
Control owner access rights in Windows Server 2008

Derek Schauland explains the new identity called Owner Rights in Windows Server 2008 that allows an administrator to limit the default permissions set by the creator/owner of an object.

Using the Creator Owner permissions in Windows allows the person who creates an object to set the permissions on it. For example, if the IT manager is working on confidential documents about business and IT policy and wants to allow others in different business units or departments to access them, she can grant access to any groups or users she chooses and, at the same time, exclude those she wants to keep out. Often this works fine, but it becomes a problem when the Creator Owner of a document leaves the organization or is reassigned and nobody else has the rights to manage the object.

In previous versions of Windows, up until Windows Server 2008, the best way to correct this was to expose the object through an SMB (Server Message Block protocol) share and change the share permissions from Full Control to Modify. However, share permissions are much coarser than NTFS (NT File System) permissions, which may introduce other issues.

Windows Server 2008 introduces a new, built-in identity called Owner Rights that allows the creator/owner of the document to be overridden by an administrator. To add this feature to a document or object, you simply need to add an entry to the access control list (ACL) for the object, specifying owner rights. To do so, complete the following steps:

  • Right-click the object for which you want to change the access control list and choose Properties.
  • Choose the Security tab on the dialog box for the object.
  • Below the Group or User Names box, click Add.
  • In the Browse for Groups or Users selection box, enter Owner Rights and click OK.
  • Assign the Owner Rights identity the Modify permission, not Full Control.
  • Click OK on the object's Properties dialog box.
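The same change can be scripted instead of clicked through. The following PowerShell is an added example, not code from the original article: it adds an OWNER RIGHTS entry granting Modify (not Full Control) to a file or folder and then reads the ACL back to confirm the entry does not carry Change Permissions. The path is a placeholder, and the script assumes an elevated session on Windows Server 2008 or later, where the OWNER RIGHTS identity exists.

```powershell
# Added example (not from the original article): add an OWNER RIGHTS ACE with
# Modify rights to a file or folder, then verify it.
# Assumptions: $Path is a placeholder; run elevated on Windows Server 2008+.
param(
    [string]$Path = 'D:\Shares\Policy'   # placeholder, replace with your object
)

# OWNER RIGHTS is the well-known SID S-1-3-4. Using the SID instead of the
# display name avoids problems with localised account names.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')

# Modify = read, write, execute, delete. It deliberately excludes
# Change Permissions and Take Ownership, which is what stops the owner
# from editing the ACL later.
$rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Inheritance flags are only valid on folders; a file must use None,
# otherwise Set-Acl rejects the entry.
if (Test-Path -Path $Path -PathType Container) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
} else {
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
}

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ownerRights, $rights, $inherit, $propagation, $allow

# Apply: read the current DACL, add the entry, write it back.
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: re-read the ACL with SID identities and inspect the OWNER RIGHTS ACE.
$changePerms = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$applied = (Get-Acl -Path $Path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' }

foreach ($ace in $applied) {
    if (($ace.FileSystemRights -band $changePerms) -ne 0) {
        # This is the misconfiguration the article warns about: with Change
        # Permissions present, the owner can still rewrite the ACL.
        Write-Warning "OWNER RIGHTS entry still includes Change Permissions: $($ace.FileSystemRights)"
    } else {
        Write-Output "OWNER RIGHTS -> $($ace.AccessControlType) $($ace.FileSystemRights)"
    }
}
```

The verification loop is the check to keep around: if someone later grants OWNER RIGHTS Full Control through the GUI, the warning fires and the protection the article describes is gone.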

With this entry in the ACL, one of two things happens when the owner of the object attempts to change its permissions. Depending on the operating system the user is running and the permissions associated with the user account, either the permissions controls are disabled, or an "access denied" message appears when he or she tries to make a change.

What happens if the owner cannot change the permissions on a file?

Windows Server 2008 has provisions for this situation. Any user, including an administrator, can lock themselves out of an object; however, users who are also members of the administrators group can assign ownership back to the domain administrators group, allowing any member (including the original owner) to modify the ownership of the object.

If you are a member of the administrators group, even though you can lock yourself out of being able to change permissions or see an object, your other rights will allow you to correct the action.

With these new features, it is likely that business policy and IT security policy will become a bit more closely related and work a little better for everyone.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

5 comments
ddjong67

Question: in Windows 2003, when a user who is a member of the administrators group creates a file, the owner SID of the file is (by default) the administrators group and not the user. To avoid this there is a local security setting, "Default owner of files created by administrator group", which can be set to "Object Creator". In 2008 this option is not there anymore. How can you achieve this behavior in Windows Server 2008? We need this in 2008. But in our 2008 environment it is still the administrators group and not the user SID. In Dynamics AX 2009, the importing user (in AIF) is taken from the owner of the file to be imported (file-based integration). Any idea?

Derek Schauland

Controlling the access to both an object and its permissions could be very helpful for administrators. Is this a feature your organization will find useful?

Derek Schauland

You are correct: if the user is a member of the local admins group, the administrators group is made the owner of the file. If the users needing to access the file have the right access permissions (read/write/modify), they should still be able to use the files as needed. What happens when you import the file owned by the admins group?

john.light

I have used the SUBINACL and ICACLS programs to handle these kinds of problems with much greater success and with less risk of screwing something else up.

Derek Schauland

Having used Subinacl before and rebuilt a machine because of it (oops), the new method seems more manageable to me. However, I am sure that, as with all updates/features, there will be hiccups here too.