diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
index ac540a0a72825356a095b9b68d58b5d019a705cb..edd396bb76c551e1d976aba97130abe2bb7d17de 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
@@ -102,6 +102,7 @@ import com.unboundid.ldap.sdk.SearchResult;
 import com.unboundid.ldap.sdk.SearchResultEntry;
 import com.unboundid.ldap.sdk.SearchScope;
 import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;
+import java.util.logging.Level;
 
 public class LdapGroupDAO<T extends Principal> extends LdapDAO
 {
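Review bot: The added `import java.util.logging.Level;` is not referenced by any line visible in this diff, and it sits after the third-party `com.unboundid` imports rather than with the other `java.*` imports. If nothing else in the file uses `Level`, drop the import. If it was meant for logging the LDAP failure in the new owner check, that code currently calls `e.printStackTrace()` instead, so the import and the error handling do not match.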
@@ -150,6 +151,22 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
             throw new IllegalArgumentException("Group owner must be specified");
         }
         
+        try
+        {
+            User<X500Principal> subjectUser = 
+                    userPersist.getMember(getSubjectDN());
+            if (!subjectUser.equals(group.getOwner()))
+            {
+                throw new AccessControlException("Group owner must be group " + 
+                                                 " creator");
+            }
+        }
+        catch (LDAPException e)
+        {
+            e.printStackTrace();
+            throw new RuntimeException(e);
+        }
+        
         try
         {
             getGroup(group.getID());
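Review bot: The new owner check dereferences `subjectUser` without a null test, so if `userPersist.getMember(getSubjectDN())` can return null for a caller with no directory entry (not visible here), the request fails with a NullPointerException instead of the intended AccessControlException; `if (subjectUser == null || !subjectUser.equals(group.getOwner()))` keeps the denial explicit. The check also relies on `User.equals` comparing principal identity, which is defined outside this hunk and is worth confirming, since this comparison is the authorization decision. In the catch block, `e.printStackTrace();` can be removed because the cause is already carried by `throw new RuntimeException(e);`. The message literal `"Group owner must be group " + " creator"` concatenates with a double space and could be the single literal `"Group owner must be group creator"`. The enclosing method starts and ends outside the hunk.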