Windows 7 - Take Ownership - Allow or Prevent Users and Groups To

   Information

This will show you how to allow or prevent specific users and groups from being able to Take Ownership of items such as a file, folder, registry key, drive, or other objects in Windows 7 and Vista.

You will need to be logged in as administrator to be able to do this tutorial.

   Note

Default Users and Groups Allowed to Take Ownership
NOTE: This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

On All Computers: Administrators

1. Open the Local Security Policy window, expand Local Policies in the left pane, and select User Rights Assignment. (see screenshot below)

2. In the right pane of User Rights Assignment, double click on Take ownership of files or other objects. (see screenshot above)

3. Prevent Listed Users or Groups to be able to Take Ownership

A) Select (highlight) listed user(s) and/or group(s) that you do not want to be allowed to shut down the computer anymore, then click on the Remove button. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed user and group.

   Tip

To Only Prevent Specific Administrators

• You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.

B) Click on Apply. (see screenshot below)

4. Allow Users or Groups to be able to Take Ownership

A) Click on the Add User or Group button. (see screenshot above)

B) To Change the Location to Search for "Object Types"

NOTE: This is only if you wanted to search for object types to allow from a location other than your local computer. If you only want to search from your computer, then skip this step and go to step 4C.

• Click on the Locations button. (see screenshot below step 4C)
• Select a location, and click on OK. (see screenshot below)

C) Click on the Advanced button. (see screenshot below)

D) Click on the Object Types button. (see screenshot below)

E) Check all boxes or the "object types" (ex: Users or Groups) that you want to find and select from in step 4G, and click on OK. (see screenshot below)

F) Click on the Find Now button. (see screenshot below)

G) In the bottom pane under Search results, select the user account name(s) and/or groups that you want to be allowed to shut down the computer, then click on OK. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed users (user account names) or group.

   Tip

To Only Allow Specific Administrators

• You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.

H) Click on OK. (see screenshot below)

I) Click on Apply. (see screenshot below)

5. When finished, click on OK. (see screenshots below steps 3B and 4I)

6. Close the Local Security Policy window. (see screenshot below step 1)

1. If you have not already, click on the Download button below to download the ntrights.exe file originally from within the Windows Server 2003 Resource Kit Tools.

A) Save the ntrights.exe file to your desktop.

B) Right click on the ntrights.exe file, click on Properties, General tab, and click on the Unblock button if available. (see screenshot below)
NOTE: If you do not have a Unblock button under the General tab, then the file is already unblocked and you can continue on to step 1C.

C) Right click on the ntrights.exe file and click on Move.

D) Open Windows Explorer and navigate to and open the C:\Windows\System32 folder, then Paste the ntrights.exe file to move it here.

E) If prompted, click on Continue and Yes to approve moving the ntrights.exe file into the System32 folder, then close the Windows Explorer window.

2. Open a elevated command prompt (Run as administrator).

3. Prevent Users or Groups to be able to Take Ownership

A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to prevent.

ntrights -U "User or Group" -R SeTakeOwnershipPrivilege

   Tip

To Only Prevent Specific Administrators

• You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.

4. Allow Users or Groups to be able to Take Ownership

A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to allow.

ntrights -U "User or Group" +R SeTakeOwnershipPrivilege

   Tip

To Only Allow Specific Administrators

• You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.

5. When finished, close the elevated command prompt.