Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 



Controlling Ownership in Windows


A Web Exclusive from Windows IT Pro
Jan De Clercq
Tech Corner
InstantDoc #98978
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Q: What is the exact meaning of ownership in the Windows OS? How can I control the ownership of Windows resources on my Windows XP and Windows Server 2003 systems?

A: At the center of the Windows authorization model sits the notion of Discretionary Access Control (DAC). DAC builds on object owners and object ownership and owes its name to the fact that it allows the owner of a Windows object-- such as a file, folder, registry key, or Active Directory (AD) object--to set permissions on that object at his/her proper discretion. This means that it is the object owner who ultimately controls which users can access the object. In Windows, the user who creates an object automatically becomes the owner of anything he or she creates.

Windows ownership is a very powerful concept. The owner owes his powers to the fact that Windows implicitly grants an object owner the read permissions and change permissions on the object. This means that the owner is always allowed to access the object, regardless of what the Access Control List (ACL) of the object says. Even if the ACL of an object includes an explicit deny Access Control Entry (ACE) for the owner’s user account, the owner can still access the object: He or she can get to the object’s ACL and override or simply remove the deny ACE. It is important to stress that the OS grants the above permissions implicitly: They do not show up in the ACL of the object. If you do detect explicit ACEs for the object owner in the ACL of an object, these are not related to the implicit owner permissions for an object, but to another mechanism, called ownership inheritance, which is used to set explicit ownership-related permissions on the parent object level (e.g., a folder or AD organizational unit--OU). Even though ownership is a powerful thing, the Windows ownership model is a bit crippled: This is because Windows doesn't implement a pure DAC model. Besides object owners, Windows also allows other accounts to control the permissions on Windows objects--the almighty Windows administrator accounts. These include the members of the local Administrators group, and the domain-level Domain Admins and Enterprise Admins groups, and also the Local System account. Windows typically assigns ownership to the user account of the object creator. If you create a new Word document for example, your user account will become the owner of the document. The owner of an object is represented by the owner’s user account SID in the object’s security descriptor. An object’s security descriptor is the Windows construct that holds an object’s access control and auditing settings, which also include the object’s ACL. You can find out the object owner in the Windows GUI from the Owner tab in the Advanced Security settings of an object, as Figure 1 shows. One notable exception to the rule of granting ownership to the user account of the object creator is when the creator is a member of the Administrators or Domain Admins group. In that case, the group account rather than the user account will get the ownership of the object. Assigning ownership to a group rather than to the individual that created the object is not a good thing from an accountability and traceability point-of-view. An administrator could leverage it to hide his/her object creation tracks. That is why in XP and Windows 2003, Microsoft includes a configurable option to control the above behavior. The setting is included in the Group Policy Object (GPO) Security Options and is called “System objects: default owner for objects created by members of Administrators group.” The allowed settings for this option are “Administrators group” or “Object creator”. This GPO setting affects the nodefaultadminowner (REG_DWORD) registry value located in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa registry key. The supported values are 0 for Administrators group, or 1 for Object creator. When you change this setting a Windows restart is required to effectively apply the setting. . . .

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

More fun TechEd 2005 Resources

Kevin points out some more TechEd resources ...
Active Directory (AD) Whitepapers Sustainable Compliance: How to reconnect compliance, security and business goals

User Provisioning and Access Control

Managing Unix/Linux with Microsoft System Center Operations Manager 2007 Cross Platform Extensions Beta
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

IT Connections
Dive into the new Microsoft platforms and products you implement and support with the experts from Microsoft, TechNet Magazine, Windows ITPro and industry gurus. There are 70+ sessions and interactive panels with networking opportunities.

Attention User Group Leaders...
Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes and add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Get SQL Server 2008 at WinConnections
Don’t miss Microsoft Exchange and Windows Connections conferences, the premier events for Microsoft IT Professionals in Las Vegas, November 10-13. Every attendee will receive a copy of SQL Server 2008 Standard Edition with one CAL.



Interested in Email Encryption?
Read about the advantages of identity-based encryption in this free report.

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing