Microsoft KB Archive/245153

= INFO: Changing Ownership of a Securable Object =

Article ID: 245153

Article Last Modified on 11/21/2006

-

APPLIES TO

 Microsoft Win32 Application Programming Interface, when used with:
   Microsoft Windows NT 4.0
   Microsoft Windows 2000 Standard Edition
   Microsoft Windows XP Professional

-


This article was previously published under Q245153


SUMMARY
This article explains the WRITE_OWNER standard access right and the privileges for manipulating the owner of a security descriptor associated with a Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP securable object.


MORE INFORMATION
If the calling user is granted the WRITE_OWNER standard access right in the object's Discretionary Access Control List (DACL), the system grants write-owner access.

An object's owner implicitly has WRITE_OWNER access to the object even if the DACL contains no explicit access-allowed entry for it. The owner can therefore obtain full control over the corresponding Windows NT securable object. If the ownership of the object is modified, the calling user becomes the new owner; the original owner recorded in the security descriptor is overwritten.

The write-owner standard access right allows a user to take ownership of a Windows NT securable object, but does not allow the user to change the ownership of a Windows NT securable object to a different account.

When a security identifier (SID) is specified that corresponds to an account other than the calling user's, the SetSecurityDescriptorOwner function itself succeeds, because it only modifies the security descriptor in memory. Applying that security descriptor to a Windows NT securable object, for example with SetFileSecurity for a file or SetPrinter for a printer, fails: the function returns FALSE, and a subsequent call to GetLastError returns 1307 (ERROR_INVALID_OWNER).

Certain groups of users, such as Administrators and Backup Operators, have powerful privileges granted to override this default behavior.

If the calling user who is running the program is an Administrator, by default he or she has the "Take ownership of files or other objects" user right (SE_TAKE_OWNERSHIP) granted in User Manager. The calling process can "enable" this SE_TAKE_OWNERSHIP privilege in the process token and set itself as the owner of an object. This works irrespective of the access rights granted in the DACL of the securable object.

If the calling user who is running the program is an Administrator or a Backup Operator, by default he or she has the "Restore files and directories" user right (SE_RESTORE_NAME) granted in User Manager. The calling process can "enable" this SE_RESTORE_NAME privilege in the process token and then set any valid user or group SID as the owner of an object. This is what allows an Administrator or a Backup Operator to change the ownership of a Windows NT securable object to a different account.

Keywords: kbacl kbapi kbinfo kbkernbase kbsecurity KB245153

-


© Microsoft Corporation. All rights reserved.