How to reverse NTFS object ownership from administrators to object's creator -- and why

Requires Free Membership to View

More Windows systems management resources

Have your files and folders list your account as the object's owner.

Visit our Windows systems management and administration tools topical resource center.

Have you ever created an NTFS object, such as a file or folder, and then viewed that object's properties only to find the ownership is set to an Administrators group account and not your own individual account? This happens by default in circumstances when an administrator's personal user account has been added to the Administrators group account.

Microsoft created this default action on the assumption that administrative accounts are used only to administer the system and not for any individual purpose. However, you can reverse this behavior so your account is set as the default owner.

Why would you want to do that? Let's say, for some reason, you've added your personal account to either the local Administrators group or Active Directory Domain Administrators group. Further on down the road, you need to track the ownership of NTFS objects, like files or folders, in order to check disk quotas or verify security settings. If you leave the default object security options, the objects you have created will not be tied to your personal account. They will fall under the ownership of the administrators.

These six steps will change that behavior on a single system:

  1. Click Start, and then click Control Panel.

  2. In Control Panel, click Performance and Maintenance.

  3. Click Administrative Tools, and then double-click Local Security Policy.

  4. In the left pane of the Local Security Settings console, expand Local Policies, and then click Security Options.

  5. In the right pane of the Local Security Settings console, double-click System objects: Default owner for objects created by members of the Administrators group.

  6. Change the default from Administrators group to Object creator.

Note: If you are in an Active Directory domain, just go to the Group Policy Object you wish to modify and navigate to the same "Security Options --> System Objects" section.

About the Author: Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment. He is also an independent consultant who specializes in the design, implementation and management of Windows networks.

This was first published in September 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.