Beware of the 'Creator Owner' Security Object

I had a situation come up this week where a user was able to change the security on a file that they had created. This type of action was not desirable, and I was having a hard time tracking down how it was happening. It turned out to be the following: the user had Modify permissions for the folder and subfolders, so they were free to create and delete files. However, the CREATOR OWNER permission was also on the folder and was set to FULL CONTROL. Thus, when the user created a new file, they were the owner. As such, they were then given the ability to change the permissions. So the gotcha is: be careful how the CREATOR OWNER permission is used, and keep a watchful eye on curious users.
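
To find where this configuration exists, the following PowerShell audit lists every folder under a share whose ACL allows CREATOR OWNER to change permissions or take ownership. It is an added example, not part of the original post; the function name `Find-CreatorOwnerAce` and the path `D:\Shares\Projects` are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: list folders where CREATOR OWNER is allowed to rewrite permissions.
# Find-CreatorOwnerAce and the share path at the bottom are hypothetical names.
# Assumes PowerShell 3.0 or later (Get-Acl -LiteralPath, [pscustomobject]).
function Find-CreatorOwnerAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sidType      = [System.Security.Principal.SecurityIdentifier]
    $creatorOwner = 'S-1-3-0'        # well-known SID, independent of OS language
    # WRITE_DAC (0x40000) | WRITE_OWNER (0x80000) | GENERIC_ALL (0x10000000).
    # Inherit-only CREATOR OWNER entries are often stored as GENERIC_ALL, which
    # Get-Acl shows as the bare number 268435456 rather than "FullControl".
    $riskyMask    = 0x40000 -bor 0x80000 -bor 0x10000000

    # The root folder itself plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            try { $sid = $ace.IdentityReference.Translate($sidType).Value }
            catch { continue }       # orphaned or unresolvable account
            if ($sid -ne $creatorOwner) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $riskyMask) -eq 0) { continue }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

Find-CreatorOwnerAce -Path 'D:\Shares\Projects' |
    Sort-Object Inherited, Folder |
    Format-Table Folder, Rights, Inherited, AppliesTo -AutoSize
```

Rows with `Inherited` set to `False` are the folders where the entry was set explicitly, so those are the ACLs to review first.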
