"Creator Owner" & "Owner Rights" Permissions in Server 2008 / 2012

I am setting up a new file server running Server 2012 R2.  I have created shares for each department.  For example, there is a Marketing share that only members of the Marketing group have modify access on.  In this example, Mike is a member of the marketing group and has modify access to the Marketing folder.  

My problem is that when Mike creates a folder / file within the Marketing folder, he is given Full Control of the object he created.  Mike can then go in and set permissions on that object.  I do not want to give Mike, or any other user, the rights to change permissions on the objects that they create.

During my research it seems that Microsoft introduced the "Owner Rights" principal beginning in Server 2008, on which you can set NTFS permissions.  I went ahead and added "Owner Rights" to the NTFS permissions on the Marketing folder and gave it Modify access.  My permissions are as follows:

- Administrators (Full Control of This folder, subfolders and files)
- System (Full Control of This folder, subfolders and files)
- Creator Owner (Full Control of Subfolders and files only)
- Marketing Group (Modify of this folder, subfolders and files)
- Owner Rights (Modify of Subfolders and files only)

The problem with these permissions is that Mike can still edit the permissions of files and folders that he creates.  If I remove "Creator Owner" then Mike can still create folders / files but he is no longer able to change the permissions on the item.  

It was my understanding that "Owner Rights" would take precedence over "Creator Owner" but I may be wrong.  If I am assigning "Owner Rights" to the Marketing share then is it safe to simply remove "Creator Owner"?
csimmons1324 (IT Manager) asked:


Nope. Microsoft's view on this is that, while giving permissions (not denying permissions), the setting with the most permissions will be applied.

Also, it's their general idea that a user who creates a file is the owner and therefore is entitled to give out permissions to those files and folders. The solution to this is quite easy (if you are the one who always wants to set permissions), just remove the Creator Owner user from the permissions tab. It has no other use than to give the creator of a folder the option to set permissions. Also, removing it will not affect your permissions strategy at all.
Lionel MM (Small Business IT Consultant) commented:
Your question is whether it is safe to remove Creator Owner, and in my experience it is, as I do. I have two groups: one called mgr, to which I add any user that will have full control, and a sales group, to which I give only modify rights; that way the managers can deal with all issues related to permissions. So removing the Creator Owner group is OK and won't break usage of the files and folders. I have removed it on all my shared folders with no real issues.
csimmons1324 (IT Manager, author) commented:
Here is what I discovered on another site:

OWNER RIGHTS, which represents the current owner of a file or folder. Permissions assigned to this identity will set the permissions for the owner, overriding the owner’s implicit rights, including the right to change permissions. So the new best practice is to assign OWNER RIGHTS::Allow::Modify.

I interpreted this as if Owner Rights is assigned to the object then those permissions would override the Creator Owner permissions that are assigned to the same object.  However, in my testing it is not working that way.  If I leave Creator Owner permissions in place, along with Owner Rights, then the owner of the object can still change permissions.  Maybe I am interpreting the quote above wrong.

csimmons1324 (IT Manager, author) commented:
My interpretation was correct and Owner Rights is working as described.  Upon rebooting the client PC it is working as intended.

csimmons1324 (IT Manager, author) commented:
rhandels and lionelmm seemed to be correct that it is okay to remove the Creator Owner permissions.  However, I feel that it is best to leave Creator Owner permissions intact and use Owner Rights as MS intended to restrict the owner from changing permissions.
Andrew Voytas (Systems Support Analyst IV) commented:
I have found that if I remove Creator Owner my users will constantly get a popup when trying to create a folder "You need permission from 'your alias here' " to create this folder. Basically telling them they need permissions from themselves. Then they click cancel and folder is created. As a workaround I leave Creator Owner but change the permission to modify instead of leaving it full control. This has worked for me.
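
An added example, not code from any poster in this thread: a PowerShell sketch that adds the OWNER RIGHTS Modify entry from the question ("Subfolders and files only") and then lists every child object where a principal other than Administrators or SYSTEM can still change permissions or take ownership, so the result can be checked after a test user creates a file. The share path is a hypothetical placeholder; S-1-3-4 is the well-known SID for OWNER RIGHTS.

```powershell
# Added example. $root is a hypothetical path; run elevated on a test folder first.
$root = 'D:\Shares\Marketing'

function Add-OwnerRightsModify {
    param([Parameter(Mandatory)][string]$Path)
    # S-1-3-4 = OWNER RIGHTS (well-known SID, available from Server 2008 / Vista)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,   # subfolders and files only
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-PermissionChangers {
    param([Parameter(Mandatory)][string]$Path)
    $trusted     = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, SYSTEM
    $mask        = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs rather than names so the comparison is locale-independent.
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                # Inherit-only ACEs do not apply to the object itself, so skip them.
                (([int]$_.PropagationFlags -band $inheritOnly) -eq 0) -and
                (([int]$_.FileSystemRights -band $mask) -ne 0) -and
                ($trusted -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Owner  = $acl.Owner
                    Sid    = $_.IdentityReference.Value
                    Rights = $_.FileSystemRights
                }
            }
    }
}

Add-OwnerRightsModify -Path $root
Get-PermissionChangers -Path $root | Format-Table -AutoSize
```

An empty result from `Get-PermissionChangers` means no ACE on the existing child objects grants those two rights outside Administrators and SYSTEM; it reads stored ACEs only and does not compute effective access.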

Question has a verified solution.
