"Creator Owner" & "Owner Rights" Permissions in Server 2008 / 2012

Posted on 2014-08-11
Last Modified: 2016-02-23
I am setting up a new file server running Server 2012 R2.  I have created shares for each department.  For example, there is a Marketing share that only members of the Marketing group have modify access on.  In this example, Mike is a member of the marketing group and has modify access to the Marketing folder.  

My problem is that when Mike creates a folder / file within the Marketing folder, he is given Full Control of the object he created.  Mike can then go in and set permissions on that object.  I do not want to give Mike, or any other user, the rights to change permissions on the objects that they create.

During my research it seems that Microsoft introduced the "Owner Rights" principal beginning in Server 2008, on which you can set NTFS permissions.  I went ahead and added "Owner Rights" to the NTFS permissions on the Marketing folder and gave it Modify access.  My permissions are as follows:

- Administrators (Full Control of This folder, subfolders and files)
- System (Full Control of This folder, subfolders and files)
- Creator Owner (Full Control of Subfolders and files only)
- Marketing Group (Modify of this folder, subfolders and files)
- Owner Rights (Modify of Subfolders and files only)

The problem with these permissions is that Mike can still edit the permissions of files and folders that he creates.  If I remove "Creator Owner" then Mike can still create folders / files but he is no longer able to change the permissions on the item.  

It was my understanding that "Owner Rights" would take precedence over "Creator Owner" but I may be wrong.  If I am assigning "Owner Rights" to the Marketing share then is it safe to simply remove "Creator Owner"?
Question by:csimmons1324
    LVL 23

    Assisted Solution


    Nope.. Microsoft's view on this is that, while giving permissions (not denying permissions) the setting with the most permissions will be applied.

    Also, it's their general idea that a user who creates a file is the owner and therefore is entitled to give out permissions to those files and folders. The solution to this is quite easy (if you are the one who always wants to set permissions), just remove the Creator Owner user from the permissions tab. It has no other use than to give the creator of a folder the option to set permissions. Also, removing it will not affect your permissions strategy at all.
    LVL 24

    Assisted Solution

    Your question is whether it is safe to remove Creator Owner, and in my experience it is, as I do. I have two groups: one called mgr, to which I add any user that will have full control, and a sales group, to which I give only modify rights; that way the managers can deal with all issues related to permissions. So removing the Creator Owner group is OK and won't break usage of the files and folders. I have removed it on all my shared folders with no real issues.

    Author Comment

    Here is what I discovered on another site:

    OWNER RIGHTS, which represents the current owner of a file or folder. Permissions assigned to this identity will set the permissions for the owner, overriding the owner’s implicit rights, including the right to change permissions. So the new best practice is to assign OWNER RIGHTS::Allow::Modify.

    I interpreted this as if Owner Rights is assigned to the object then those permissions would override the Creator Owner permissions that are assigned to the same object.  However, in my testing it is not working that way.  If I leave Creator Owner permissions in place, along with Owner Rights, then the owner of the object can still change permissions.  Maybe I am interpreting the quote above wrong.

    Accepted Solution

    My interpretation was correct and Owner Rights is working as described.  Upon rebooting the client PC it is working as intended.

    Author Closing Comment

    rhandels and lionelmm seemed to be correct that it is okay to remove the Creator Owner permissions.  However, I feel that it is best to leave Creator Owner permissions intact and use Owner Rights as MS intended to restrict the owner from changing permissions.
    LVL 1

    Expert Comment

    by:Andrew Voytas
    I have found that if I remove Creator Owner my users will constantly get a popup when trying to create a folder "You need permission from 'your alias here' " to create this folder. Basically telling them they need permissions from themselves. Then they click cancel and folder is created. As a work around I leave Creator Owner but change the permission to modify instead of leaving it full control. This has worked for me.
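
One way to test the variants discussed in this thread on your own server, as an added PowerShell example that is not from any of the posters: it applies the ACL from the question with CREATOR OWNER set to Full Control, Modify or removed, then reports every ACE on an object that names its owner, CREATOR OWNER (S-1-3-0) or OWNER RIGHTS (S-1-3-4), and whether that ACE grants the right to change permissions. The path, the group name and the function names are assumptions.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal
# Added example. $Root and $Group are placeholders; run elevated against a test folder.
$Root  = 'D:\Shares\Marketing'
$Group = [NTAccount]'CONTOSO\Marketing'
$Admins, $System = [SecurityIdentifier]'S-1-5-32-544', [SecurityIdentifier]'S-1-5-18'
$CreatorOwner, $OwnerRights = [SecurityIdentifier]'S-1-3-0', [SecurityIdentifier]'S-1-3-4'

function New-Rule([IdentityReference]$Identity, [FileSystemRights]$Rights, [switch]$ChildrenOnly) {
    # "Subfolders and files only" is an inheritable ACE flagged InheritOnly.
    $prop = if ($ChildrenOnly) { 'InheritOnly' } else { 'None' }
    [FileSystemAccessRule]::new($Identity, $Rights,
        [InheritanceFlags]'ContainerInherit,ObjectInherit', [PropagationFlags]$prop,
        [AccessControlType]::Allow)
}
function Set-DepartmentAcl {
    param([ValidateSet('FullControl', 'Modify', 'None')][string]$CreatorOwnerRights = 'FullControl')
    $acl = Get-Acl -LiteralPath $Root
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the parent
    foreach ($old in $acl.GetAccessRules($true, $false, [SecurityIdentifier])) {
        $acl.RemoveAccessRuleSpecific($old)       # clear existing explicit ACEs
    }
    $acl.AddAccessRule((New-Rule $Admins FullControl))
    $acl.AddAccessRule((New-Rule $System FullControl))
    $acl.AddAccessRule((New-Rule $Group Modify))
    $acl.AddAccessRule((New-Rule $OwnerRights Modify -ChildrenOnly))
    if ($CreatorOwnerRights -ne 'None') {
        $acl.AddAccessRule((New-Rule $CreatorOwner $CreatorOwnerRights -ChildrenOnly))
    }
    Set-Acl -LiteralPath $Root -AclObject $acl
}
function Get-OwnerAceReport([string]$Path) {
    # CREATOR OWNER is swapped for the creator's SID on new objects, so also match the owner.
    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.GetOwner([SecurityIdentifier]).Value
    foreach ($ace in $acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -notin $owner, 'S-1-3-0', 'S-1-3-4') { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            InheritOnly = $ace.PropagationFlags -match 'InheritOnly'
            # WRITE_DAC (0x40000) or GENERIC_ALL (0x10000000) allows editing the DACL
            CanChangePermissions = [bool]([int]$ace.FileSystemRights -band 0x10040000)
        }
    }
}
Set-DepartmentAcl -CreatorOwnerRights FullControl   # or Modify / None, per the replies
# After a non-admin group member creates items under $Root, audit them:
Get-ChildItem -LiteralPath $Root -Recurse | ForEach-Object { Get-OwnerAceReport $_.FullName }
```

Rows with `InheritOnly` set to False and `CanChangePermissions` set to True are the ACEs that let the owner edit the DACL on that object; compare the output across the three `-CreatorOwnerRights` values.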
