Take Ownership - Allow or Prevent Users and Groups To

How to Allow or Prevent Users and Groups to be able to Take Ownership

   Information
This will show you how to allow or prevent specific users and groups from being able to Take Ownership of items such as a file, folder, registry key, drive, or other objects in Vista, Windows 7, and Windows 8.

You must be logged in as an administrator to do this tutorial.

   Note
Default Users and Groups Allowed to Take Ownership
NOTE: This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

On All Computers: Administrators






OPTION ONE

Through Local Security Policy


1. Open the Local Security Policy window, expand Local Policies in the left pane, and select User Rights Assignment. (see screenshot below)
Step1.jpg
2. In the right pane of User Rights Assignment, double click on Take ownership of files or other objects. (see screenshot above)

3. Prevent Listed Users or Groups from Being Able to Take Ownership
A) Select (highlight) the listed user(s) and/or group(s) that you no longer want to be allowed to take ownership, then click on the Remove button. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed user and group.
Step2.jpg


   Tip
To Only Prevent Specific Administrators
  • You will also need to remove the Administrators group in step 3A first, then in step 4A add only the administrator user account names that you want to be able to take ownership.
B) Click on Apply. (see screenshot below)
Step3.jpg
4. Allow Users or Groups to be able to Take Ownership
A) Click on the Add User or Group button. (see screenshot above)

B) To Change the Location to Search for "Object Types"


NOTE: This is only needed if you want to search for object types to allow from a location other than your local computer. If you only want to search from your computer, then skip this step and go to step 4C.
  • Click on the Locations button. (see screenshot below step 4C)
  • Select a location, and click on OK. (see screenshot below)
Location-1.jpg
C) Click on the Advanced button. (see screenshot below)
Add-1.jpg
D) Click on the Object Types button. (see screenshot below)
Add-2.jpg
E) Check the boxes for the "object types" (ex: Users or Groups) that you want to find and select from in step 4G, and click on OK. (see screenshot below)
Add-3.jpg
F) Click on the Find Now button. (see screenshot below)
Add-4.jpg
G) In the bottom pane under Search results, select the user account name(s) and/or group(s) that you want to be allowed to take ownership, then click on OK. (see screenshot below)
NOTE: You can press and hold the CTRL key to select more than one listed user (user account name) or group.
Add-5.jpg


   Tip
To Only Allow Specific Administrators
  • You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.
H) Click on OK. (see screenshot below)
Add-6.jpg
I) Click on Apply. (see screenshot below)
Add-7.jpg
5. When finished, click on OK. (see screenshots below steps 3B and 4I)

6. Close the Local Security Policy window. (see screenshot below step 1)



OPTION TWO

Using an Elevated Command Prompt


NOTE: Be sure to write down changes you make to the user rights assignment so that you will know what you changed later. Please see the NOTE box at the top of the tutorial for the default user rights assignments.
1. If you have not already, click on the Download button below to download the ntrights.bat file originally from within the Windows Server 2003 Resource Kit Tools.

Download



A) Save the ntrights.zip file to your desktop.

B) Unblock the ntrights.zip file.

C) Open the .zip file, and extract (drag and drop) the ntrights.exe file to your desktop.

D) Right click on the ntrights.exe file and click on Move.

E) Open Windows Explorer and navigate to and open the C:\Windows\System32 folder, then Paste the ntrights.exe file to move it here.

F) If prompted, click on Continue and Yes to approve moving the ntrights.exe file into the System32 folder, then close the Windows Explorer window.
2. Open an elevated command prompt (Run as administrator).

3. Prevent Users or Groups from Being Able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to prevent.
ntrights -U "User or Group" -R SeTakeOwnershipPrivilege

CMD-Remove.jpg


   Tip
To Only Prevent Specific Administrators
  • You will also need to remove the Administrators group in step 3A first, then in step 4A add only the administrator user account names that you want to be able to take ownership.
4. Allow Users or Groups to be able to Take Ownership
A) In the elevated command prompt type in the command below and press enter. (see screenshot below)
NOTE: Substitute User or Group in the command below with the actual user account name (ex: Users) or group name within quotes that you want to allow.
ntrights -U "User or Group" +R SeTakeOwnershipPrivilege

CMD-Add.jpg


   Tip
To Only Allow Specific Administrators
  • You will need to remove the Administrators group in step 3A first, then add each administrator user account name that you want to be able to take ownership.
5. When finished, close the elevated command prompt.
That's it,
Shawn
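
To record the current assignment before changing it, as the NOTE in Option Two advises, this added example (not part of the original tutorial) exports the local user rights with secedit and lists the accounts that hold SeTakeOwnershipPrivilege. The function name Get-UserRightHolder and the temporary file name are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: list the accounts that hold a user right in the local policy.
function Get-UserRightHolder {
    param([string]$Right = 'SeTakeOwnershipPrivilege')

    # Hypothetical temp file name; secedit writes the exported policy here.
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

        # The [Privilege Rights] section holds lines such as:
        #   SeTakeOwnershipPrivilege = *S-1-5-32-544
        $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
        $line = Get-Content -LiteralPath $cfg |
            Where-Object { $_ -match $pattern } | Select-Object -First 1
        if (-not $line) { return }    # the right is assigned to no one

        $entries = ($line -split '=', 2)[1] -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sid = $null
            $name = $entry              # secedit wrote a plain account name
            if ($entry.StartsWith('*')) {
                # A leading * marks a SID; translate it back to an account name
                $sid = $entry.Substring(1)
                try {
                    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = '<unresolved SID>'   # e.g. a deleted account
                }
            }
            New-Object PSObject -Property @{ Right = $Right; Account = $name; Sid = $sid }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightHolder | Select-Object Right, Account, Sid | Format-Table -AutoSize
```

Saving this output before and after a change gives a record of exactly which accounts were added or removed.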





 

But if the admin affected by this action goes through the Local Security Policy and allows himself to Take Ownership of files or other objects????
 

Hello Agustín,

Yes, an admin could do so, but only trusted people should be made admins.

This is mostly to be able to allow other groups or users other than admins to be able to Take Ownership though.
 

And is there a way to prevent other admins from taking ownership? I mean the possibility of having a folder totally private, whose permissions could not be modified after another admin takes ownership of that folder. Is that possible? I don't think so... but maybe there's a way; that is what I was looking for in this tutorial.

By the way, the tutorial is really good. ;)
 

Thanks, again! I always have to come back to get this when installing a new hard drive! :thumbsup:
 

:thumbsup:
 

I keep getting this error:

Code:
C:\WINDOWS\system32>ntrights -U "User or Group" +R SeTakeOwnershipPrivilege
 Granting SeTakeOwnershipPrivilege to User or Group   ... failed (GetAccountSid(User or Group)=1332
 

Hello, :-)

You will need to substitute "User or Group" in the command with an actual user account name or group name instead.
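
Error 1332 is the Win32 code ERROR_NONE_MAPPED (no mapping between account names and security IDs), which is what ntrights reports when the name after -U is not a real account. As an added example (not from the original thread), this PowerShell wrapper resolves the name to a SID first and only then calls ntrights; the function names Resolve-AccountSid and Set-TakeOwnershipRight are hypothetical, and ntrights.exe is assumed to be in System32 as in step 1 of Option Two.

```powershell
# Added example: check that an account name maps to a SID before calling ntrights.
function Resolve-AccountSid {
    param([Parameter(Mandatory = $true)][string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # No mapping between the name and a SID (IdentityNotMappedException)
        return $null
    }
}

function Set-TakeOwnershipRight {
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        [ValidateSet('Grant', 'Revoke')][string]$Action = 'Grant'
    )
    $sid = Resolve-AccountSid $Account
    if (-not $sid) {
        Write-Warning "'$Account' is not a known user or group; ntrights would fail with 1332."
        return
    }
    # +R grants and -R revokes, as in steps 4A and 3A of Option Two
    $flag = '-R'
    if ($Action -eq 'Grant') { $flag = '+R' }
    Write-Host "$Action SeTakeOwnershipPrivilege for $Account ($sid)"
    ntrights -U $Account $flag SeTakeOwnershipPrivilege | Out-Host
}

# The tutorial's literal placeholder does not resolve, so ntrights is never called:
Set-TakeOwnershipRight -Account 'User or Group' -Action Grant
```

Built-in group names are localized, so on a non-English Windows installation a name such as Administrators may also fail to resolve.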
 
