AD question for any AD gurus out there
We've come up against this at a customer site: Filr was unable to display the Net Folders properly for a certain group of users. Working with Novell, we figured out that the folders in that specific folder structure were assigned a GROUP as Owner; once we changed the ownership to a user and re-synched, Filr worked fine!
In my 20 years of working in the NetWare & OES universe, I have never come across a customer who has assigned file or folder ownership to a group, nor have I ever seen the need to. As per Microsoft's documentation, it is not the default behaviour:
By default, a new object's owner is the security principal identified as the default owner in the access token attached to the creating process. When an object is created, the SID stored in the access token's Owner field is copied to the security descriptor's Owner field. The default owner is normally an individual—the user who is currently logged on. The only exceptions occur when the user is a member of either the Administrators group or the Domain Admins group. In both cases, the Owner field in the user's access token contains the SID for the group, not the SID for the individual user account. The assumption is that administrative accounts are used only to administer the system and not for any individual purpose. As a result, objects created by one administrator can be managed by other administrators in the same group.
So my question: is this customer just doing something that is not recommended, that is against best practices? Is this a common practice in the AD/NTFS world?
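To put a number on how common this is at a given site, the check below walks a share, resolves each folder's owner SID and reports whether the owner is a user, a group, or a well-known/unresolvable SID, with an opt-in switch to reassign group-owned folders to a user before re-syncing. This is an added example, not code from the original post, from Novell or from Microsoft. The share path \\fileserver\data and the account CONTOSO\svc_filr are placeholder assumptions; the script assumes it runs on a domain-joined Windows host as an account that can read the folders' security descriptors (and, for the fix, an elevated administrator).

```powershell
# Added example, not part of the original post.
# Lists every folder under $Root whose NTFS owner is a group rather than a user,
# and (with -Fix) reassigns ownership to a named user so a re-sync can be tested.
# Assumed placeholders: \\fileserver\data and CONTOSO\svc_filr. Runs without the
# RSAT ActiveDirectory module; domain SIDs are resolved through serverless LDAP
# binding, which needs a domain-joined host.

param(
    [string]$Root     = '\\fileserver\data',   # assumed share to audit
    [string]$NewOwner = 'CONTOSO\svc_filr',    # assumed replacement owner
    [switch]$Fix                               # actually rewrite ownership
)

function Get-OwnerKind {
    param([System.Security.Principal.SecurityIdentifier]$Sid)

    # BUILTIN\Administrators (S-1-5-32-544) is a local group that does not exist in
    # AD, so test for it directly. It is the group owner Microsoft's text describes
    # for objects created by members of the Administrators group.
    if ($Sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)) {
        return 'group'
    }
    # Other non-account SIDs (NT AUTHORITY\SYSTEM, TrustedInstaller, ...) are neither
    # a user nor an AD group; report them separately instead of guessing.
    if (-not $Sid.IsAccountSid()) { return 'well-known' }

    # Resolve a domain SID to its AD object and read objectClass.
    try {
        $obj = [ADSI]"LDAP://<SID=$($Sid.Value)>"
        $classes = @($obj.Properties['objectClass'])
        if ($classes -contains 'group') { return 'group' }
        if ($classes -contains 'user')  { return 'user' }
        return 'other'
    } catch {
        # Orphaned SID from a deleted principal, a local account on the file
        # server, or no domain controller reachable.
        return 'unresolved'
    }
}

function Get-FolderOwnerReport {
    param([string]$Path)

    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            # Ask for the owner as a SID rather than a name, so folders whose owner
            # no longer resolves to an account do not break the translation.
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{
                Path  = $_.FullName
                Owner = $acl.Owner      # friendly name, or the raw SID if unresolvable
                Sid   = $sid.Value
                Kind  = Get-OwnerKind -Sid $sid
            }
        }
}

$report = Get-FolderOwnerReport -Path $Root

# Summary: how many folders fall into each owner category.
$report | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize

$groupOwned = $report | Where-Object Kind -eq 'group'
$groupOwned | Format-Table Path, Owner, Sid -AutoSize

if ($Fix) {
    $newOwnerAccount = New-Object System.Security.Principal.NTAccount($NewOwner)
    foreach ($entry in $groupOwned) {
        $acl = Get-Acl -Path $entry.Path
        $acl.SetOwner($newOwnerAccount)
        # Assigning ownership to a principal other than yourself needs
        # SeRestorePrivilege, i.e. an elevated administrator session.
        Set-Acl -Path $entry.Path -AclObject $acl
        Write-Host "Owner of $($entry.Path) changed from $($entry.Owner) to $NewOwner"
    }
}
```

Run it read-only first and look at the summary: folders owned by BUILTIN\Administrators will show up as group-owned too, because, as the quoted Microsoft text explains, anything created from an administrative token gets the Administrators group as owner rather than the individual. That is worth knowing before concluding the customer did something unusual: a site where admins create the folder tree by hand will have group-owned folders without anyone ever assigning ownership deliberately. Only run with -Fix after agreeing the replacement owner with the customer, since ownership also grants the implicit right to change the DACL.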