How to Allow or Prevent Users and Groups to be able to Take Ownership
Information
This will show you how to allow or prevent specific users and groups from being able to Take Ownership of items such as a file, folder, registry key, drive, or other objects in Windows 7 and Vista.
You will need to be logged in as administrator to be able to do this tutorial.
Note
Default Users and Groups Allowed to Take Ownership NOTE:This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
On All Computers: Administrators
OPTION ONE
Through Local Security Policy
1. Open the Local Security Policy window, expand Local Policies in the left pane, and select User Rights Assignment. (see screenshot below)
2. In the right pane of User Rights Assignment, double click on Take ownership of files or other objects. (see screenshot above)
3. Prevent Listed Users or Groups to be able to Take Ownership
A) Select (highlight) listed user(s) and/or group(s) that you do not want to be allowed to shut down the computer anymore, then click on the Remove button. (see screenshot below) NOTE:You can press and hold the CTRL key to select more than one listed user and group.
Tip
To Only Prevent Specific Administrators
You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.
B) Click on Apply. (see screenshot below)
4. Allow Users or Groups to be able to Take Ownership
A) Click on the Add User or Group button. (see screenshot above)
B) To Change the Location to Search for "Object Types"
NOTE:This is only if you wanted to search for object types to allow from a location other than your local computer. If you only want to search from your computer, then skip this step and go to step 4C.
Click on the Locations button. (see screenshot below step 4C)
Select a location, and click on OK. (see screenshot below)
C) Click on the Advanced button. (see screenshot below)
D) Click on the Object Types button. (see screenshot below)
E) Check all boxes or the "object types" (ex: Users or Groups) that you want to find and select from in step 4G, and click on OK. (see screenshot below)
F) Click on the Find Now button. (see screenshot below)
G) In the bottom pane under Search results, select the user account name(s) and/or groups that you want to be allowed to shut down the computer, then click on OK. (see screenshot below) NOTE:You can press and hold the CTRL key to select more than one listed users (user account names) or group.
Tip
To Only Allow Specific Administrators
You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.
H) Click on OK. (see screenshot below)
I) Click on Apply. (see screenshot below)
5. When finished, click on OK. (see screenshots below steps 3B and 4I)
6. Close the Local Security Policy window. (see screenshot below step 1)
OPTION TWO
Using a Elevated Command Prompt
NOTE:Be sure to write down changes you make to the user rights assignment so that you will know what you changed later. Please see the NOTE box at the top of the tutorial for the default user rights assignments.
1. If you have not already, click on the Download button below to download the ntrights.exe file originally from within the Windows Server 2003 Resource Kit Tools.
A) Save the ntrights.exe file to your desktop.
B) Right click on the ntrights.exe file, click on Properties, General tab, and click on the Unblock button if available. (see screenshot below) NOTE:If you do not have a Unblock button under the General tab, then the file is already unblocked and you can continue on to step 1C.
C) Right click on the ntrights.exe file and click on Move.
D) Open Windows Explorer and navigate to and open the C:\Windows\System32 folder, then Paste the ntrights.exe file to move it here.
E) If prompted, click on Continue and Yes to approve moving the ntrights.exe file into the System32 folder, then close the Windows Explorer window.
3. Prevent Users or Groups to be able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below) NOTE:Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to prevent.
ntrights -U "User or Group" -R SeTakeOwnershipPrivilege
Tip
To Only Prevent Specific Administrators
You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.
4. Allow Users or Groups to be able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below) NOTE:Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to allow.
ntrights -U "User or Group" +R SeTakeOwnershipPrivilege
Tip
To Only Allow Specific Administrators
You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.
5. When finished, close the elevated command prompt.
And there is a way to prevent other admins to take ownership? I mean the posibility of having a folder totally private that the permissions could not be modified after the taken ownership of that folder by another admin. Is that possible? I don't think so... by maybe there's a way, that is what I were looking into this tutorial.
I had read this post before. Is good, but here the trick is basic. It just allow a folder to be "seen" by the system as a protected operating system file, so if we uncheck the option refered to this in Folder Options and also the option that allow us to see the hidden files, the folder will appear on the screen.
Information
Note
OPTION ONE 
Tip
Quote: Originally Posted by Brink 
I am trying to make users and groups with rights and permissions 
