dmitrig
Posts: 59
07/16/2008 8:32 PM
This is a single concept. The actual creator SID is not retained in the SD, so this actually refers to the current owner. Now, in most cases owner does not change after object creation, which is why (I think) they called it Creator/Owner. Maybe calling it just Owner was considered too confusing.
It's a really weird SID. As far as I can see, it is *not* used in AccessChecks (as SELF is). But it is used in ACL inheritance. Here's what's going on. I am using LDP here.
Case 1. Add non-inheritable Creator/Owner ACE to an SD, and apply it. Creator/Owner ACE disappears, and it is replaced by the corresponding ACE which is granted to the current owner of the object. Changing the owner does not change this ACE.
Case 2. Add an inheritable Creator/Owner ACE to an SD, and apply it. The ACE is replaced with two ACEs: explicit ACE1 granted to the current owner, and inherit-only ACE2, granted to Creator/Owner. Again, changing owner does not affect the ACE1.
Case 3. Same setup as in case 2, but look at a child object. It also has two ACEs: one inherited ACE1, granted to the current owner, and another inherit-only ACE2 granted to C/O. Now, in this specific case, changing the owner of the object actually affects ACE1: it gets updated with the new owner.
It's pretty confusing...
Dmitri
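As an added check (not part of the thread), the following PowerShell reproduces the inheritance cases above on NTFS rather than in AD: it places an inheritable CREATOR OWNER (S-1-3-0) ACE on a temporary folder, creates a child file and a child folder, and lists how each ACE was materialised, showing the raw SID so the S-1-3-0 placeholder is distinguishable from the concrete creator SID. The folder path and the Modify right are assumptions.

```powershell
# Added example, not from the thread: observe how an inheritable CREATOR OWNER
# ACE is materialised on NTFS children. Folder name and rights are assumptions.
$parent = Join-Path $env:TEMP ('co-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $parent | Out-Null

# CREATOR OWNER is the well-known SID S-1-3-0. Grant it Modify, inheritable by
# subfolders (ContainerInherit) and files (ObjectInherit), not inherit-only.
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $creatorOwner, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $parent
$acl.AddAccessRule($ace)
Set-Acl -Path $parent -AclObject $acl

# Children created after the ACE is applied inherit from the parent.
$childFile = Join-Path $parent 'child.txt'
$childDir  = Join-Path $parent 'subdir'
Set-Content -Path $childFile -Value 'constructed test file'
New-Item -ItemType Directory -Path $childDir | Out-Null

function Show-Aces {
    param([string]$Path)
    # One row per ACE, with the SID resolved so S-1-3-0 can be told apart
    # from the creator's own SID that the system substitutes on inheritance.
    (Get-Acl -Path $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Item        = Split-Path -Path $Path -Leaf
            Identity    = $_.IdentityReference.Value
            Sid         = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            Rights      = $_.FileSystemRights
            Inherited   = $_.IsInherited
            Inheritance = $_.InheritanceFlags
            Propagation = $_.PropagationFlags
        }
    }
}

# Parent: the S-1-3-0 entry as stored. File child: an inherited ACE for the
# creating account. Folder child: the creator's inherited ACE plus an
# inherit-only S-1-3-0 ACE carried forward for its own future children.
Show-Aces -Path $parent    | Format-Table -AutoSize
Show-Aces -Path $childFile | Format-Table -AutoSize
Show-Aces -Path $childDir  | Format-Table -AutoSize

Remove-Item -Path $parent -Recurse -Force
```

Run it as the account that will create the children; changing the owner of the children afterwards (the Case 3 observation) needs the take-ownership or restore privilege and is left out here.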
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dean Wells
Sent: Thursday, June 12, 2008 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Change an object's CREATOR
<drivel follows> It's not so often these days that an assumed-understood technology raises a question that is so radically new to me that it leaves me at a loss for words; this is one of them. I found myself about to think out-loud, I opened my mouth (assuming that words would follow 'cause they typically do) and yet nothing came out. Having then given this about 5 minutes more of thought, I've concluded that one of two things is likely true -
1. I never knew this ... or have forgotten it - same thing from my standpoint
2. CREATOR/OWNER is a single term / the two elements combined are used to represent a single concept </drivel>
For the moment though (and after a little more dev-related research), my current feeling is that it is indeed the latter. Perhaps Dan, you've inferred a distinction between the two because the wording sorta' implies that there is.
Of course, this could also be one of those 'buried-in-the-assumed-details' things that I think I understand and actually don't.
Consider though the 'CREATOR/OWNER' security-principal whose commonplace definition is this -
S-1-3-0 - Creator Owner A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.
To me, if the formal SID resolves to both words (and there's only one like this that I know of), that also lends some weight to my current conclusion.
Deano
--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme
Sent: Thursday, June 12, 2008 8:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Change an object's CREATOR
I'm curious (specifically for NTFS objects) whether you can change the *CREATOR* (not the "owner") - the identity that inherits the permissions assigned to the "CREATOR OWNER" special identity.
This is for obvious reasons: when ownership of the file changes, I want to reassign that user's permissions to the new owner.
I'm NOT interested in "Owner Rights" here - I know that solves the problem - I'm wondering about pre 2008 servers.
THANKS IN ADVANCE!!
Dan
Dan Holme
dan.holme@intelliem.com
www.intelliem.com
Phone: 415.670.9360 (finds me)
Land: 808.573.0726
Mobile: 602.295.1692