I am logged in as administrator and I right click on a folder and then go to properties, then the security tab, then advanced, then the owner tab. I am not on a domain.
I see that the folder has a group ownership of administrators.
I change this ownership of this item and all subitems to the user administrator. I verified and all subitems do indeed now have the ownership of administrator.
But then I try to create a new txt file inside that folder, and when I go to see what the ownership is on it, it is administrators. I expected the new ownership to inherit the ownership from its parent item or take it from me the logged on user administrator.
What can be done to solve this problem so that new files I create when logged on with administrator will create them with an owner of administrator instead of administrators?
Update: This GP setting is no longer available starting with Vista/Server 2008. https://support.microsoft.com/en-us/kb/947721
Have a look in Group Policy for the setting "System objects: Default owner for objects created by members of the Administrators group". It's located under:
When this setting is enabled members of the "Administrators" group will have objects they create set with the owner "Administrators".
To be honest, I'm not immediately sure on Microsoft's rationale for this behaviour, except to say that it would allow for a common ability to reset permissions on objects w/o taking ownership by all "Administrators". I'd guess that was the intent. I'd be interested to see if anybody has a link to an explicit statement of purpose on this setting from Microsoft.
I noticed that this setting's default differs between Windows XP and Windows Server 2003 (here's an article from Microsoft on it http://support.microsoft.com/kb/318825), but I still don't see a statement of purpose behind why you would want things set one way versus the other.
The difference between XP and Vista/7 default ownership settings relates to the introduction of UAE (better security). Under UAE an administrator is effectively demoted to a limited user account, thereby restricting any administrator account's ability to change OS settings for files not owned by it. When UAE detects a change requiring administrative privileges, it prompts the user to escalate the account's security token to the increased privileges offered by the account's role as an administrator. You can either decline or accept the UAE request. Unfortunately, even when running with UAE, a demoted administrative account can still affect OS settings by changing files it owns. Ownership of a resource grants full access to this resource even when other permission settings do not. To circumvent this security hole, Vista/7 files created by any specific administrator are now owned by the Administrators group. Therefore individual administrators can no longer change any files without first being promoted to the administrators group.
Before UAE in Vista/7 you could effectively simulate this scheme by using a program called "Drop My Rights". It was developed by a MS engineer and freely distributed by MS. However, before installing the program, you needed to change the registry settings to establish the default Administrator owner to be the Administrators group, so future program installs would set the Administrators group as the owner, as well as alter the file ownership of files in the Windows and Program File directories using the subinacl.exe utility to change the ownership of existing files to the Administrators group.
I would not change the default owner setting unless you wish to introduce a security vulnerability.
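Added example, not part of either answer above: a PowerShell check that prints the default owner SID carried by the current access token, creates a probe file to confirm new files receive that owner, and lists items under a folder that are not owned by BUILTIN\Administrators. The default folder (`%TEMP%`) and the probe file name are assumptions made for the example.

```powershell
# Added example. Assumptions: the folder to inspect (default: %TEMP%) and the
# probe file name are illustrative; run it once elevated and once non-elevated.
param([string]$Path = $env:TEMP)

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-OwnerSid([string]$LiteralPath) {
    # Read the owner from the item's security descriptor as a SID.
    (Get-Acl -LiteralPath $LiteralPath).GetOwner([System.Security.Principal.SecurityIdentifier])
}

function Resolve-SidName($Sid) {
    # Translate a SID to DOMAIN\name; fall back to the raw SID if it cannot be resolved.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

# 1. The owner SID in the current access token is the default owner for new objects.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"User SID in token : {0} ({1})" -f $identity.User.Value,  (Resolve-SidName $identity.User)
"Default owner SID : {0} ({1})" -f $identity.Owner.Value, (Resolve-SidName $identity.Owner)

# 2. Create a probe file and confirm it received the token's default owner.
$probe = Join-Path $Path ("owner-probe-{0}.txt" -f [guid]::NewGuid())
New-Item -ItemType File -Path $probe | Out-Null
try {
    $probeOwner = Get-OwnerSid $probe
    "Probe file owner  : {0} ({1})" -f $probeOwner.Value, (Resolve-SidName $probeOwner)
    "Matches token     : {0}" -f ($probeOwner.Value -eq $identity.Owner.Value)
}
finally { Remove-Item -LiteralPath $probe -Force }

# 3. List items under $Path whose owner is not the Administrators group.
Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try { $owner = Get-OwnerSid $_.FullName } catch { return }   # skip unreadable items
        if ($owner.Value -ne $AdminsSid) {
            [pscustomobject]@{ Owner = Resolve-SidName $owner; Path = $_.FullName }
        }
    }
```

Comparing the "Default owner SID" line between an elevated and a non-elevated session shows which principal will own files created from each.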