Tuesday, 27 October 2009

Owner Rights Restrictions

W2K8 adds a new well-known SID - OWNER RIGHTS (S-1-3-4).
By default the owner of an object implicitly holds READ_CONTROL and WRITE_DAC (Read Permissions and Change Permissions) whatever the DACL says, which is how an owner can always rewrite the DACL of a file or AD object. When the DACL contains an ACE for OWNER RIGHTS, that ACE replaces the implicit owner rights: the owner gets exactly what the ACE grants and nothing more. (Don't confuse this with CREATOR OWNER, S-1-3-0, which is a placeholder in inheritable ACEs that is swapped for the creator's SID when a child is created; it does not by itself grant the implicit owner rights.)

This is useful in an AD delegation model where you want a group to be able to create but not delete objects. Under the old model the creator becomes the owner, so even with no Delete permission in the DACL they could use WRITE_DAC to grant themselves Delete and then remove the objects they created. An OWNER RIGHTS ACE that grants only Read Permissions closes that door, as long as the group is not also given Delete or Delete Child through the OU's own ACL.

Owner rights will only work in AD when all DCs are running W2K8. A down-level DC ignores the OWNER RIGHTS ACE and falls back to the implicit owner rights, so until the last W2K3 DC is gone the restriction can be bypassed simply by binding to that DC.
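As an added example of the delegation described above (not from the original post), the PowerShell below checks that every DC is at least W2K8, delegates "Create Computer objects" on an OU to a group, and adds an inherit-only OWNER RIGHTS ACE on that OU so the creator of each new computer object is left with Read Permissions only. The OU DN and group name are assumed; it needs the ActiveDirectory module (W2K8 R2 RSAT or later) for the AD: drive.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory module
# is available and that the caller can modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDn  = "OU=Workstations,DC=corp,DC=example"   # assumed OU
$group = "CORP\Workstation-Creators"            # assumed delegated group

# schemaIDGUID of the 'computer' class, used as the object type of the CreateChild ACE
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

# Down-level DCs ignore OWNER RIGHTS ACEs, so refuse to continue if any W2K3 DC remains.
$oldDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -notmatch "2008|2012|2016|2019|2022" }
if ($oldDcs) {
    throw "OWNER RIGHTS is ignored by down-level DCs: $($oldDcs.HostName -join ', ')"
}

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Let the group create computer objects in this OU and any child OU.
$groupSid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$createAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($createAce)

# 2. OWNER RIGHTS (S-1-3-4) ACE, inherited by descendants only: on every object created
#    under the OU, the owner's implicit READ_CONTROL|WRITE_DAC is replaced by ReadControl,
#    so the creator cannot edit the DACL to grant themselves Delete.
$ownerRightsSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-3-4")
$ownerRightsAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $ownerRightsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadControl,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
$acl.AddAccessRule($ownerRightsAce)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Verify: list the ACEs that now apply to OWNER RIGHTS on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq "S-1-3-4"
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
```

After this, a member of the group can create a computer object, and the object's DACL inherits the OWNER RIGHTS ACE, so `Get-Acl` on the new object shows the creator as owner but with only ReadControl. Check the rest of the OU's ACL as well: an inherited Delete or Delete Child ACE for the group would still let them remove objects regardless of ownership.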

See this link for a good description of how to use Owner Rights:
