
Windows Server Hacks: Transferring Ownership of Files

by Mitch Tulloch, author of Windows Server Hacks
07/06/2004

When a user creates a new file on an NTFS volume, the user automatically becomes the owner of that file. The owner of a file has implicit permission to do anything with the file, including the ability to modify or delete it, or change its permissions. On the earlier Windows NT platform, the mantra was that you couldn't give ownership of a file to someone; you could only allow them to take ownership by granting them the Take Ownership special permission for that file. The reasoning behind this restriction was to prevent a situation where an administrator wanted to snoop around in users' home folders. For example, say Bob has a home folder where only he has assigned Full Control (Allow) permission over the contents of his folder. To prevent snooping by nosy admins, Bob has also assigned Full Control (Deny) permission to the Administrators group. Now, if an administrator could give ownership away, he could do something like this to cover his tracks:

  1. Take ownership of Bob's home directory and its contents.
  2. Snoop around.
  3. Give ownership of the directory back to Bob.

However, since the GUI in NT only allows users to take ownership, and not give it, the above procedure doesn't work (though there's a well-known workaround we'll look at in a moment).

Windows 2000 continued to enforce this restriction upon giving ownership in the GUI for that platform. To see this, let's consider a file named resume.doc that Bob created previously. If you log on using the default Administrator account and open the advanced permissions for this file, as expected, the Owner tab displays Bob as the file's owner, as shown in Figure 1:

Figure 1. Bob is currently the owner of the file (Windows 2000)

Note that the currently logged-on user (Administrator) can take ownership of the file if he likes. To do this, simply select Administrator under Name and click the Apply button. But having taken ownership of the file, there's no way in the GUI to give it back or assign it to someone else.

Windows Server 2003 provides a way to do just that, however. Figure 2 shows the same Owner tab as before, but this time we're using Windows Server 2003, not Windows 2000:

Figure 2. Bob is currently the owner of the file (Windows Server 2003)

Note the new button here, called Other Users and Groups. Using this button, the logged-on Administrator can not only take ownership of the file but also give ownership to someone else; for example, to Mary. Just click Other Users and Groups and specify Mary as the user as in Figure 3 below:

Figure 3. Select a user to give ownership of the file to

Then click OK, and Mary's account is displayed in the list of possible users to which you can give ownership, as shown in Figure 4:

Figure 4. Giving ownership of the file to Mary

With Mary's account selected, just click Apply and ownership is transferred from Bob to Mary.

subinacl

Is the ability to assign ownership to a user really something new in Windows Server 2003? As far as the GUI goes, yes. But the file system itself has supported giving ownership away since the Windows NT days; there just wasn't any way to do it from the GUI. The command line is a different story: a utility called subinacl, first included in the Windows NT Server 4.0 Resource Kit, can transfer ownership and do a lot more. subinacl is a powerful tool for directly manipulating the access control list (ACL) of a file or folder, and one of its many uses is to transfer ownership. For example, to transfer ownership of the file D:\resume.doc to the user Mary from above, you could do it as shown in Figure 5:

Figure 5. Giving ownership of the file to Mary using subinacl.exe

We can verify this worked by viewing the Owner tab for the file as in Figure 6:

Figure 6. Ownership successfully transferred to Mary

subinacl can be downloaded from Microsoft's web site as a Windows Installer file (subinacl.msi), but note that this installs the utility in the C:\Program Files\Windows Resource Kits\Tools folder, so you may want to copy it to your %SystemRoot%\System32 folder to put the command in your default command path.
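Because ownership can be handed back after a take-ownership-and-snoop sequence, the owner field of a file is not by itself proof that nobody else has touched it; what you can do is periodically compare owners against what they should be and flag drift. The following PowerShell script is an added example, not part of the original article or of the subinacl tool: it assumes per-user home folders live under a root such as D:\Home, that each folder is named after its owner's account, and that the account domain is the one the script runs in.

```powershell
# Added example (not from the article). Audits ownership of per-user home folders
# and reports every file or folder whose owner is not the expected user, plus any
# item whose security descriptor this account cannot read (no READ_CONTROL), which
# is what happens under the "Full Control (Deny) for Administrators" layout.
param(
    [string]$HomeRoot = 'D:\Home',        # assumed home-folder share root
    [string]$Domain   = $env:USERDOMAIN   # assumed account domain (e.g. CORP)
)

function Get-OwnershipReport {
    param([string]$Root, [string]$Domain)

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        # Convention assumed here: folder name == account name, so D:\Home\bob -> CORP\bob
        $expected = "$Domain\$($dir.Name)"

        # The folder itself plus everything beneath it, hidden items included
        $items = @($dir) + @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force `
                                           -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            try {
                $owner = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Owner
            } catch {
                # Reading the owner needs READ_CONTROL; a Deny ACE on our group blocks it
                $owner = '<unreadable: no READ_CONTROL>'
            }

            # -ne is case-insensitive in PowerShell, so CORP\Bob and CORP\bob match
            if ($owner -ne $expected) {
                [pscustomobject]@{
                    Path          = $item.FullName
                    ExpectedOwner = $expected
                    ActualOwner   = $owner
                    LastWrite     = $item.LastWriteTime
                }
            }
        }
    }
}

# Anything listed here is either owned by someone other than the folder's user
# (for example an administrator who took ownership) or could not be inspected.
Get-OwnershipReport -Root $HomeRoot -Domain $Domain | Format-Table -AutoSize
```

Run it from a scheduled task under an account that has at least Read permissions (and therefore READ_CONTROL) on the home folders; items reported as unreadable still deserve a look, since the script cannot tell whether their owner changed.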

Consequences of Transferring Ownership

One final word on transferring ownership: be careful. Your company's privacy policy may prevent you, as administrator, from viewing users' files without their knowledge, so don't go around taking ownership without first obtaining proper consent or informing management of the reasons for your action. Technically, you can easily cover your tracks when snooping around users' home directories like this, but legally, you may be on dangerous ground if you do so without proper permission.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.