This article is about the NTFS permission Creator Owner.
First you will find a short introduction to NTFS permissions and a description of the Creator Owner permission.
Learn about the possible risks of changing a user's permissions and how you can avoid them.
What are Creator Owner Groups Used For?
The CREATOR OWNER permission serves as a template. When a user creates subdirectories or files in any folder you allow him to access, he receives on that new object the same permissions that the CREATOR OWNER group holds on the “parent folder” (the directory above it).
Let’s take the folder “Accounting”. It serves as a network share. The first screenshot below shows its Access Control List (ACL). Note the CREATOR OWNER permissions and the permissions of “Test-Group01” (screenshots 2 and 3).
In the second screenshot you can see the CREATOR OWNER group has full access to the accounting folder.
In our Test-Group01 there is a user from our domain DC01 called “Max Mustermann”. All users that are members of the group “Test-Group01” have special permissions on that folder. If Max Mustermann creates a new folder in the Accounting folder, he receives the CREATOR OWNER permissions on that folder and, as its owner, full access to that new subdirectory (screenshots 4 and 5).
This is normal behaviour and the default Microsoft ships with NTFS. But it can also have disadvantages in larger company networks.
Let’s look at the example above and imagine we are in a company with 20,000+ users. Now Max Mustermann creates a subfolder “sensitive data” below the Accounting folder. He automatically receives the CREATOR OWNER permissions on the new subfolder, which means he becomes its owner and has full access to all the data in “sensitive data”.
Now imagine Max Mustermann moves to a new position in the company and loses the permission to access the data in the Accounting folder: his read access to that folder is removed. But he can still read “sensitive data”, because he keeps the permissions he received as creator and owner of that subfolder. This can lead to unauthorized access and security issues, because the usual group rules do not apply here.
If you do not change this, traceability and transparency are easily lost.
Solution for CREATOR OWNER Settings
The problem is easy to solve.
Simply remove the CREATOR OWNER permissions from the share.
This way only the general rules apply to the new subfolder “sensitive data”. Users only get the inherited permissions on new subfolders or files, not the additional permissions from the CREATOR OWNER template. The best part of this solution is that it is easy to implement, because there are no further consequences.
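An added PowerShell example, not code from the original article, that audits a share root and all of its subfolders for explicit CREATOR OWNER entries, reports them together with each folder's current owner, and removes them only when run with -Remove. The share path D:\Shares\Accounting is an assumption.

```powershell
# Added example: find (and optionally remove) CREATOR OWNER entries on a
# share so that new subfolders only receive the generally inherited ACEs.
param(
    [string]$ShareRoot = 'D:\Shares\Accounting',  # assumed share path
    [switch]$Remove                                # default: report only
)

# CREATOR OWNER is the well-known SID S-1-3-0; comparing by SID works
# regardless of the display language of the account name.
$creatorOwnerSid = 'S-1-3-0'

# Walk the root and every subfolder: an inheritable template entry may
# already have been propagated down the tree.
$folders = @(Get-Item -LiteralPath $ShareRoot) +
           @(Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse)

foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName

    # Only explicit (non-inherited) entries can be removed on this object;
    # inherited copies disappear once the parent's entry is gone.
    $hits = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $creatorOwnerSid
    }
    if (-not $hits) { continue }

    foreach ($ace in $hits) {
        # Report rights, scope and the current owner of the folder so an
        # administrator can see who would keep access via ownership.
        '{0}: CREATOR OWNER {1} {2} (inheritance: {3}; owner: {4})' -f
            $folder.FullName, $ace.AccessControlType, $ace.FileSystemRights,
            $ace.InheritanceFlags, $acl.Owner
        if ($Remove) { [void]$acl.RemoveAccessRule($ace) }
    }

    # Write the modified ACL back only in -Remove mode.
    if ($Remove) { Set-Acl -LiteralPath $folder.FullName -AclObject $acl }
}
```

Run it first without -Remove to review the report; Set-Acl needs an account with the right to change the folders' permissions.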