0

I see folders with an owner of "OWNER CREATOR" and group of "DOMAIN\Domain Users". When I copy these files, the ownership is being transferred to me. That is not the behavior I want.

However, what does it mean for a folder to have an owner of "OWNER CREATOR"? This seems odd. I also noticed that this is not supported consistently between my local file-system versus various network file-systems. For example, NetApp seems to support this type of ownership but Isilon does not. Copying files to Isilon is causing problems.

RobertB

3 Answers

0

EVERY object in a Windows system (be it a file, a folder, a process, ...) has both a security descriptor AND a current owner. The latter may be a group (e.g. "Administrators") or a single-user account.

A common security setting for both directories and printer queues is: "Users - Read/Write (or: Print), Owners-Creators: Full Access".

Does that mean that the current owner of a specific directory has "Full Access"? No, not necessarily. BTW: In W2k8/WV there are "Owner Rights", but that is another topic!

Now: Does that mean that a user who stores a new file in such a directory has "Full Control" over this file, despite the fact that he was given "Read/Write"? YES!!!

And why is that? "Read/Write" is for current (i.e. existing) files / directories only! For NEW files, THAT SPECIFIC user is now the Owner/Creator, who can determine which other users may (or may not) access this file, and to what extent.

To preserve permissions when files and folders are copied or moved, use the Xcopy.exe utility with the /O or the /X switch.

Berlin
  • Yes, it makes sense to me if I'm granting permissions to Owner Creator. However, what does it mean if "Owner Creator" **is** the owner? It seems to me that this implies that there is no owner. – RobertB May 10 '17 at 22:36
  • I think you mean "Creator Owner". It doesn't actually own the resource; whoever created it is the owner. Think of creator owner like a sticky bit in Linux. When new files or subfolders are created, the Creator Owner thing acts as a template for setting the permissions for the person who created the resource. At least that's my understanding. – pgoetz Nov 03 '21 at 15:05
0

The permissions support tied to a file is dependent on the file system that you have formatted your storage with. When copying files between two different file systems, the host system you use may be significant. You did not specify what file system your network storage was using, but that would help to give better answers.

NTFS

NTFS uses Owners, and ACLs with sub entries for other users. You can have several users or groups that have any combination of permissions to a file.

https://technet.microsoft.com/en-us/library/2005.11.howitworksntfs.aspx

EXT3, EXT4, etc.

Most Linux/Unix built file systems are built around one user (Owner), one group, and everyone else (other).

Cory Knutson
  • Local: NTFS; NetApp: Mixed with NTFS ACLs; Isilon: OneFS (multiprotocol) with NTFS ACLs. If the source is from anywhere to anywhere else, it will change the owner from OWNER CREATOR to an actual SID. With the exception of OneFS - it can't be the source of such a folder since I cannot create a folder with "OWNER CREATOR" as the owner in the first place. – RobertB May 10 '17 at 22:34
0

In case people are wondering, after research with Microsoft, the following is the best I can explain what is going on.

CREATOR OWNER is a group. It has a SID. Thus, it can be assigned as an Owner of a File or Folder.

CREATOR OWNER has special meaning when used in an Access Control Entry (ACE). In that context, its permissions apply to the SID of the Owner and not to the CREATOR OWNER SID itself.

It has no special meaning when used as an Owner. So in that context, it is just a SID for a group with no members.

If you assign CREATOR OWNER as the Owner, you are doing something that is allowed, but is not very useful. In this case, any CREATOR OWNER permissions from ACEs will apply to the CREATOR OWNER SID. Since this SID is a group with no members, the CREATOR OWNER privileges never apply.

If CREATOR OWNER is the Owner and there are no CREATOR OWNER privileges, this is the same as if the file were owned by any other member-less group.

RobertB
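The behaviour the answers describe, as an added Python sketch (not code from the thread and not the Windows API): a simplified model of how an inheritable CREATOR OWNER ACE is rewritten for a new child, and of the last answer's case where the owner is the CREATOR OWNER SID itself. The `Ace` class, the `inherit`, `granted` and `demo` functions and Alice's SID are constructed for illustration; only allow ACEs are modelled.

```python
# Added example: simplified model of Windows ACE inheritance, not the Win32 API.
from dataclasses import dataclass

CREATOR_OWNER = "S-1-3-0"   # well-known SID of CREATOR OWNER
USERS = "S-1-5-32-545"      # well-known SID of BUILTIN\Users
ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # constructed user SID


@dataclass(frozen=True)
class Ace:
    trustee: str                # SID the allow ACE names
    rights: str                 # coarse label, e.g. "Modify"
    inheritable: bool = False   # copied to new children (OI/CI collapsed into one flag)
    inherit_only: bool = False  # ignored when checking access to the holder itself


def inherit(parent_dacl, child_owner, child_is_container):
    """Build the inherited DACL of a new child from the parent's inheritable ACEs."""
    child = []
    for ace in parent_dacl:
        if not ace.inheritable:
            continue
        if ace.trustee == CREATOR_OWNER:
            # Effective copy: the placeholder is replaced by the child's owner SID.
            child.append(Ace(child_owner, ace.rights))
            if child_is_container:
                # Folders also keep the placeholder, inherit-only, for their own children.
                child.append(Ace(CREATOR_OWNER, ace.rights, True, True))
        else:
            child.append(Ace(ace.trustee, ace.rights, child_is_container))
    return child


def granted(dacl, token_sids):
    """Rights from effective ACEs whose trustee appears in the caller's token."""
    return {a.rights for a in dacl if not a.inherit_only and a.trustee in token_sids}


def demo():
    # Constructed parent folder: Users get Modify, CREATOR OWNER gets FullControl.
    parent = [Ace(USERS, "Modify", True), Ace(CREATOR_OWNER, "FullControl", True, True)]
    token = {ALICE, USERS}      # constructed token: Alice, member of Users
    # Case 1: Alice creates a file, so she is its owner.
    as_creator = granted(inherit(parent, ALICE, False), token)
    # Case 2 (last answer): owner is the literal CREATOR OWNER SID, which no token holds.
    as_placeholder = granted(inherit(parent, CREATOR_OWNER, True), token)
    return as_creator, as_placeholder


if __name__ == "__main__":
    print(demo())
```

In case 1 the creator ends up with both the Users grant and the CREATOR OWNER grant; in case 2 the CREATOR OWNER grant lands on a SID that matches no caller, so only the Users grant applies.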