Solved

Win 2k3 ownership of a file?

Posted on 2006-05-02
Last Modified: 2010-04-03
So we have a domain controller acting as our file server, and there is sensitive material that we need special permissions applied to. We have applied a manager as full access and the user associated with the folder read access. All other users do not have any type of access. Now I am confused about ownership of a file. Some files the user is the owner, while others the administrator is. What does that really mean? How will it affect things? If someone is an owner, but not listed in the security permissions, can they still view the folder with rw access? Who should be the owner? If we have so many folders


Question by:shankshank
12 Comments
 

Expert Comment

by:mskarl
ID: 16590269
Object ownership allows the user to change permissions on the owned
object. The user who is the creator of a file or directory is usually the owner.
Users can’t give away ownership of their objects, but they can give other
users permission to take ownership. This prevents users from creating
objects and making them appear to be owned by another user.
Ownership of a file or directory can be taken by an Administrator without the
owner’s consent, but the Administrator can’t transfer ownership to others.
Administrators cannot access private files without leaving some trails
behind, because after claiming ownership, Administrators cannot return
ownership to the original owner.
0
 
LVL 5

Author Comment

by:shankshank
ID: 16590316
But I was able to transfer ownership to other users and to return the ownership to the original user after I had taken it over
0
 

Expert Comment

by:mskarl
ID: 16591023
If you are logged in as an administrator then that is correct.  It should not be the same if you are logged in as a user.
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16594035
Hi,

Firstly, the ownership of the file should make no difference to security permissions, the only problem you may have is if you want to deny any administrators access to the file, in which case you can remove the NTFS permissions for administrator to deny them access (provided creator owner has no permissions.)

The reason for the administrator having ownership of the file could be anything, from the administrator taking ownership to file permissions not being reapplied during restores, but to be honest as long as you have your NTFS permissions correct, ownership shouldn't really matter.

You can reset ownership (as well as access permissions to the file) from the command line using subinacl, which is part of the Win2K3 resource kit. Here's a quick sample file to reset ownership back to the user, but be careful with using this, if you don't have the syntax correct then it can reset ownership and NTFS permissions on everything!


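rem Prompt for the logon name; it is used both as the folder name and as the account.
set /p userin=Please enter user logon name:
rem Reset the owner and grant full control on everything under that user's folder.
start /wait subinacl.exe /noverbose /nostatistic /subdirectories \\SERVER\SERVERSHARE$\%USERIN%\* /Owner="%USERIN%" /Grant=%USERIN%=f /Grant="creator owner"=f /Grant="DOMAIN\Domain Admins"=f /Grant=system=f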

So basically it will prompt you for the username, then reapply permissions for that user so they are the owner, have full control on the folder and subfolders, creator owner is given full control, domain admins are given full control, and system also gets full control. The /noverbose and /nostatistic gives no screen output.

Good luck!
Ian
0
 
LVL 5

Author Comment

by:shankshank
ID: 16596312
So in my case with sensitive employees' data in their own folder where they should only have read access to, and their manager has write access to (keep track of users' vacation hours in Excel sheets), then the owner can be anyone, but the NTFS security permissions are what should be accurate?
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16596726
Yes pretty much, but you may wish to reset the owner back to the user to be extra safe. You may also need to grant access to your backup account (if you use one) to make sure it can get to the files.

Apologies for the vagueness...got a migraine so my brain isn't functioning as it should today! LOL!

Cheers
Ian
0
 
LVL 5

Author Comment

by:shankshank
ID: 16630593
"but to be honest as long as you have your NTFS permissions correct, ownership shouldn't really matter. "

Given this statement, if the owner was the user, then they could modify the permissions themselves, and grant them write access. Which is what we do not want. So given that, then the owner should not be the user, but someone else such as administrators.
0
 
LVL 6

Accepted Solution

by:
ian_chard earned 2000 total points
ID: 16630803
Sorry, I should have clarified more. If the user is a user (as in not in the administrators groups), has ownership of the folders or files, but only has Modify permissions, they cannot change the ownership or NTFS permissions on that file or folder, as their NTFS permissions shouldn't allow this.

To overcome any scenario where they can take ownership and grant permissions, you can implicitly deny Full Control and Take Ownership of the file to that user. As implicitly denied NTFS permissions overwrite any other permissions that user has they will 100% definitely not be able to take ownership of the files or change security.

There's a problem with giving the administrators ownership of the files that could arise if you are dealing with profiles and my documents. In this scenario a situation can arise (depending on GP settings) that if the administrator has ownership and not the end user, the folder redirection for that user may fail (as the ownership on these folders will be checked first and the user needs to be the owner.)

0
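An audit for the setup discussed in this thread, added here as an example and not part of any participant's post: it lists each per-user folder's owner and flags folders where the user owns the folder or is directly granted write or permission-changing rights. It assumes each folder under the share root is named after the user's logon name, as in the subinacl sample above; `\\SERVER\SERVERSHARE$` and `DOMAIN` are the placeholders used there, and the parameter and property names are hypothetical.

```powershell
# Added example: report owner and direct grants for per-user folders.
# Assumptions: folder name == user logon name; $Root and $Domain are placeholders.
param(
    [string]$Root   = '\\SERVER\SERVERSHARE$',
    [string]$Domain = 'DOMAIN'
)

# Rights that let a principal rewrite the permissions or the owner of an object.
$aclEdit = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
# Rights that change data; the folder's user is meant to be read-only here.
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $user = "$Domain\$($_.Name)"
    $acl  = Get-Acl -Path $_.FullName

    # Allow ACEs that name the folder's user directly (group grants are not expanded).
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $user -and $_.AccessControlType -eq 'Allow'
    }

    # OR together every right those ACEs grant.
    $granted = 0
    foreach ($ace in $allow) { $granted = $granted -bor [int]$ace.FileSystemRights }

    New-Object PSObject -Property @{
        Folder        = $_.FullName
        Owner         = $acl.Owner
        UserIsOwner   = ($acl.Owner -ieq $user)
        GrantsWrite   = (($granted -band [int]$write) -ne 0)
        GrantsAclEdit = (($granted -band [int]$aclEdit) -ne 0)
    }
} | Where-Object { $_.UserIsOwner -or $_.GrantsWrite -or $_.GrantsAclEdit } |
    Format-Table Folder, Owner, UserIsOwner, GrantsWrite, GrantsAclEdit -AutoSize
```

The report shows what is granted, not effective access: Deny entries, group memberships and generic-rights entries are not evaluated, so treat a flagged folder as one to inspect by hand.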
 
LVL 5

Author Comment

by:shankshank
ID: 16630817
Excellent. That makes sense, to actually specify DENIED rights

appreciate the help
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16630873
No problem. I hope I didn't confuse you too much...feeling confused myself now!

Cheers
Ian
0
 
LVL 5

Author Comment

by:shankshank
ID: 16630893
what you're confused! I'm gonna get a refund! hahah jk
0
 
LVL 6

Expert Comment

by:ian_chard
ID: 16630925
LOL! Might be an idea! I think (if he could) my boss would ask for wages refunds every month!

Lesson learnt for me...don't try to post when you have a migraine and can't think!

Cheers
Ian
0
