Restrict access at the share level.
https://superuser.com/questions/1278120/prevent-user-to-change-file-permission-on-its-files
You can use takeown.exe to reset ownership on files and folders. The one downside to this is that you might have reset every file/folder in the entire folder structure.
Here's a PowerShell script that you can use to report on ownership, and reset the owner for files/folders that do not match the specified group.
$folder = "C:\Temp" # the folder to analyze
$update = $false # $true to update the owner; $false to only run a report
$admins = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators") # the account that you want to own the files/folders
Get-ChildItem $folder -Recurse | ForEach-Object { # add the -Directory switch to GCI to only look at directories
    $acl = Get-Acl $_.FullName
    if ($acl.Owner -ne $admins.Value) {
        $owner = $acl.Owner # save the original owner
        if ($update) { # if $update -eq $true, then update the owner
            $acl.SetOwner($admins)
            Set-Acl $_.FullName -AclObject $acl # -whatif
            "*Updated* - {0} - {1}" -f $owner, $_.FullName
        } else {
            "{0} - {1}" -f $owner, $_.FullName
        }
    }
}
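
One way to apply the share-level restriction mentioned at the top of this answer, as an added example that is not part of the original post: it reports which accounts hold Full Control on an SMB share and, when `$update` is set, downgrades them to Change, which removes the ability to change permissions or take ownership over the share. The share name `Projects` and the `$keepFull` list are assumptions; the script needs the SmbShare module and an elevated session.

```powershell
# Added example: the share name and the exempt principals below are assumptions.
$shareName = "Projects"   # hypothetical existing SMB share
$update    = $false       # $false = report only, $true = downgrade Full to Change
$keepFull  = @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") # allowed to keep Full

Get-SmbShareAccess -Name $shareName |
    Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.AccessRight -eq "Full" -and
        $keepFull -notcontains $_.AccountName
    } |
    ForEach-Object {
        $account = $_.AccountName
        if ($update) {
            # Remove the existing entry first, then grant Change
            # (read/write/delete, but no permission or ownership changes via the share).
            Revoke-SmbShareAccess -Name $shareName -AccountName $account -Force | Out-Null
            Grant-SmbShareAccess -Name $shareName -AccountName $account -AccessRight Change -Force | Out-Null
            "*Downgraded to Change* - {0} - {1}" -f $account, $shareName
        } else {
            "Full - {0} - {1}" -f $account, $shareName
        }
    }
```

Share permissions only apply to access over the network; a user logged on locally to the server is still governed by the NTFS ACL and ownership alone.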