Each file or folder on an NTFS volume has an owner, who controls permissions on the object and can assign permissions to others. The person who creates a new file is its initial owner.
To find out who owns a file or folder:
It is sometimes necessary to take ownership of a file or a folder. For example, if a user who owns a file will no longer be responsible for its maintenance, a system administrator can take ownership of the file and then allow another user to take ownership, or another user can take ownership of the file directly.
Figure 28-4. The Owner tab shows the current owner and those who can take ownership.
To take ownership of a file or folder, you must have Take Ownership permission for the file or folder. (Take Ownership is one of the permissions included in Full Control permission.) To obtain Take Ownership permission, the current owner, another user with Full Control permission, or a member of the Administrators group must give your account Full Control permission.
To take ownership of a file or folder:
Remember that a file can have only one owner. If you take ownership of a file, you take the ownership away from another user. However, it is also possible for a group to own a file. In that case, all members of the group have creator/owner access to the file.
Remember that the user who creates a file or folder is the owner of that file or folder (until ownership is taken by someone else). Although every member of the Administrators group has the power to take ownership of the file or folder, the owner always has the final say on who has access to the file.
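The ownership and Take Ownership rules described above can also be reviewed from PowerShell. The script below is an added example, not part of the original text: it lists the owner of every item under a folder and the accounts whose ACL entries grant Take Ownership. The folder path and sample file are constructed for the demonstration, and the script assumes a Windows system where the standard Get-Acl cmdlet is available.

```powershell
# Added example: audit ownership and Take Ownership rights under a folder.
# $Root is a constructed sample path; point it at the tree you want to review.
param([string]$Root = "$env:TEMP\OwnerAuditDemo")

# Build a small constructed sample tree so the script runs as-is.
if (-not (Test-Path -LiteralPath $Root)) {
    New-Item -ItemType Directory -Path $Root | Out-Null
    Set-Content -LiteralPath (Join-Path $Root 'report.txt') -Value 'sample'
}

$takeOwn = [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$report = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        # Reading the ACL can itself be denied; record that and move on.
        [pscustomobject]@{ Path = $item.FullName; Owner = '<access denied>'; CanTakeOwnership = '' }
        continue
    }
    # Full Control includes Take Ownership, so one bitwise test catches both.
    # Deny entries and ACEs expressed as raw generic rights are not evaluated here.
    $holders = $acl.Access |
        Where-Object { $_.AccessControlType -eq $allow -and
                       ($_.FileSystemRights -band $takeOwn) -eq $takeOwn } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Path             = $item.FullName
        Owner            = $acl.Owner          # may be a user or a group
        CanTakeOwnership = $holders -join '; '
    }
}

# One row per item: who owns it, and who is allowed to take it over.
$report | Format-Table -AutoSize -Wrap
```

The CanTakeOwnership column reflects only what the ACL grants. Members of the Administrators group can take ownership even when they are not listed there, because that ability comes from a user right rather than from the file's ACL.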
A User's View of Security

We've discussed the different features that are available to system administrators and file owners for setting file permissions. But how are everyday system users affected by security?
When a user attempts to perform an operation on a secured file, Windows checks the file's access control list. If the ACL allows access, the user's request is granted. However, if the user doesn't have access privileges to the file, the request is denied. The exact error message the user gets depends on which application is running, and what the user is trying to do. For example, an attempt to delete a protected file in Windows Explorer results in a dialog box message similar to the one shown below.
Don't be misled by the "source file may be in use," "disk is full," and other red-herring messages. The key here is "Access is denied."