SID OWNER RIGHTS
Hello,

I tried to get the new SID OWNER RIGHTS working, but I failed. What I did:

- Create a shared folder with the following DACL:

    C:\Users\standarduser>icacls C:\shares
    C:\shares OWNER RIGHTS : (OI)(CI)(M)
              NT AUTHORITY\SYSTEM : (OI)(CI)(F)
              BUILTIN\Administrators : (OI)(CI)(F)
              BUILTIN\Users : (OI)(CI)(RX)
              BUILTIN\Users : (CI)(S,WD,AD)
              CREATOR OWNER : (OI)(CI)(IO)(F)

- A standard user creates a folder underneath:

    C:\Users\standarduser>icacls "C:\shares\new folder"
    C:\shares\new folder OWNER RIGHTS : (I)(OI)(CI)(M)
                         NT AUTHORITY\SYSTEM : (I)(OI)(CI)(F)
                         BUILTIN\Administrators : (I)(OI)(CI)(F)
                         BUILTIN\Users : (I)(OI)(CI)(RX)
                         BUILTIN\Users : (I)(CI)(S,WD,AD)
                         POWERSERVER\standarduser : (I)(F)
                         CREATOR OWNER : (I)(OI)(CI)(IO)(F)

The owner of the New Folder is standarduser. In my opinion the standarduser should now be unable to change the DACL of this folder. But he still is able to do so! What am I missing here?

Thanks a lot for your help!
Jürgen
April 7th, 2008 11:16am

Hello,

It should be expected that Full Control permission is assigned to the folder creator and also that the creator takes ownership of the folder. This ensures that the creator will be able to access and change all files underneath.

Also, by default, the Creator Owner group (well-known SID: S-1-3-0) is granted Full Control permission on the folder. The Creator Owner group is a placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID of the object's creator. Since the creator (standarduser) has been granted Full Control permission, he can apparently change the DACL of the folder.

Hope it helps.
April 9th, 2008 1:31pm

Hello,

thanks a lot for your answer. Yes, meanwhile I figured out that my mistake was to grant Full Access to the SID CREATOR OWNER. OWNER RIGHTS only works the right way if it is added to an ACL in which the CREATOR OWNER SID is granted only Modify rights. Then it simply masks the built-in ability of the owner to change permissions.
April 9th, 2008 2:10pm
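As an added example (not the thread's own code), the corrected DACL from the last post built with PowerShell, followed by an audit that goes a step further and flags any subfolder where an ACE still gives the owner a way around OWNER RIGHTS. It assumes the share root C:\shares and an elevated session; the SID constants are the well-known Windows ones.

```powershell
# Added example, not the thread's own code: build the DACL the last post
# describes (OWNER RIGHTS = Modify, CREATOR OWNER = Modify rather than Full
# Control) and audit subfolders for ACEs that hand WRITE_DAC back to the owner.
# Assumptions: the share root is C:\shares and the script runs elevated.
$root = 'C:\shares'

$ownerRights  = [System.Security.Principal.SecurityIdentifier]'S-1-3-4'      # OWNER RIGHTS
$creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'      # CREATOR OWNER
$system       = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'     # NT AUTHORITY\SYSTEM
$admins       = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544' # BUILTIN\Administrators
$users        = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545' # BUILTIN\Users

function New-Ace {
    param($Sid, [string]$Rights,
          [string]$Inherit = 'ContainerInherit, ObjectInherit', [string]$Prop = 'None')
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Sid, [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Prop,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = [System.Security.AccessControl.DirectorySecurity]::new()
$acl.SetAccessRuleProtection($true, $false)                  # do not inherit from C:\
$acl.AddAccessRule((New-Ace $ownerRights 'Modify'))          # OWNER RIGHTS (OI)(CI)(M)
$acl.AddAccessRule((New-Ace $system 'FullControl'))          # (OI)(CI)(F)
$acl.AddAccessRule((New-Ace $admins 'FullControl'))          # (OI)(CI)(F)
$acl.AddAccessRule((New-Ace $users 'ReadAndExecute'))        # (OI)(CI)(RX)
$acl.AddAccessRule((New-Ace $users 'CreateFiles, CreateDirectories, Synchronize' 'ContainerInherit'))  # (CI)(S,WD,AD)
# The fix from the thread: CREATOR OWNER gets Modify, so the ACE inherited by the
# creator carries no WRITE_DAC and OWNER RIGHTS masks the owner's implicit one.
$acl.AddAccessRule((New-Ace $creatorOwner 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -Path $root -AclObject $acl

# Audit: an Allow ACE granting ChangePermissions or TakeOwnership to CREATOR OWNER
# or to the folder's own owner lets that owner change the DACL despite OWNER RIGHTS.
$risky = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
Get-ChildItem -Path $root -Directory -Recurse | ForEach-Object {
    $sec   = Get-Acl -Path $_.FullName
    $owner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference
        if (($who -eq $creatorOwner -or $who -eq $owner) -and
            ([int]($ace.FileSystemRights -band $risky) -ne 0)) {
            Write-Warning ("{0}: {1} holds {2}" -f $_.FullName, $who, $ace.FileSystemRights)
        }
    }
}
```

Run against the original layout from the first post, the audit reports the inherited `(I)(F)` entry for standarduser on "new folder", which is exactly the ACE that let the owner keep editing the DACL.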
