
Owner on newly created files and folders defaults to built-in\Administrators

thywyn222
9,305 Views

I'm trying to set up permissions for a CIFS share and we are on ONTAP 9.1p7. It seems every CIFS share I create defaults to a behavior where all files and folders created by any user are owned by the local user group "built-in\Administrators". I would like newly created files/folders to be owned by the creator.

 

Google is not being helpful. The only thing found was a reference to a 2008R2 and below GPO, but that was deprecated in 2012 and it looks like ONTAP doesn't support it anyway.

1 ACCEPTED SOLUTION

ManpreetS
9,078 Views

This is expected behaviour. Whenever you create a file/folder using a user who is a member of the Domain Admins group, the owner of the file/folder will be Domain Admins. Now, as Domain Admins is a part of BUILTIN\Administrators on storage, we are mapping it to BUILTIN\Administrators.

This can be verified using the command below:

::>cifs users-and-groups local-group show-members -vserver <vserver-name> -group-name BUILTIN\Administrators

If you would like to create a file/folder with the owner as the creator, then make sure that the user is NOT a member of the Domain Admins group.

FYI: Members of the Domain Admins group can take/change ownership of any file/folder.

This is Microsoft client behaviour.

You can refer to the links below:

https://blogs.technet.microsoft.com/sfu/2010/05/26/how-to-change-the-default-ownership-of-a-newly-created-file-on-windows/

https://support.microsoft.com/en-us/help/947721/a-group-policy-setting-is-not-available-in-the-security-policy-setting
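
A client-side check of the behaviour described in the accepted answer, as an added example that is not part of the original post: it reports whether the current logon carries Domain Admins and who owns a scratch file created on the share. The `$SharePath` parameter and the probe file name are placeholders chosen for this example.

```powershell
# Added example; $SharePath is a placeholder for your own CIFS share.
param([string]$SharePath = '\\<cifs-server>\<share>')

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# whoami lists every group in the logon, including ones UAC marks deny-only.
# /nh plus explicit headers avoids depending on localized column names.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, Sid, Attributes

# Domain Admins is always <domain SID>-512.
$domainAdmins = $groups |
    Where-Object { $_.Sid -match '^S-1-5-21-(\d+-){3}512$' }

# Create a scratch file on the share and read back the owner the server assigned.
$probe = Join-Path $SharePath ("owner-probe-{0}.tmp" -f [guid]::NewGuid())
New-Item -Path $probe -ItemType File | Out-Null
try {
    $ownerSid = (Get-Acl -LiteralPath $probe).GetOwner(
        [System.Security.Principal.SecurityIdentifier])
} finally {
    Remove-Item -LiteralPath $probe -Force
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# One summary object: group membership next to the resulting owner.
[pscustomobject]@{
    User               = $me.Name
    InDomainAdmins     = [bool]$domainAdmins
    OwnerSid           = $ownerSid.Value
    OwnedByAdminsGroup = $ownerSid.Value -eq $AdminsSid
    OwnedByCreator     = $ownerSid.Equals($me.User)
}
```

Run it once as the affected user and once as a user outside Domain Admins to compare the `OwnedByAdminsGroup` and `OwnedByCreator` columns.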

