Sunday, February 20, 2011

The CREATOR OWNER Problem

This post describes the problem caused by the CREATOR OWNER permissions that are set by default in Windows Server 2003 on folders. Take the example here of the Human Resources folder and all of the subdirectories underneath it. This is sensitive data that we want to manage the permissions extremely carefully. The challenge with the CREATOR OWNER permission is that when a user creates a subfolder within a folder that contains this permission, the SID of that User is set to Full permissions on the new folder, even though we had given them only Modify permissions within the "Terminations" folder.




If we look at the security of the "DoneBYSSmith-CO-ON" folder, we can see that Windows Server 2003 has added an Access Control Entry for Sally Smith and given that user Full control.



This is not what we wanted, but Windows does it because the CREATOR OWNER permission was set at the parent folder as shown here.



What we need to do is remove the CREATOR OWNER at the top level folder where inheritance is turned off and then push it down to all of the child objects. The permissions should then look like this at the parent folder. When any user in the grp.Share.HumanResources.Modify group creates a folder, then they will not inherit full permissions, which is normally what we want. They will instead retain just the permissions granted by the group they belong to.



Beware the CREATOR OWNER SID.
Posted by at 1 comment:
Labels: , ,
Subscribe to: Posts (Atom)