INFO: Changing Ownership of a Securable Object (245153)



The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows XP

This article was previously published under Q245153

SUMMARY

This article explains the WRITE_OWNER standard access right and the privileges for manipulating the owner of a security descriptor associated with a Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP securable object.

MORE INFORMATION

If the object's Discretionary Access Control List (DACL) grants the calling user the WRITE_OWNER standard access right, the system grants write-owner access.

An object's owner implicitly has WRITE_OWNER access to the object even if the DACL does not grant that right explicitly. The owner can therefore obtain full control over the corresponding Windows NT securable object. If the ownership of the object is modified, the calling user becomes the new owner; the original owner is overwritten.

The write-owner standard access right allows a user to take ownership of a Windows NT securable object, but does not allow the user to change the ownership of a Windows NT securable object to a different account.

When a security identifier (SID) is specified that corresponds to an account other than the calling user, the SetSecurityDescriptorOwner function succeeds, because it only changes the security descriptor in memory. When that security descriptor is then applied to a Windows NT securable object, for example with SetFileSecurity for a file or SetPrinter for a printer, the API fails: the function returns FALSE, and a subsequent call to GetLastError returns 1307 (ERROR_INVALID_OWNER).

Certain groups of users, such as Administrators and Backup Operators, have powerful privileges granted to override this default behavior.

If the user running the program is an Administrator, by default the "Take ownership of files or other objects" user right (SE_TAKE_OWNERSHIP_NAME) is granted in User Manager. The calling process can enable this privilege in its process token and set itself as the owner of an object. This works irrespective of the access rights granted in the DACL of the securable object.

If the user running the program is an Administrator or a Backup Operator, by default the "Restore files and directories" user right (SE_RESTORE_NAME) is granted in User Manager. The calling process can enable this privilege in its process token and then set any valid user or group SID as the owner of an object. This is what allows an Administrator or a Backup Operator to change the ownership of a Windows NT securable object to a different account.
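The following PowerShell script is an added example, not code from the KB article. It reproduces the two behaviours described above: assigning ownership to a SID other than the caller is rejected with ERROR_INVALID_OWNER (surfaced by .NET as "The security identifier is not allowed to be the owner of this object") until SeRestorePrivilege is enabled in the process token. It assumes an elevated session run by a member of Administrators or Backup Operators, creates a throwaway file under %TEMP%, and uses the well-known BUILTIN\Administrators SID S-1-5-32-544 as the "other" account; the TokenPriv class and Set-DemoOwner function are this example's own helpers.

```powershell
# Added example (not from the KB): P/Invoke wrapper that enables or disables one
# privilege in the current process token, the step the article calls "enable".
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
  [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
  [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public int Count; public LUID Luid; public int Attr; }
  [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
  [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr token);
  [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
  static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                           int len, IntPtr prev, IntPtr retLen);
  // Returns true only if the token holds the privilege and it is now in the requested state.
  public static bool Set(string name, bool enable) {
    IntPtr tok; LUID luid;
    if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (!LookupPrivilegeValue(null, name, out luid)) { CloseHandle(tok); return false; }
    var tp = new TOKEN_PRIVILEGES { Count = 1, Luid = luid, Attr = enable ? 2 : 0 }; // 2 = SE_PRIVILEGE_ENABLED
    bool ok = AdjustTokenPrivileges(tok, false, ref tp, Marshal.SizeOf(typeof(TOKEN_PRIVILEGES)), IntPtr.Zero, IntPtr.Zero)
              && Marshal.GetLastWin32Error() == 0;  // 1300 = ERROR_NOT_ALL_ASSIGNED: privilege not held by this token
    CloseHandle(tok);
    return ok;
  }
}
'@

function Set-DemoOwner([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid) {
  $acl = Get-Acl -LiteralPath $Path
  $acl.SetOwner($Sid)   # like SetSecurityDescriptorOwner: only the in-memory descriptor changes, so this never fails
  try { Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop; 'owner set' }
  catch { "rejected: $($_.Exception.Message)" }   # ERROR_INVALID_OWNER (1307) surfaces here
}

$file  = Join-Path $env:TEMP 'owner-demo.txt'     # constructed sample file
Set-Content -LiteralPath $file -Value 'demo'
$other = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators, not the caller

[TokenPriv]::Set('SeRestorePrivilege', $false) | Out-Null
Set-DemoOwner $file $other    # rejected: WRITE_OWNER alone cannot hand ownership to another account
if ([TokenPriv]::Set('SeRestorePrivilege', $true)) { Set-DemoOwner $file $other }  # 'owner set' once enabled
(Get-Acl -LiteralPath $file).Owner
Remove-Item -LiteralPath $file
```

In an unelevated session the second call is skipped because the filtered token does not hold SeRestorePrivilege at all, which is the same check a defender can make with `whoami /priv` before trusting an ownership change.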

Modification Type: Major
Last Reviewed: 12/17/2003
Keywords: kbACL kbAPI kbinfo kbKernBase kbSecurity KB245153