e. grant access to other users, since I have "Change Permissions", but I cannot change the owner to myself, since I do not have "Take Ownership" rights. The Local Administrators group on each CIFS server contains both Domain Admins and another Administrative Group (say, NAS Admin group) - these users are able to change permissions on user files, in cases where users bork something up on their own.
Have you considered simply removing Take Ownership and possibly Change Permissions as well? It's easy to change with Windows command line tools like icacls or PowerShell's Get-Acl/Set-Acl.
Also, have you taken a look at the Effective Permissions within Windows Explorer? I'd be curious to see if users indeed have Change Permissions at both the root and lower levels of the shares.
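A read-only audit for the condition this thread is about, as an added example that is not code from any of the posters: it uses Get-Acl (named in the post above) to list folders whose owner is not an expected admin principal, or where an expected admin principal no longer holds a Full Control ACE. The share path and the principal names are placeholders (assumptions), and only ACEs that name a principal directly are checked.

```powershell
# Added example: read-only audit, changes nothing on the share.
# $Root, $ExpectedOwners and $RequiredAdmins are placeholders (assumptions).
param(
    [string]   $Root           = '\\CIFS-SERVER\share1',
    [string[]] $ExpectedOwners = @('BUILTIN\Administrators'),
    [string[]] $RequiredAdmins = @('BUILTIN\Administrators', 'EXAMPLE\Domain Admins')
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$io   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$report = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        } catch {
            # An ACL the auditing admin cannot read is itself a finding.
            return [pscustomobject]@{ Path = $path; Owner = '<unreadable>'
                                      UnexpectedOwner = $true; MissingAdmins = 'unknown' }
        }

        # Principals with an Allow ACE that applies to this folder itself
        # (not inherit-only) and carries every Full Control bit.
        $fullControl = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.PropagationFlags -band $io) -ne $io -and
                ($_.FileSystemRights -band $full) -eq $full
            } | ForEach-Object { $_.IdentityReference.Value })

        # Only ACEs naming the principal directly count; group nesting is not resolved.
        $missing = @($RequiredAdmins | Where-Object { $fullControl -notcontains $_ })

        [pscustomobject]@{
            Path            = $path
            Owner           = $acl.Owner
            UnexpectedOwner = $ExpectedOwners -notcontains $acl.Owner
            MissingAdmins   = $missing -join '; '
        }
    }

# Keep only folders that deviate from the intended ownership/ACL baseline.
$report | Where-Object { $_.UnexpectedOwner -or $_.MissingAdmins } |
    Sort-Object Path | Format-Table -AutoSize
```

An owner that Windows cannot resolve to a name is reported as its raw SID string, so such folders show up as unexpected owners until the SID is added to `$ExpectedOwners`.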
umichklewis
March 17th, 2014 06:00
For simplicity, we set the owner of all fileshares to the Administrator account on each CIFS server, then give users everything except Full Control and Take Ownership. Once you enable inheritance at the root, this propagates down.
In cases where I've seen the owner is "UNIX UID=0x0", this isn't usually desirable for us - I would take ownership and change the owner to Administration. This allowed all of our admins to provide management via Windows MMC, without having to have access to the VNX GUI as well.
defman1
March 17th, 2014 07:00
Removing Take Ownership won't help; by default users have neither Take Ownership nor Change Permissions. Those two boxes aren't checked. Also, Take Ownership would apply to already created folders; the behavior here is that the user becomes an owner automatically when he creates a folder. Basically the structure is like this:
1. C$ (C drive of CIFS Server) -> "UNIX GID=0x1" has special permissions and is also owner
2. Filesystem -> CIFS Servers Administrators group and Domain Admins have Full Control, "UNIX UID=0x0" is owner
3. Folder in which shares are created -> CIFS Servers Administrators group and Domain Admins have Full Control, CIFS Server Administrators are owners
4. Share -> CIFS Servers Administrators group and Domain Admins have Full Control, a security group with Read rights and a security group with modify rights. CIFS Server Administrators are owners.