Windows Server Hacks: Transferring Ownership of Files
by Mitch Tulloch, author of Windows Server Hacks
When a user creates a new file on an NTFS volume, the user automatically becomes the owner of that file. The owner of a file has implicit permission to do anything with the file, including the ability to modify or delete it, or change its permissions. On the earlier Windows NT platform, the mantra was that you couldn't give ownership of a file to someone; you could only allow them to take ownership by granting them the Take Ownership special permission for that file. The reasoning behind this restriction was to prevent a situation where an administrator wanted to snoop around in users' home folders. For example, say Bob has a home folder where only he has assigned Full Control (Allow) permission over the contents of his folder. To prevent snooping by nosy admins, Bob has also assigned Full Control (Deny) permission to the Administrators group. Now, if an administrator could give ownership away, he could do something like this to cover his tracks:
- Take ownership of Bob's home directory and its contents.
- Snoop around.
- Give ownership of the directory back to Bob.
However, since the GUI in NT only allows users to take ownership, and not give it, the above procedure doesn't work (though there's a well-known workaround we'll look at in a moment).
Windows 2000 continued to enforce this restriction upon giving ownership in the GUI for that platform. To see this, let's consider a file named resume.doc that Bob created previously. If you log on using the default Administrator account and open the advanced permissions for this file, as expected, the Owner tab displays Bob as the file's owner, as shown in Figure 1:
Figure 1. Bob is currently the owner of the file (Windows 2000)
Note that the currently logged-on user (Administrator) can take ownership of the file if he likes. To do this, simply select Administrator under Name and click the Apply button. But having taken ownership of the file, there's no way in the GUI to give it back or assign it to someone else.
Windows Server 2003 provides a way to do just that, however. Figure 2 shows the same Owner tab as before, but this time we're using Windows Server 2003, not Windows 2000:
Figure 2. Bob is currently the owner of the file (Windows Server 2003)
Note the new button here, called Other Users and Groups. Using this button, the logged-on Administrator can not only take ownership of the file but also give ownership to someone else; for example, to Mary. Just click Other Users and Groups and specify Mary as the user as in Figure 3 below:
Figure 3. Select a user to give ownership of the file to
Then click OK, and Mary's account is displayed in the list of possible users to which you can give ownership, as shown in Figure 4:
Figure 4. Giving ownership of the file to Mary
With Mary's account selected, just click Apply and ownership is transferred from Bob to Mary.
Is the ability to assign ownership to a user really something new in Windows Server 2003? As far as the GUI goes, yes. But the ability to give ownership away has actually been in place in the file system since Windows NT days. There just wasn't any way of doing it using the GUI. Doing it from the command line is different, however; a utility called subinacl that was first included in the Windows NT Server 4.0 Resource Kit has the capability of transferring ownership and doing a lot more.
subinacl is a powerful tool for directly manipulating the access control list (ACL) of a file or folder, and one of its many uses is to transfer ownership. For example, to transfer ownership of the file D:\resume.doc to user Mary above, you could do it as shown in Figure 5:
Figure 5. Giving ownership of the file to Mary using
We can verify this worked by viewing the Owner tab for the file as in Figure 6:
Figure 6. Ownership successfully transferred to Mary
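The same command-line transfer and verification, as an added PowerShell example that is not from the article or the Resource Kit: it uses the built-in icacls /setowner rather than subinacl, and the path D:\resume.doc and account name CONTOSO\Mary are assumed placeholders.

```powershell
# Added example (not from the article): give NTFS ownership of a file to
# another account from the command line, then verify it the way the article
# does with the Owner tab. Assumes an elevated session; 'CONTOSO\Mary' and
# 'D:\resume.doc' are constructed placeholders.
function Set-FileOwner {
    param(
        [Parameter(Mandatory)] [string] $Path,      # e.g. 'D:\resume.doc'
        [Parameter(Mandatory)] [string] $NewOwner   # e.g. 'CONTOSO\Mary'
    )

    # Giving ownership away (as opposed to taking it) needs SeRestorePrivilege,
    # which Administrators only hold in an elevated session. Fail early.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) session.'
    }

    # Resolve the account to a SID first so a mistyped name surfaces as a
    # clear error instead of an obscure icacls failure.
    $account = [Security.Principal.NTAccount] $NewOwner
    $sid = $account.Translate([Security.Principal.SecurityIdentifier])

    $before = (Get-Acl -Path $Path).Owner
    Write-Host "Current owner of ${Path}: $before"

    # icacls /setowner assigns ownership to an arbitrary principal, which is
    # exactly what the NT/2000 GUI never exposed (it only offered "take").
    & icacls.exe $Path /setowner $NewOwner /Q
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code $LASTEXITCODE"
    }

    # Verify by SID rather than display name, since icacls and Get-Acl may
    # render the same account in different name formats.
    $afterAcl = Get-Acl -Path $Path
    $afterSid = $afterAcl.GetOwner([Security.Principal.SecurityIdentifier])
    if ($afterSid.Value -ne $sid.Value) {
        throw "Owner of $Path is still $($afterAcl.Owner); expected $NewOwner"
    }
    Write-Host "Ownership of $Path transferred: $before -> $($afterAcl.Owner)"
}

# Usage: Set-FileOwner -Path 'D:\resume.doc' -NewOwner 'CONTOSO\Mary'
```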
subinacl can be downloaded from Microsoft's web site as a Windows Installer file (subinacl.msi), but note that this installs the utility in the C:\Program Files\Windows Resource Kits\Tools folder, so you may want to copy it to your
Consequences of Transferring Ownership