• Status: Solved

Removing/Disabling Creator Owner

What are the consequences of disabling/removing creator owner rights to our data share in Windows 2003 R2?
Is there any reason not to do it?
Alternatively, what if we change creator owner rights from full control to modify?
IntInc
 
Jay_Jay70 Commented:
Hi IntInc,

Basically it's like it says - permissions for the user who created / owns the share; you will just be affecting him/her.

Cheers!
 
IntInc (Author) Commented:
Will removing this permission cause something else to break? For example, the user could theoretically create a directory to which they have no access. Maybe certain apps or parts of Windows depend on it?
 
Jay_Jay70 Commented:
Not that I know of,

When a user creates that directory they have ownership of it and thus gain the privileges given by the creator owner; if they don't exist then I don't think a user will be able to do anything with the directory - I could be wrong, it's an interesting group.
 
mrenos Commented:
1. What do you want to achieve with that change of permissions?
2. The difference is that with Full Control you can change the owner of that object, whereas with Modify you can't.

Hope this helps.
 
IntInc (Author) Commented:
mrenos

1.  I'm trying to lock down access.  By default, Win2003r2 is giving CreatorOwner full control.  I don't want users to have FC of anything.  In fact, I have no reason to give CreatorOwner rights any different than anyone else.

Thus, I'd prefer to remove CreatorOwner, but at least I'd like to set rights to Modify.  However, I don't want to break anything that somehow depends on CreatorOwner having FC or any particular rights.

2.  I understand FC; I'm only wondering about CreatorOwner

Thanks.
 
mrenos Commented:
What type of data do you share in that dir ?
 
IntInc (Author) Commented:
I'm not sure what you mean by 'type':

They are mostly msoffice files, and a database (for a small app).  It's all company data, shared by the users.

Is that what you meant?
 
mrenos Commented:
Yes.
I don't think that you will have any problem changing those permissions from FC to Modify.
I only have a hesitation regarding that small app's DB. Is that DB's path and file created by an administrator or a user?

If it's from an admin, you will have no problem at all.
Just don't forget: wherever you change the permissions, always add the Domain Administrators group with Full Control on that object, just in case something goes wrong.

Hope this helps.
 
Rant32 Commented:
The CREATOR OWNER system group is a group that automatically grants the specified NTFS permissions to the, surprise, creator/owner of the object. The creator/owner is a property of all NTFS objects and is completely unrelated to NTFS permissions.

The creator owner can always, by definition, change the Access Control List of any object the user or group has created. This is the only thing a creator/owner can do: if the user is not in the ACL, then the creator/owner still has no rights on the object! The C/O can always change the ACL to include himself and give access.

Imagine you have a folder where the Users group can only WRITE (that includes creating new files and folders) but not read. If the C/O group has no explicit read access, then the user will NOT be able to read the documents he created himself. But the creator of the document can change the ACL and add himself or another group to gain access.

There are no system processes or whatever that depend on the CREATOR OWNER system group. You can safely remove C/O from the shares, as long as other user groups have the correct permissions. Keep in mind that, when a user has Modify permissions, and creates a file, that user effectively has Full Control.
So, modify + owner = Full Control.

I hope this clarifies things.
 
IntInc (Author) Commented:
Thanks Rant32.

Is there a way to remove C/O's ACL access?  Will 'taking ownership' do that?  Is there a way to make the default owner the Admin, and not the user who created the object?

Thanks again.
 
Rant32 Commented:
The C/O ACE is inherited just like all other NTFS permissions; you'll have to remove it from the parent folder structure. As I said, there is no such thing as C/O access, except for the CREATOR OWNER special system group. You can treat that like any other group.

I am not aware of a means to change the ownership behavior, and the creator/owner of a file can be very useful information as to who owns it.

You can prevent users from changing security on files and folders by taking away their Security tab; that can be done through Group Policy in Windows 2003 or XP SP2. That will not prevent CACLS/XCACLS, but it's a start.
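Rant32's two points above (the owner can always rewrite the ACL, and the CREATOR OWNER ACE is just an inherited entry that turns into an entry for the creating user), as an added Python model that is not part of the original thread. It is a simplification: allow ACEs only, file children only, and the principals alice, bob, Users and Administrators are constructed sample names.

```python
# Simplified model of NTFS allow-ACE evaluation (no deny ACEs, no privileges).
READ, WRITE, DELETE, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16
MODIFY = READ | WRITE | DELETE
FULL_CONTROL = MODIFY | WRITE_DAC | WRITE_OWNER
CREATOR_OWNER = "CREATOR OWNER"  # placeholder trustee, well-known SID S-1-3-0

class Obj:
    def __init__(self, owner, dacl):
        self.owner = owner       # ownership is stored separately from the DACL
        self.dacl = dict(dacl)   # trustee -> allowed access mask

def create_file(folder, creator):
    """Copy inherited ACEs; a CREATOR OWNER ACE becomes an ACE for the creator."""
    dacl = {}
    for trustee, mask in folder.dacl.items():
        who = creator if trustee == CREATOR_OWNER else trustee
        dacl[who] = dacl.get(who, 0) | mask
    return Obj(creator, dacl)

def granted(obj, user, groups):
    """Access the user holds right now: matching ACEs plus the owner's implicit right."""
    mask = 0
    for trustee, rights in obj.dacl.items():
        if trustee == user or trustee in groups:
            mask |= rights
    if user == obj.owner:
        mask |= WRITE_DAC        # the owner may always rewrite the DACL
    return mask

def reachable(obj, user, groups, wanted):
    """Access after the user edits the DACL in their own favour, if allowed to."""
    if granted(obj, user, groups) & WRITE_DAC:
        obj.dacl[user] = obj.dacl.get(user, 0) | wanted
    return granted(obj, user, groups)

def drop_box():
    # Constructed case: Users may only write, and the folder has no C/O ACE.
    folder = Obj("Administrators", {"Administrators": FULL_CONTROL, "Users": WRITE})
    f = create_file(folder, "alice")
    return granted(f, "alice", {"Users"}), reachable(f, "alice", {"Users"}, READ)

def shared_folder(with_creator_owner):
    # Constructed case: Users have Modify, with or without a C/O Full Control ACE.
    dacl = {"Administrators": FULL_CONTROL, "Users": MODIFY}
    if with_creator_owner:
        dacl[CREATOR_OWNER] = FULL_CONTROL
    f = create_file(Obj("Administrators", dacl), "alice")
    bob = reachable(f, "bob", {"Users"}, FULL_CONTROL)   # non-owner colleague
    return granted(f, "alice", {"Users"}), reachable(f, "alice", {"Users"}, FULL_CONTROL), bob
```

In this model, removing the C/O ACE only changes what the creator holds at creation time; while users remain owners of what they create, Full Control stays reachable for them, whereas a non-owner with Modify stays at Modify.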
 
Rant32 Commented:
Oh, thanks for the points ;-)