Remote Support Software

Provide instant remote support to customers and employees:

Click here for a free trial

Why are OWNER/CREATOR Permissions entered this way?

Hi Folks,
Given the choice, Windows will set file permissions that give the explicit owner permissions in "This Folder Only" and then give "OWNER/CREATOR" the same permissions for "Subfolders and Files only". From my point of view, it looks to me that
the explicit owner is getting permissions on "This Folder, Subfolders and Files". So why are the permission divide this way? Can anybody tell me a difference between them or explain why Windows does things this way?Thanks for the help,

Chris.

There is an amazing pack of free network admin tools. click here to download it






June 12th, 2012 1:35pm
Hi,

The Owner of the object is not the same thing as the Creator Owner built-in group available when applying security in NTFS and Active Directory. However, the Creator Owner group does allow administrators
to assign specific permissions to the Owner so that they may read, write, or modify an object they would otherwise not have access to. The need for this type of configuration is very limited in scope.
For more details, please go through the below links:

Creator Owner Explained


http://networkadminkb.com/KB/a80/creator-owner-explained.aspx


CREATOR OWNER entry in NTFS Security


http://www.edugeek.net/forums/windows/62502-creator-owner-entry-ntfs-security.html

Regards,
Yan LiYan Li
TechNet Community Support

Need to support users over the internet? click here try our remote control online beta






June 15th, 2012 12:22am
Hi Chris!
To be straight, I found Yan Li's answer to your question a bit confusing -- but in no way incorrect.
I try to explain the issue in other words, and hope that it will help better.
EVERY object in a Windows system (be it a file, a folder, a process, ...) has a both a security descriptor AND a _current_ owner. The latter may be a group (e.g. "Administrators") or a single-user account.
A common security setting for both directories and printer queues is: "Users - Read/Write (or: Print), Owners-Creators: Full Access".
Does that mean, that the _current_ owner of a specific directory has "Full Access"? No, not necessarily. BTW: In W2k8/WV there are "Owner Rights", but that is another topic!
Now: Does that mean, that a user, who stores a new file in such a directory, has "Full Control" over this file, despite the fact, he was given "Read/Write"? YES!!!
And why is that? "Read/Write" is for current (i.e. existing) files / directories only! For NEW files, THAT SPECIFIC user is now the Owner/Creator, who can determine which other users may (or may not) access this file, and to which extend.
The same applies for print jobs: with such settings, a specific user MAY NOT modify other user's print job, but has full control over her own!
Hope that helps...

There is an amazing pack of free network admin tools. click here to download it






June 15th, 2012 12:24pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics