"CREATOR OWNER" NTFS group always has special permissions in Windows
I was working on setting up a network share (see below story) and I ran into some odd behavior with NTFS permissions. The "CREATOR OWNER" object seems to only be able to list "Special" permissions in the "Security tab". No matter what I do, the system reverts back to this setting. Is there a way to get the "CREATOR OWNER" entry to list anything other than Special in the security tab? It would make checking for permission mistakes so much easier since I wouldn't have to dive into the Advanced Tab to see what permissions I set for this group. This is on a Windows 7 client connecting to a Windows Server 2008 share.
Bonus Question:
I also would like to know why the "CREATOR OWNER" group can't apply permissions to "This folder". This seems like a weird quirk of this group that must have a story behind why it was set up this way.
I did some searching and found the "How Permissions Work" TechNet article. I browsed through looking for information on the "OWNER" permission and only found some information on how that permission works.
[Background Story]
So I have a network share where users will create a folder to store their work on a particular project. Files in each user's folder are private due to the parameters given to me by the project managers. On top of that parameter, the users of this folder will change constantly through the year, some for only a few days. So to make the administrative overhead as low as possible, I set up the permissions as follows:
- Users Group - Allow - List folder contents
- Users Group - Allow - Write
- CREATOR OWNER - Allow - Modify
I set the permissions, hit OK, and everything works. Later, when I come back to add the content manager group to the Security tab I notice something odd. The "CREATOR OWNER" entry has switched from Modify to Special. I go into Advanced permissions and I notice that the "CREATOR OWNER" only applies to "Subfolders and files only". I then try to reset the "Apply To" drop down to "This folder, subfolders, and files" but it switches back as soon as I hit "Apply".
Thanks
Solution 1:
CREATOR OWNER access control entries should always be inherit-only, because it doesn't make sense for them to apply to any actual object. When using recent versions of Windows with the modern API, all CREATOR OWNER entries are automatically marked inherit-only.
In the advanced GUI, the inherit-only flag translates as "Subfolders and files only". Changing it to "This folder, subfolders and files" would have the effect of clearing the inherit-only flag, which can't be done for CREATOR OWNER. The basic GUI should probably not be showing this as Special, but I guess MS didn't think of this special case.
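The inherit-only flag described in Solution 1 can be checked without opening the Advanced dialog by decoding the folder's SDDL string, where the flag appears as `IO` next to `OI`/`CI`. The Python below is an added example, not part of the original answers; the function names and both SDDL strings are constructed for illustration, and only a few rights masks are given friendly names (others are shown as raw masks).

```python
import re

SIDS = {"CO": "CREATOR OWNER", "S-1-3-0": "CREATOR OWNER", "BU": "Users", "BA": "Administrators"}
RIGHTS = {"FA": "Full control", "0X1301BF": "Modify", "0X1200A9": "Read & execute"}
# ace_flags combination -> wording of the "Apply to" drop-down in the Advanced dialog
APPLIES_TO = {
    frozenset(): "This folder only",
    frozenset({"CI"}): "This folder and subfolders",
    frozenset({"OI"}): "This folder and files",
    frozenset({"OI", "CI"}): "This folder, subfolders and files",
    frozenset({"CI", "IO"}): "Subfolders only",
    frozenset({"OI", "IO"}): "Files only",
    frozenset({"OI", "CI", "IO"}): "Subfolders and files only",
}

def parse_dacl(sddl):
    """Decode each ACE of the DACL (the part after 'D:') into a dict."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _guid, _inherit_guid, sid = body.split(";")[:6]
        flag_set = set(re.findall("..", flags))  # flags are two-letter tokens
        scope = frozenset(flag_set & {"OI", "CI", "IO"})
        aces.append({
            "who": SIDS.get(sid, sid),
            "type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
            "rights": RIGHTS.get(rights.upper(), rights),
            "applies_to": APPLIES_TO.get(scope, "unusual flags: " + flags),
            "inherit_only": "IO" in flag_set,
            "inherited": "ID" in flag_set,
        })
    return aces

def creator_owner_report(sddl):
    """Return (summary lines for CREATOR OWNER ACEs, those that are not inherit-only)."""
    mine = [a for a in parse_dacl(sddl) if a["who"] == "CREATOR OWNER"]
    lines = ["{type} {rights} -> {applies_to}".format(**a) for a in mine]
    return lines, [a for a in mine if not a["inherit_only"]]

# Constructed SDDL for a folder set up like the share in the question.
SAMPLE = "O:BAG:DUD:AI(A;CI;0x1200a9;;;BU)(A;OICI;0x100116;;;BU)(A;OICIIO;0x1301bf;;;CO)"
# Constructed: the same CREATOR OWNER ACE as a tool that left IO clear would write it.
LEGACY = "D:(A;OICI;0x1301bf;;;CO)"

if __name__ == "__main__":
    for sddl in (SAMPLE, LEGACY):
        lines, not_io = creator_owner_report(sddl)
        print(lines, "| not inherit-only:", len(not_io))
```

On Windows, `(Get-Acl <folder>).Sddl` in PowerShell yields the string to pass to `creator_owner_report`.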
Solution 2:
CREATOR OWNER is primarily for dynamic permissioning as people create stuff in a folder that they have conventional rights to, rather than lazy permissioning. If you think of it in this way, the concept might make more sense.