Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Take Ownership - Allow or Prevent Users and Groups To



Take Ownership - Allow or Prevent Users and Groups To

How to Allow or Prevent Users and Groups to be able to Take Ownership
Published by Brink
05 Dec 2010
Published by

How to Allow or Prevent Users and Groups to be able to Take Ownership

information   Information
This will show you how to allow or prevent specific users and groups from being able to Take Ownership of items such as a file, folder, registry key, drive, or other objects in Vista, Windows 7, and Windows 8.

You will need to be logged in as administrator to be able to do this tutorial.

Note   Note
Default Users and Groups Allowed to Take Ownership
NOTE: This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

On All Computers: Administrators






OPTION ONE
Through Local Security Policy
1. Open the Local Security Policy window, expand Local Policies in the left pane, and select User Rights Assignment. (see screenshot below)
Take Ownership - Allow or Prevent Users and Groups To-step1.jpg
2. In the right pane of User Rights Assignment, double click on Take ownership of files or other objects. (see screenshot above)

3. Prevent Listed Users or Groups to be able to Take Ownership
A) Select (highlight) listed user(s) and/or group(s) that you do not want to be allowed to shut down the computer anymore, then click on the Remove button. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed user and group.
Name:  Step2.jpg
Views: 3767
Size:  47.0 KB

Tip   Tip
To Only Prevent Specific Administrators
  • You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.

B) Click on Apply. (see screenshot below)
Name:  Step3.jpg
Views: 3677
Size:  42.9 KB
4. Allow Users or Groups to be able to Take Ownership
A) Click on the Add User or Group button. (see screenshot above)

B) To Change the Location to Search for "Object Types"

NOTE: This is only if you wanted to search for object types to allow from a location other than your local computer. If you only want to search from your computer, then skip this step and go to step 4C.
  • Click on the Locations button. (see screenshot below step 4C)
  • Select a location, and click on OK. (see screenshot below)
Name:  Location-1.jpg
Views: 3664
Size:  28.9 KB
C) Click on the Advanced button. (see screenshot below)
Name:  Add-1.jpg
Views: 3639
Size:  38.5 KB
D) Click on the Object Types button. (see screenshot below)
Name:  Add-2.jpg
Views: 3633
Size:  57.8 KB
E) Check all boxes or the "object types" (ex: Users or Groups) that you want to find and select from in step 4G, and click on OK. (see screenshot below)
Name:  Add-3.jpg
Views: 3612
Size:  32.3 KB
F) Click on the Find Now button. (see screenshot below)
Name:  Add-4.jpg
Views: 3611
Size:  58.1 KB
G) In the bottom pane under Search results, select the user account name(s) and/or groups that you want to be allowed to shut down the computer, then click on OK. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed users (user account names) or group.
Take Ownership - Allow or Prevent Users and Groups To-add-5.jpg

Tip   Tip
To Only Allow Specific Administrators
  • You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.

H) Click on OK. (see screenshot below)
Name:  Add-6.jpg
Views: 3598
Size:  40.8 KB
I) Click on Apply. (see screenshot below)
Name:  Add-7.jpg
Views: 3592
Size:  45.0 KB
5. When finished, click on OK. (see screenshots below steps 3B and 4I)

6. Close the Local Security Policy window. (see screenshot below step 1)



OPTION TWO
Using an Elevated Command Prompt

NOTE: Be sure to write down changes you make to the user rights assignment so that you will know what you changed later. Please see the NOTE box at the top of the tutorial for the default user rights assignments.
1. If you have not already, click on the Download button below to download the ntrights.exe file originally from within the Windows Server 2003 Resource Kit Tools.
download

A) Save the ntrights.exe file to your desktop.

B) Right click on the ntrights.exe file, click on Properties, General tab, and click on the Unblock button if available. (see screenshot below)
NOTE: If you do not have a Unblock button under the General tab, then the file is already unblocked and you can continue on to step 1C.
Name:  Unblock.jpg
Views: 3623
Size:  71.2 KB
C) Right click on the ntrights.exe file and click on Move.

D) Open Windows Explorer and navigate to and open the C:\Windows\System32 folder, then Paste the ntrights.exe file to move it here.

E) If prompted, click on Continue and Yes to approve moving the ntrights.exe file into the System32 folder, then close the Windows Explorer window.
2. Open an elevated command prompt (Run as administrator).

3. Prevent Users or Groups to be able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to prevent.
ntrights -U "User or Group" -R SeTakeOwnershipPrivilege

Name:  CMD-Remove.jpg
Views: 3705
Size:  40.2 KB

Tip   Tip
To Only Prevent Specific Administrators
  • You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.

4. Allow Users or Groups to be able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to allow.
ntrights -U "User or Group" +R SeTakeOwnershipPrivilege

Name:  CMD-Add.jpg
Views: 3678
Size:  39.6 KB

Tip   Tip
To Only Allow Specific Administrators
  • You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.

5. When finished, close the elevated command prompt.
That's it,
Shawn




.

05 Dec 2010   #1
Combine

Windows 7 Ultimate 64 bits
 
 

But if the admin affected by this action go through the Local Security Policy and allow himself to Take Ownership of files or other objects????

My System SpecsSystem Spec
.

05 Dec 2010   #2
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

Hello Agustín,

Yes, an admin could do so, but only trusted people should be made admins.

This is mostly to be able to allow other groups or users other than admins to be able to Take Ownership though.
My System SpecsSystem Spec
06 Dec 2010   #3
Combine

Windows 7 Ultimate 64 bits
 
 

And there is a way to prevent other admins to take ownership? I mean the posibility of having a folder totally private that the permissions could not be modified after the taken ownership of that folder by another admin. Is that possible? I don't think so... by maybe there's a way, that is what I were looking into this tutorial.

By the way, the tutorial is really good.
My System SpecsSystem Spec
06 Dec 2010   #4
Brink
Microsoft MVP

64-bit Windows 8.1 Enterprise
 
 

You might try this below to keep the folder private.

http://www.sevenforums.com/tutorials...-software.html
My System SpecsSystem Spec
10 Dec 2010   #5
Combine

Windows 7 Ultimate 64 bits
 
 

Quote   Quote: Originally Posted by Brink View Post
You might try this below to keep the folder private.

http://www.sevenforums.com/tutorials...-software.html
I had read this post before. Is good, but here the trick is basic. It just allow a folder to be "seen" by the system as a protected operating system file, so if we uncheck the option refered to this in Folder Options and also the option that allow us to see the hidden files, the folder will appear on the screen.
My System SpecsSystem Spec
Comment

 Take Ownership - Allow or Prevent Users and Groups To




Tutorial Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 03:42 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33