Win 2k3 ownership of a file?

So we have a domain controller acting as our file server, and there is sensitive material that we need special permissions applied to. We have given a manager full access and the user associated with the folder read access. All other users do not have any type of access. Now I am confused about ownership of a file. On some files the user is the owner, while on others the administrator is. What does that really mean? How will it affect things? If someone is an owner, but not listed in the security permissions, can they still view the folder with rw access? Who should be the owner? If we have so many folders


shankshankAsked:
 
ian_chardConnect With a Mentor Commented:
Sorry, I should have clarified more. If the user is a user (as in not in the administrators groups), has ownership of the folders or files, but only has Modify permissions, they can not change the ownership or NTFS permissions on that file or folder, as their NTFS permissions shouldn't allow this.

To overcome any scenario where they can take ownership and grant permissions, you can implicitly deny Full Control and Take Ownership of the file to that user. As implicitly denied NTFS permissions overwrite any other permissions that user has they will 100% definitely not be able to take ownership of the files or change security.

There's a problem with giving the administrators ownership of the files that could arise if you are dealing with profiles and My Documents. In this scenario a situation can arise (depending on GP settings) that if the administrator has ownership and not the end user, the folder redirection for that user may fail (as the ownership on these folders will be checked first and the user needs to be the owner.)

0
 
mskarlCommented:
Object ownership allows the user to change permissions on the owned
object. The user who is the creator of a file or directory is usually the owner.
Users can’t give away ownership of their objects, but they can give other
users permission to take ownership. This prevents users from creating
objects and making them appear to be owned by another user.
Ownership of a file or directory can be taken by an Administrator without the
owner’s consent, but the Administrator can’t transfer ownership to others.
Administrators cannot access private files without leaving some trails
behind, because after claiming ownership, Administrators cannot return
ownership to the original owner.
0
 
shankshankAuthor Commented:
But I was able to transfer ownership to other users and to return the ownership to the original user after I had taken it over.
0

 
mskarlCommented:
If you are logged in as an administrator then that is correct.  It should not be the same if you are logged in as a user.
0
 
ian_chardCommented:
Hi,

Firstly, the ownership of the file should make no difference to security permissions, the only problem you may have is if you want to deny any administrators access to the file, in which case you can remove the NTFS permissions for administrator to deny them access (provided creator owner has no permissions.)

The reason for the administrator having ownership of the file could be anything, from the administrator taking ownership to file permissions not being reapplied during restores, but to be honest as long as you have your NTFS permissions correct, ownership shouldn't really matter.

You can reset ownership (as well as access permissions to the file) from the command line using subinacl, which is part of the Win2K3 resource kit. Here's a quick sample file to reset ownership back to the user, but be careful with using this, if you don't have the syntax correct then it can reset ownership and NTFS permissions on everything!


set /p userin=Please enter user logon name:
REM Reset owner and ACL on that user's folder tree; SubInACL's owner action is /setowner, and SERVER, SERVERSHARE$ and DOMAIN are site-specific placeholders
start /wait subinacl.exe /noverbose /nostatistic /subdirectories \\SERVER\SERVERSHARE$\%USERIN%\* /setowner="%USERIN%" /grant=%USERIN%=f /grant="creator owner"=f /grant="DOMAIN\Domain Admins"=f /grant=system=f

So basically it will prompt you for the username, then reapply permissions for that user so they are the owner, have full control on the folder and subfolders, creator owner is given full control, domain admins are given full control, and system also gets full control. The /noverbose and /nostatistic switches give no screen output.

Good luck!
Ian
0
 
shankshankAuthor Commented:
So in my case with sensitive employees data in their own folder where they should only have read access to, and their manager has write access to (keep track of user's vacation hours in excel sheets), then the owner can be anyone, but the NTFS security permissions are what should be accurate?
0
 
ian_chardCommented:
Yes pretty much, but you may wish to reset the owner back to the user to be extra safe. You may also need to grant access to your backup account (if you use one) to make sure it can get to the files.

Apologies for the vagueness...got a migraine so my brain isn't functioning as it should today! LOL!

Cheers
Ian
0
 
shankshankAuthor Commented:
"but to be honest as long as you have your NTFS permissions correct, ownership shouldn't really matter. "

given this statement, if the owner was the user, then they could modify the permissions themselves, and grant them write access. Which is what we do not want. So given that, then the owner should not be the user, but someone else such as administrators
0
 
shankshankAuthor Commented:
Excellent. That makes sense, to actually specify DENIED rights.

appreciate the help
0
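The thread ends up with two remedies for the "owner can regrant themselves write access" problem: reset the owner to someone other than the employee (ian_chard's subinacl script above) and add an explicit Deny for Take Ownership and Change Permissions (the "DENIED rights" just agreed on). The PowerShell script below is an added example, not code from the thread, that does both with Get-Acl/Set-Acl. Run without -Fix it only reports, per employee folder, who the owner is and whether the employee holds any Allow right that lets them rewrite the ACL; with -Fix it cuts inheritance, applies the read-only-for-user / modify-for-manager model from the question, adds the Deny ACE and makes Administrators the owner. The share root D:\Staff, the domain CONTOSO, the manager account CONTOSO\hr-manager and the convention that each folder is named after the employee's logon name are placeholder assumptions.

```powershell
# Added example, not code from the thread. Assumes a share root D:\Staff with one
# folder per employee named after the logon name, domain CONTOSO, and a manager
# account CONTOSO\hr-manager; all of these are placeholders to replace.
param(
    [string]$Root    = 'D:\Staff',
    [string]$Domain  = 'CONTOSO',
    [string]$Manager = 'CONTOSO\hr-manager',
    [switch]$Fix                      # without -Fix the script only reports
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal rewrite the ACL or take the folder over
$AclRewrite = $FSR::ChangePermissions -bor $FSR::TakeOwnership

function Test-AclRewrite([System.Security.AccessControl.FileSystemAccessRule]$Rule) {
    $Rule.AccessControlType -eq 'Allow' -and (($Rule.FileSystemRights -band $AclRewrite) -ne 0)
}

foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $user = "$Domain\$($dir.Name)"
    $acl  = Get-Acl -Path $dir.FullName

    # An explicit Allow ACE for the employee carrying ChangePermissions or
    # TakeOwnership, or ownership of the folder itself, is what would let
    # them regrant themselves write access
    $userRewrite = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $user -and (Test-AclRewrite $_) }).Count -gt 0

    [pscustomobject]@{
        Folder            = $dir.FullName
        Owner             = $acl.Owner
        OwnedByUser       = ($acl.Owner -eq $user)
        UserCanRewriteAcl = $userRewrite
    }

    if (-not $Fix) { continue }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule    = { param($Who, $Rights, $Type)
        New-Object System.Security.AccessControl.FileSystemAccessRule($Who, $Rights, $inherit, $prop, $Type) }

    # Cut inheritance and drop every existing ACE so the folder carries exactly the rules below
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $acl.AddAccessRule((& $rule 'NT AUTHORITY\SYSTEM'    'FullControl'    'Allow'))
    $acl.AddAccessRule((& $rule 'BUILTIN\Administrators' 'FullControl'    'Allow'))
    # Modify rather than Full Control, so the manager cannot edit the ACL either
    $acl.AddAccessRule((& $rule $Manager                 'Modify'         'Allow'))
    $acl.AddAccessRule((& $rule $user                    'ReadAndExecute' 'Allow'))
    # Deny wins over Allow in DACL evaluation; denying TakeOwnership keeps the
    # employee from becoming owner later. The owner of an object can always
    # rewrite its DACL regardless of ACEs, which is why the owner is changed below.
    $acl.AddAccessRule((& $rule $user 'ChangePermissions, TakeOwnership' 'Deny'))

    # Make Administrators the owner so the employee's implicit owner rights disappear
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $dir.FullName -AclObject $acl
}
```

Run it first without -Fix and review the OwnedByUser and UserCanRewriteAcl columns; only folders where either is True need the fix. As ian_chard notes above, a backup account that is not in Administrators will also need an Allow entry added alongside the others, and the owner change has the folder-redirection caveat from the accepted answer if these folders are also redirected profile folders.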
 
ian_chardCommented:
No problem. I hope I didn't confuse you too much...feeling confused myself now!

Cheers
Ian
0
 
shankshankAuthor Commented:
What, you're confused! I'm gonna get a refund! hahah jk
0
 
ian_chardCommented:
LOL! Might be an idea! I think (if he could) my boss would ask for wages refunds every month!

Lesson learnt for me...don't try to post when you have a migraine and can't think!

Cheers
Ian
0