Derek Schauland explains the new identity called Owner Rights in Windows Server 2008 that allows an administrator to limit the default permissions set by the creator/owner of an object.
Using the Creator Owner permissions in Windows allows a person who creates an object to set the permissions for it. For example, if the IT manager is working on confidential documents about business and IT policy and wants to allow others in different business units or departments to access them, she can select any groups or users she wants. At the same time, she can also restrict access to those she wants to exclude. Sometimes this works OK, but it can be a problem if the Creator Owner of a document leaves the organization or is reassigned and no longer has access to the target object.
In previous versions of Windows, up until Windows Server 2008, using an SMB share (Server Message Block protocol) for permissions and changing them from full control to modify was the best way this could be corrected. However, SMB share permissions are not as restrictive as NTFS (NT File System) permissions, which may introduce other issues.
Windows Server 2008 introduces a new, built-in identity called Owner Rights that allows the creator/owner of the document to be overridden by an administrator. To add this feature to a document or object, you simply need to add an entry to the access control list (ACL) for the object, specifying owner rights. To do so, complete the following steps:
- Right-click the object for which you want to change the access control list and choose Properties.
- Choose the Security tab on the dialog box for the object.
- Below the Group or User Names box, click Add.
- In the Browse for Groups or Users selection box, enter Owner Rights and click OK.
- Assign Owner Rights to Modify permission not to Full Control permission.
- Click OK on the object's Properties dialog box.
With this addition to the ACL, when the owner of the object attempts to change permissions, one of two things will happen. Depending on the operating system this user is running and the permissions associated with the user account, the permissions information may be disabled or an "access denied" message will appear when he or she tries to make a change.
What happens if the owner cannot change the permissions on a file?
Windows Server 2008 has provisions for this situation. Basically any users including an admin can lock themselves out of any object; however, users who are also members of the administrators group can assign ownership back to the domain administrators group, allowing any member (including the original owner) to modify the ownership of the object.
If you are a member of the administrators group, even though you can lock yourself out of being able to change permissions or see an object, your other rights will allow you to correct the action.
With these new features, it is likely that business policy and IT security policy will become a bit more closely related and work a little better for everyone.