Have you looked into using the Creator Owner group on the folder where users are allowed to create files? In other words, if users are given the right to create a file they become its owner, so you could use this permission to deny them the ability to set permissions.
Are users' administrators on their desktops? If so, they can fix the above and change permissions on folders.
It is possible to set permissions on the domain user object in AD, but I don't think you want to do so. This could have unintended consequences.
In summary, best practices are to not make users administrators and not allow local folders to be shared.
Dig Deeper on Windows 10 security and management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.