"Creator Owner" & "Owner Rights" Permissions in Server 2008 / 2012

Posted on 2014-08-11
Medium Priority
Last Modified: 2016-02-23
I am setting up a new file server running Server 2012 R2.  I have created shares for each department.  For example, there is a Marketing share that only members of the Marketing group have modify access on.  In this example, Mike is a member of the marketing group and has modify access to the Marketing folder.  

My problem is that when Mike creates a folder / file within the Marketing folder that he is given Full Control of the object he created.  Mike can then go in and set permissions on that object.  I do not want to give Mike, or any other user,  the rights to change permissions on the objects that they create.

During my research it seems that Microsoft introduced the "Owner Rights" principal beginning in Server 2008 to which you can set NTFS permission upon.  I went ahead and added "Owner Rights" to the NTFS permissions on the Marketing folder and gave it Modify access.  My permissions are as follows:

- Administrators (Full Control of This folder, subfolders and files)
- System (Full Control of This folder, subfolders and files)
- Creator Owner (Full Control of Subfolders and files only)
- Marketing Group (Modify of this folder, subfolders and files)
- Owner Rights (Modify of Subfolders and files only)

The problem with these permissions is that Mike can still edit the permissions of files and folders that he creates.  If I remove "Creator Owner" then Mike can still create folders / files but he is no longer able to change the permissions on the item.  

It was my understanding that "Owner Rights" would take precedence over "Creator Owner" but I may be wrong.  If I am assigning "Owner Rights" to the Marketing share then is it safe to simply remove "Creator Owner"?
Question by:csimmons1324
LVL 23

Assisted Solution

rhandels earned 1000 total points
ID: 40255031

Nope.. Microsoft'v view on this is that, while giving permissions (not denying permissions) the setting with the most permissions will be applied.

Also, it's the their general idea that a user who creates a file is the owner and therefore is entitled to give out permissions to those files and folders. The solution to this is quite easy (if you are the one who always wants to set permissions), just remove the Creator Owner user from the permissions tab. It has no other use than to give the creator of a folder the option to set permissions. Also, removing it will not effect your permissions strategy at all.
LVL 26

Assisted Solution

by:Lionel MM
Lionel MM earned 1000 total points
ID: 40255360
You question is it is safe to remove creator owner and in my experience it is as I do--I have two groups that I have one called mgr to which I add any user that will have full control and a sales group and give them only modify rights; that way the managers can deal with all issues related to permissions. So removing the creator owner group is OK and won't break usage of the files and folders--I have removed it on all my shared folders with no real issues.

Author Comment

ID: 40255909
Here is what I discovered on another site:

OWNER RIGHTS, which represents the current owner of a file or folder. Permissions assigned to this identity will set the permissions for the owner, overriding the owner’s implicit rights, including the right to change permissions. So the new best practice is to assign OWNER RIGHTS::Allow::Modify.

I interpretted this as if Owner Rights is assinged to the object then those permissions would override the Creator Owner permissions that are assigned to the same object.  However, in my testing it is not working that way.  If I leave Creator Owner permissions in place, along with Owner Rights, then the owner of the object can still change permissions.  Maybe I am interpretting the quote above wrong.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Accepted Solution

csimmons1324 earned 0 total points
ID: 40255952
My interpretation was correct and Owener Rights is working as described.  Upon rebooting the client PC it is working as intended.

Author Closing Comment

ID: 40265929
rhandels and lionelmm seemed to be correct that it is okay to remove the Creator Owner permissions.  However, I feel that it is best to leave Creator Owner permissions intact and use Owner Rights as MS intended to restrict the owner from changing permissions.

Expert Comment

by:Andrew Voytas
ID: 41477198
I have found that if I remove Creator Owner my users will constantly get a popup when trying to create a folder "You need permission from 'your alias here' " to create this folder. Basically telling them they need permissions from themselves. Then they click cancel and folder is created. As a work around I leave Creator Owner but change the permission to modify instead of leaving it full control. This has worked for me.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question