How to Allow or Prevent Users and Groups to be able to Take Ownership
Information
This will show you how to allow or prevent specific users and groups from being able to Take Ownership of items such as a file, folder, registry key, drive, or other objects in Vista, Windows 7, and Windows 8.
You will need to be logged in as administrator to be able to do this tutorial.
Note
Default Users and Groups Allowed to Take Ownership
NOTE: This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
On All Computers: Administrators
OPTION ONE
Through Local Security Policy
1. Open the Local Security Policy window, expand Local Policies in the left pane, and select User Rights Assignment. (see screenshot below)
2. In the right pane of User Rights Assignment, double click on Take ownership of files or other objects. (see screenshot above)
3. Prevent Listed Users or Groups to be able to Take Ownership
A) Select (highlight) listed user(s) and/or group(s) that you do not want to be allowed to take ownership anymore, then click on the Remove button. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed user and group.
Tip
To Only Prevent Specific Administrators
- You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.
B) Click on Apply. (see screenshot below)
4. Allow Users or Groups to be able to Take Ownership
A) Click on the Add User or Group button. (see screenshot above)
B) To Change the Location to Search for "Object Types"
NOTE: This is only if you wanted to search for object types to allow from a location other than your local computer. If you only want to search from your computer, then skip this step and go to step 4C.
- Click on the Locations button. (see screenshot below step 4C)
- Select a location, and click on OK. (see screenshot below)
C) Click on the Advanced button. (see screenshot below)
D) Click on the Object Types button. (see screenshot below)
E) Check all boxes for the "object types" (ex: Users or Groups) that you want to find and select from in step 4G, and click on OK. (see screenshot below)
F) Click on the Find Now button. (see screenshot below)
G) In the bottom pane under Search results, select the user account name(s) and/or groups that you want to be allowed to take ownership, then click on OK. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed user (user account name) or group.
Tip
To Only Allow Specific Administrators
- You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.
H) Click on OK. (see screenshot below)
I) Click on Apply. (see screenshot below)
5. When finished, click on OK. (see screenshots below steps 3B and 4I)
6. Close the Local Security Policy window. (see screenshot below step 1)
OPTION TWO
Using an Elevated Command Prompt
NOTE: Be sure to write down changes you make to the user rights assignment so that you will know what you changed later. Please see the NOTE box at the top of the tutorial for the default user rights assignments.
1. If you have not already, click on the Download button below to download the ntrights.bat file originally from within the Windows Server 2003 Resource Kit Tools.
Download
A) Save the ntrights.zip file to your desktop.
B) Unblock the ntrights.zip file.
C) Open the .zip file, and extract (drag and drop) the ntrights.exe file to your desktop.
D) Right click on the ntrights.exe file and click on Move.
E) Open Windows Explorer and navigate to and open the C:\Windows\System32 folder, then Paste the ntrights.exe file to move it here.
F) If prompted, click on Continue and Yes to approve moving the ntrights.exe file into the System32 folder, then close the Windows Explorer window.
2. Open an elevated command prompt (Run as administrator).
3. Prevent Users or Groups to be able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to prevent.
ntrights -U "User or Group" -R SeTakeOwnershipPrivilege
Tip
To Only Prevent Specific Administrators
- You will also need to remove the Administrators group in addition to step 3A first, then only add each administrator user account name in step 4A that you want to be able to take ownership.
4. Allow Users or Groups to be able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to allow.
ntrights -U "User or Group" +R SeTakeOwnershipPrivilege
Tip
To Only Allow Specific Administrators
- You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.
5. When finished, close the elevated command prompt.
That's it,
Shawn
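The NOTE in Option Two says to write down the changes you make. The following is an added example, not part of the original tutorial, that lists which accounts currently hold SeTakeOwnershipPrivilege so the assignment can be recorded before and checked after steps 3 and 4. It uses the built-in secedit export and PowerShell rather than ntrights; the function name Get-TakeOwnershipHolders and its -InfPath parameter are hypothetical names chosen for this example.

```powershell
# Added example (not from the tutorial). Run from an elevated PowerShell prompt.
# Get-TakeOwnershipHolders and -InfPath are hypothetical names chosen here.
function Get-TakeOwnershipHolders {
    param([string]$InfPath)   # optional: an existing secedit export to read

    $cleanup = $false
    if (-not $InfPath) {
        $InfPath = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
        # Export only the User Rights Assignment area of the local policy.
        secedit /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE). Is the prompt elevated?"
        }
        $cleanup = $true
    }

    try {
        $line = Get-Content -Path $InfPath |
            Where-Object { $_ -match '^\s*SeTakeOwnershipPrivilege\s*=' } |
            Select-Object -First 1
    } finally {
        if ($cleanup) { Remove-Item -Path $InfPath -ErrorAction SilentlyContinue }
    }

    # No line in the export means no account is assigned the right.
    if (-not $line) { return }

    $members = (($line -split '=', 2)[1]) -split ','
    foreach ($entry in $members) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = ''
        $name = $entry
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-...; resolve them to account names.
            $sid = $entry.Substring(1)
            try {
                $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
        }
        New-Object PSObject -Property @{ Name = $name; Sid = $sid }
    }
}

# Save the output (for example with Out-File) before and after using ntrights.
Get-TakeOwnershipHolders | Format-Table Name, Sid -AutoSize
```

With the default assignment listed in the Note box at the top, the only entry should be the Administrators group (SID S-1-5-32-544).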