Odd discrepancy in display of NTFS settings

[Guest Bryan L]

I have been using folder redirection in my domain for some time and recently

used article 288991 to ensure that I was following best practices for

securing the redirected folders. The domain controller and the server

hosting the redirected share are both running Server 2003, all clients are

XP Pro SP2. I want to grant Domain Admins, SYSTEM, and CREATOR OWNER full

access to redirected folders. This should ensure that users have exclusive

access to their folders with the exception that Domain Admins also have full

access. Share permissions are set to Everyone: Full Control.

 

The odd behavior is observed when I try to set/check the permissions for

CREATOR OWNER. Per the article, I have granted CREATOR OWNER Full Control

over the Redirected folder, but when I check the ACL on the Redirected

folder, all checkboxes for CREATOR OWNER are clear except for Special

Permissions. However, if I click Advanced, select CREATOR OWNER, and click

Edit to view the atomic permissions, CREATOR OWNER has Full Control -- every

single checkbox in the Allow column is selected. Also of possible note is

the fact that those permissions are being applied to Subfolders and Files

only. I once tried changing that to "This folder, subfolders and files" but

it had no effect on the permissions displayed for CREATOR OWNER on the

Security tab - they still show all checkboxes empty except for Special

Permissions.

 

I checked the ACL on specific users' subfolders and files under the

Redirected folder, and found the same discrepancy in how the ACL is

presented on the Security tab vs. the atomic permisions displayed under

Advanced. (The only difference was that the list of Allow checkboxes under

Advanced were greyed out, indicating they they were indeed inherited from an

upper-level parent.)

 

My question is, should I be concerned? I followed exactly the same

procedures when setting permissions for System and Domain Admins, and they

display as expected on the Security tab - only the CREATOR OWNER is acting

like this. It's been a couple of weeks now since I did this, but iirc, users

weren't getting the access they were supposed to have, so I had to add each

user to the ACL of their folder and grant them Full Control (but I can't

remember for sure). Should I test what happens if I remove myself from the

ACL of my own user folder, and see if the inherited CREATOR OWNER ACE is

still granting me full control, and my user experience with my redirected

folders is normal?

 

All thoughts appreciated -- thanks in advance.

 

Bryan