NT Gatekeeper: Understand the Creator Owner Account

Get answers to your security-related NT questions

\[Editor's Note: Do you have a security-related question about Windows NT 4.0? Send it to [email protected], and you might see the answer in this column!\]

I observed some strange access control behavior while setting up ACLs. I have permission to create subfolders and files in the Routers folder, whose ACL Figure 1 shows. In Routers, I created a subfolder called 4000, whose ACL Figure 2 shows. Then, in 4000, I created a file called specifications.txt, whose ACL Figure 3 shows. Why does my account, MCapellas, have a Special Access (All)* (Not Specified) access control entry (ACE) in the subfolder's ACL? What does the asterisk in this ACE mean? Why is the Creator Owner ACE in the file's ACL gone?

The Creator Owner ACE is the key to answering your question. The Creator Owner account isn't a real account but rather a flag that the Windows NT 4.0 security system uses in a folder's ACL to build the ACLs of files and subfolders that users create in this folder. NT assigns the permissions that you assign to a folder's Creator Owner account to all accounts that create a new subfolder or file in that folder. Let's look more closely at how ACE inheritance works between parent and child objects.

Figures 1, 2, and 3 illustrate the Creator Owner account's role in building ACLs. Creator Owner has Full Control of the Routers folder and all folders and files in Routers, as Figure 1 shows. Remember that an object gets its initial ACL by inheriting a copy of its parent's ACL. NT's default ACL editor shows two sets of permissions next to each object. The first set—for example, the first (All) in Figure 1—applies to the object and its subfolders. The second set—for example, the second (All) in Figure 1—applies to newly created files that the folder contains.

Figure 2 shows the ACEs that NT sets when MCapellas creates a subfolder named 4000 in the Routers folder. The 4000 folder inherited Routers's ACL. Additionally, NT added an ACE for the folder's creator (i.e., Creator Owner), MCapellas. To build the ACE for MCapellas, NT used the parent folder's (i.e., Routers's) Creator Owner ACE.

The asterisk in 4000's MCapellas ACE means that new folders created in 4000 won't inherit the MCapellas Creator Owner ACE. The (Not Specified) portion of the ACE means that this ACE applies only to the folder object and not to any files or folders in it. This behavior is logical: The fact that, on the 4000 folder, MCapellas has an ACE that's equivalent to the Creator Owner ACE doesn't mean that he should have a similar ACE on any new folder or file created in 4000—certainly not when other accounts create such objects.

When MCapellas creates a new file in 4000, NT assigns MCapellas Full Control (All)—the equivalent of Creator Owner—permissions on the file, as Figure 3 shows. Note that because files aren't parent objects, the Creator Owner ACE doesn't appear in the file's ACL. When another user creates a file in 4000, NT will assign that user—not MCapellas—the Full Control (All) permission.

I've discussed only a particular aspect of ACLs and ACEs. For information about file and directory permissions, permission inheritance, and more, see Paula Sharick, "Securing Shared Resources," March 2001.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.