Question : NTFS ACLs and file ownership transfer

Hello all,
I'm currently reading the Windows Administration Productivity Solutions for IT Professionals, which is a great guide on setting up Active Directory infrastructures and designing a Role Based Access Control (RBAC) environment.

I currently have an infrastructure in place with about 3000 users and some 33000 students. I am taking on the challenge to revamp everything in there to comply with an RBAC system, rather than what I have inherited, which is really very rudimentary and insecure, and most of all, unauditable.

The concept of the RBAC seemed to make sense. In particular, I have a question regarding one item:
The best practice is to create shared folders for departments, and contrary to general practice, it is recommended that only EDIT permissions be given to the department security group role (meaning, no delete), and then giving the OWNER CREATOR access for deleting their own files.
I think this is a great system, that will avoid having people delete each other's files on purpose, or accidentally, while still allowing them to create and modify each other's files.
This is done by setting the ownership on the files and/or folders, and assigning the correct permissions.

Now my question:
Let's say John Doe used to work in Marketing, and had access to the marketing share. He created a bunch of files and folders of which he is now the owner, and the rest of the department can modify, but not delete, his files.
Suddenly John Doe finds a new job, and he's out. Now, I have a bunch of scattered files and folders with him as an owner over them (or his now orphan SID as owner). Short of taking ownership of the parent folder, which would also mean taking ownership of other users' files in that department (which, of course, I wouldn't want to do), I don't really see an easy way to transfer over the ownership of John's files to the person replacing him within this model.

Is anyone out there using RBAC, and particularly this system of file ownership, and if so, how are you managing file ownership transfers upon employee arrival or departure?

I love the system, but I want to try to think long term first, before implementing something that sounds like a great solution and then ending up stuck with big caveats and management nightmares...

Looking forward to hearing your opinions.
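
An added example (not part of the original question or of the answer below) of the selective transfer asked about above: it matches items by the owner's SID, so an orphaned SID is caught too, and reassigns only those items. The share path and account names are placeholders; it assumes an elevated Windows session with `icacls.exe` available.

```powershell
# Added example: transfer ownership only for items owned by one departed account.
# Share path and account names below are placeholders, not values from the page.
param(
    [string]$Root     = '\\fileserver\Marketing',  # hypothetical department share
    [string]$OldOwner = 'CONTOSO\jdoe',            # account name, or SID string if already deleted
    [string]$NewOwner = 'CONTOSO\jsmith',          # hypothetical replacement account
    [switch]$Apply                                 # without -Apply the script only reports
)

function Resolve-Sid([string]$Identity) {
    # An orphaned owner can no longer be resolved by name, so accept a raw SID string too.
    if ($Identity -match '^S-1-') {
        return New-Object System.Security.Principal.SecurityIdentifier($Identity)
    }
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

$oldSid = (Resolve-Sid $OldOwner).Value

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.FullName
    try {
        # Read the owner as a SID so no name lookup is needed for deleted accounts.
        $acl   = Get-Acl -LiteralPath $path -ErrorAction Stop
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot read owner of ${path}: $($_.Exception.Message)"
        return
    }
    if ($null -eq $owner -or $owner.Value -ne $oldSid) { return }   # someone else's item: leave it

    $changed = $false
    if ($Apply) {
        # icacls /setowner changes only the owner field; the DACL is left as it is.
        & icacls.exe $path /setowner $NewOwner /Q | Out-Null
        $changed = ($LASTEXITCODE -eq 0)
    }
    # One record per matched item, suitable for piping to Export-Csv as an audit trail.
    [pscustomobject]@{ Path = $path; PreviousOwnerSid = $oldSid; NewOwner = $NewOwner; Changed = $changed }
}
```

Run it first without `-Apply` and review the list. ACEs that were generated from the CREATOR OWNER placeholder when an item was created still name the previous owner's SID after the owner changes, so check the new owner's effective delete rights.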

Answer : NTFS ACLs and file ownership transfer

Found this on MS forums:

> When trying to install Windows Defender, I was getting the following error
> "Service 'Windows Defender' (WinDefend) failed to start. Verify you have
> sufficient privileges to start system services."

> My problem was due to Spyware or a virus. I got rid of the Spyware by using
> AVG and MalWareBytes but was still not able to install Defender (also I had
> never had Defender installed on the PC).

> Here is how I fixed it:
> Searched the Registry for any "Defender" entries. Found an entry under
> "HKLM\Software\Microsoft\Windows Defender". When I tried to delete it
> (Windows Defender folder) I found I could not due to not enough rights. So I
> right-clicked the folder, selected "Permissions" for this folder and gave the
> Administrator FULL rights (it had only READ). I was then able to delete this
> registry folder. After this I was able to install Windows Defender without any
> problems. I believe that the Spyware or virus I got added this entry to the
> registry to prevent me from installing Windows Defender.



Also check out this:

http://smartnetadmin.blogspot.com/2010/08/error-1920-windows-defender-service.html