There seems to be a lot of confusion on the Internet about what taking ownership of a securable object in Windows actually means. Many people expect it to grant full control of the object, but that is not the case.
The only special power conferred by being an object's owner is control over the object's DACL. The owner (or a member of the group that is the owner) can always read and write the access control list, even in the presence of Deny entries for those permissions. The write-DAC power can then be used, if desired, to grant Full Control to oneself or another, but just being the owner does no such thing.
Therefore, the "Take ownership" permission on an object is effectively Full Control; it just requires one more hoop to be jumped through. Administrators (or an account assigned SeTakeOwnershipPrivilege) can always take ownership of anything.
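
The Python sketch below is an added example, not code from the original post. It is a simplified model of the ordered DACL walk in which the owner receives READ_CONTROL and WRITE_DAC before any ACE is read, plus a helper an ACL review could use to treat "Take ownership" and write-DAC as the Full Control they lead to. It ignores privileges, inheritance, integrity levels and the OWNER RIGHTS SID; the principal names, the sample ACL and `reachable_access` are constructed for illustration.

```python
from dataclasses import dataclass

# Access-mask bits from the Windows SDK (winnt.h)
READ_DATA    = 0x000001   # FILE_READ_DATA
READ_CONTROL = 0x020000   # read the security descriptor
WRITE_DAC    = 0x040000   # rewrite the DACL
WRITE_OWNER  = 0x080000   # "Take ownership" permission
FULL_CONTROL = 0x1F01FF   # FILE_ALL_ACCESS

@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # constructed placeholder names, not real SIDs
    mask: int

@dataclass
class SecurableObject:
    owner: str
    dacl: list

def granted_access(obj, sids):
    """Maximum access the ordered DACL walk yields for a token's SIDs."""
    granted = denied = 0
    if obj.owner in sids:
        granted = READ_CONTROL | WRITE_DAC   # implicit, before any ACE is read
    for ace in obj.dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny":
            denied |= ace.mask & ~granted    # cannot revoke bits already granted
        else:
            granted |= ace.mask & ~denied
    return granted

def reachable_access(obj, user, groups=()):
    """Access an ACL review should assume: follow WRITE_OWNER, then WRITE_DAC."""
    sids = {user, *groups}
    o = SecurableObject(obj.owner, list(obj.dacl))   # model on a copy
    if granted_access(o, sids) & WRITE_OWNER:
        o.owner = user                               # ownership changes hands
    if granted_access(o, sids) & WRITE_DAC:
        o.dacl = [Ace("allow", user, FULL_CONTROL)]  # DACL can be rewritten
    return granted_access(o, sids)

# Constructed sample: alice owns the object but is denied everything,
# bob holds only "Take ownership", carol can only read data.
doc = SecurableObject("alice", [Ace("deny", "alice", FULL_CONTROL),
                                Ace("allow", "bob", WRITE_OWNER),
                                Ace("allow", "carol", READ_DATA)])
for who in ("alice", "bob", "carol"):
    print(who, hex(granted_access(doc, {who})), hex(reachable_access(doc, who)))
```

The first column is what each principal can do right now and the second is what the ACL lets them reach, which is the number to compare against intent when reviewing permissions.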