Controlling Ownership in Windows
Learn the exact meaning of ownership in the Windows OS authorization model.
April 26, 2008
Q: What is the exact meaning of ownership in the Windows OS? How can I control the ownership of Windows resources on my Windows XP and Windows Server 2003 systems?
A: At the center of the Windows authorization model sits the notion of Discretionary Access Control (DAC). DAC builds on object owners and object ownership and owes its name to the fact that it allows the owner of a Windows object-- such as a file, folder, registry key, or Active Directory (AD) object--to set permissions on that object at his/her proper discretion. This means that it is the object owner who ultimately controls which users can access the object. In Windows, the user who creates an object automatically becomes the owner of anything he or she creates.
Windows ownership is a very powerful concept. The owner owes his powers to the fact that Windows implicitly grants an object owner the read permissions and change permissions on the object. This means that the owner is always allowed to access the object, regardless of what the Access Control List (ACL) of the object says. Even if the ACL of an object includes an explicit deny Access Control Entry (ACE) for the owner’s user account, the owner can still access the object: He or she can get to the object’s ACL and override or simply remove the deny ACE. It is important to stress that the OS grants the above permissions implicitly: They do not show up in the ACL of the object. If you do detect explicit ACEs for the object owner in the ACL of an object, these are not related to the implicit owner permissions for an object, but to another mechanism, called ownership inheritance, which is used to set explicit ownership-related permissions on the parent object level (e.g., a folder or AD organizational unit--OU). Even though ownership is a powerful thing, the Windows ownership model is a bit crippled: This is because Windows doesn't implement a pure DAC model. Besides object owners, Windows also allows other accounts to control the permissions on Windows objects--the almighty Windows administrator accounts. These include the members of the local Administrators group, and the domain-level Domain Admins and Enterprise Admins groups, and also the Local System account. Windows typically assigns ownership to the user account of the object creator. If you create a new Word document for example, your user account will become the owner of the document. The owner of an object is represented by the owner’s user account SID in the object’s security descriptor. An object’s security descriptor is the Windows construct that holds an object’s access control and auditing settings, which also include the object’s ACL. You can find out the object owner in the Windows GUI from the Owner tab in the Advanced Security settings of an object, as Figure 1 shows. One notable exception to the rule of granting ownership to the user account of the object creator is when the creator is a member of the Administrators or Domain Admins group. In that case, the group account rather than the user account will get the ownership of the object. Assigning ownership to a group rather than to the individual that created the object is not a good thing from an accountability and traceability point-of-view. An administrator could leverage it to hide his/her object creation tracks. That is why in XP and Windows 2003, Microsoft includes a configurable option to control the above behavior. The setting is included in the Group Policy Object (GPO) Security Options and is called “System objects: default owner for objects created by members of Administrators group.” The allowed settings for this option are “Administrators group” or “Object creator”. This GPO setting affects the nodefaultadminowner (REG_DWORD) registry value located in the HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa registry key. The supported values are 0 for Administrators group, or 1 for Object creator. When you change this setting a Windows restart is required to effectively apply the setting.
The default setting on XP is to grant ownership to the object creator. The default on Windows 2003 is to grant it to the Administrators group. In Windows 2000, Windows 2003, and XP the Administrators group is also the default owner of Windows files and folders. These include all files and folders that are created as part of the Windows installation process. A Windows account can take ownership of an object if it has the Take ownership permission on the object or if it has the “Take ownership of files or other objects” user right. A user is also explicitly granted take ownership permission if he or she is granted Full Control permission on an object. The take ownership user right is by default only given to members of the Administrators group. They can use it to take ownership of an object in the absence of explicit administrator object access permissions. The take ownership user right is typically used to bypass permissions when someone has intentionally or accidentally removed an administrator’s access permissions. It also ensures that files can be recovered by an administrator in the event that a user leaves the company. This explains why this is a highly sensitive user right that you should not give to ordinary users or services. Note that the actual change of ownership (it doesn’t matter if you leverage the take ownership permission, or the take ownership user right) is instigated by the new owner of the object. So typically, the actual owner of the object first gives another user the take ownership permission on an object, which then allows this user to seize ownership of the object. To give another user the take ownership permission, you must use the advanced view of the object’s ACL editor.
You can use the same interface to seize ownership of an object. For example, to transfer ownership of a folder named New Folder to your Alice user account, select the Edit button on the ACL editor’s advanced view Owner tab, select your Alice account using the Other Users and Groups button, select Alice’s account as the new owner, and click Apply. This process is illustrated in Figure 2 . If you're an administrator and you want to assign the ownership directly to some other account users you must - besides the take ownership permission or user right - also have the restore files and directories user right. This right is by default given to the Administrators, Backup Operators and Server Operator groups. Administrators can use this ability if they don’t trust their users to actually seize ownership of an object. This direct assignment of ownership is possible in XP and Windows 2003, but not in Windows 2000 (with the exception of an administrator assigning ownership to the Administrators group). If you have sufficient permissions, you can also change an object’s ownership from the command line using the icacls and takeown tools. Icacls can be used to transfer ownership to any account (provided this account and the account you use to transfer ownership have sufficient privileges). Takeown can be used only to seize ownership of your personal account or the Administrators group (If you are a member of this group). The icacls and takeown syntax are illustrated in Figure 3 for transferring and seizing ownership on a file named test.txt.
About the Author
You May Also Like