Object Management, Ownership, and Inheritance


Windows Server 2003 takes an object-based approach to describing resources and managing permissions. Objects that describe resources are defined on NTFS volumes and in Active Directory. With NTFS volumes, you can set permissions for files and folders. With Active Directory, you can set permissions for other types of objects, such as users, computers, and groups. You can use these permissions to control access with precision.

Objects and Object Managers

Whether defined on an NTFS volume or in Active Directory, each type of object has an object manager and primary management tools. The object manager controls object settings and permissions. The primary management tools are the tools of choice for working with the object. Objects, their managers, and management tools are summarized in Table 14-2.

Table 14-2. Windows Server 2003 Objects

| Object Type | Object Manager | Management Tool |
|---|---|---|
| Files and folders | NTFS | Windows Explorer |
| Shares | Server service | Windows Explorer; Computer Management |
| Registry keys | Windows registry | Registry Editor |
| Services | Service controllers | Security Configuration Tool Set |
| Printers | Print spooler | Printers in Control Panel |

Object Ownership and Transfer

It's important to understand the concept of object ownership. In Windows Server 2003, the object owner isn't necessarily the object's creator. Instead, the object owner is the person who has direct control over the object. Object owners can grant access permissions and give other users permission to take ownership of the object.

As an administrator, you can take ownership of objects on the network. This ensures that authorized administrators can't be locked out of files, folders, printers, and other resources. Once you take ownership of files, however, you can't return ownership to the original owner (in most cases). This prevents administrators from accessing files and then trying to hide the fact.

The way ownership is assigned initially depends on the location of the resource being created. In most cases, however, the Administrators group is listed as the current owner and the object's actual creator is listed as a person who can take ownership.

Ownership can be transferred in several ways:

  • If Administrators is initially assigned as the owner, the creator of the object can take ownership, provided he or she does this before someone else takes ownership.

  • The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership of the object.

  • An administrator can take ownership of an object, provided the object is under his or her administrative control.

To take ownership of an object, follow these steps:

  1. Start the management tool for the object. For example, if you want to work with files and folders, start Windows Explorer.

  2. Right-click the object you want to take ownership of.

  3. From the shortcut menu, select Properties, and then in the Properties dialog box select the Security tab.

  4. Display the Access Security Settings dialog box by clicking the Advanced button. Then select the Owner tab, shown in Figure 14-9.

    Figure 14-9. Use the Owner tab to change ownership of a file.

  5. Click the new owner in the Change Owner To list box, and then click OK.

    Tip

    If you're taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects check box. This option also works with objects that contain other objects. Here, you'd take ownership of all child objects.


Object Inheritance

Objects are defined using a parent-child structure. A parent object is a top-level object. A child object is an object defined below a parent object in the hierarchy. For example, the folder C:\ is the parent of the folders C:\data and C:\backups. Any subfolders created in C:\data or C:\backups are children of these folders and grandchildren of C:\.

Child objects can inherit permissions from parent objects. In fact, all Windows Server 2003 objects are created with inheritance enabled by default. This means that child objects automatically inherit the permissions of the parent. Because of this, the parent object permissions control access to the child object. If you want to change permissions on a child object, you must do one of the following:

  • Edit the permissions of the parent object.

  • Stop inheriting permissions from the parent object, and then assign permissions to the child object.

  • Select the opposite permission to override the inherited permission. For example, if the parent allows the permission, you'd deny it on the child object.

To start or stop inheriting permissions from a parent object, follow these steps:

  1. Start the management tool for the object. For example, if you want to work with files and folders, start Windows Explorer.

  2. Right-click the object you want to work with.

  3. From the shortcut menu, select Properties, and then in the Properties dialog box select the Security tab.

  4. Display the Access Security Settings dialog box by clicking Advanced.

  5. In the Permissions tab, select or clear Allow Inheritable Permissions From The Parent To Propagate To This Object as appropriate. Click OK.
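
A read-only check of the ownership and inheritance settings described in the two sections above, as an added example that is not from the book. It lists every file and folder under a root whose owner differs from an expected one, whose inheritance from the parent has been stopped, or which carries an explicit Deny entry. The path `C:\data`, the expected owner, and the function name `Get-AclAuditRecord` are assumptions, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: read-only audit of owner and inheritance state under a folder.
# $Root and $ExpectedOwner are assumptions; adjust them for your environment.
param(
    [string]$Root = 'C:\data',
    [string]$ExpectedOwner = 'BUILTIN\Administrators'
)

function Get-AclAuditRecord {
    param([Parameter(Mandatory = $true)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Unreadable security descriptor: report it instead of skipping it.
        return [pscustomobject]@{
            Path = $Path; Owner = $null; InheritanceBlocked = $null
            ExplicitDeny = $null; Error = $_.Exception.Message
        }
    }

    # Explicit (non-inherited) Deny entries are the "opposite permission"
    # overrides set directly on a child object.
    $deny = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Deny'
    })

    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        # True when the object no longer inherits permissions from its parent.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExplicitDeny       = ($deny | ForEach-Object {
            "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        Error              = $null
    }
}

# Folders that cannot be enumerated are skipped by Get-ChildItem here.
$items = @($Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force `
    -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

# Keep only the objects that deviate from the default (inherited) state.
$items | ForEach-Object { Get-AclAuditRecord -Path $_ } |
    Where-Object {
        $_.Error -or $_.InheritanceBlocked -or $_.ExplicitDeny -or
        ($_.Owner -ne $ExpectedOwner)
    } |
    Format-Table -AutoSize -Wrap
```

The script only calls `Get-Acl`, so it changes nothing; run it with an account that can read the security descriptors under the root.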



Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
EAN: N/A
Year: 2003
Pages: 141
