Here is my scenario:
The "accounting" group has an NTFS file share called "reports". I need to give the accounting group access to create, delete, and modify files and folders within the reports folder.I also need to restrict their ability to change the permissions on any files and folders within the reports folder.
Currently I have granted "accounting" the "modify' set of permissions on the reports folder. This level of access leaves change permissions unchecked. However, when I login as 1 of the users I am able to create a new subfolder, grant myself full control, disable inheritance, and so on... I also tried explicitly denying the change permissions privilege, but that make no difference.
How do I restrict "change permissions"?