Server 2012 delegate change folder ownership permission

Question

Okay, so here's the scenario.

I want some of our helpdesk users to be able to create and manage subfolders on one of our server shares WITHOUT giving them the rights or necessity to login to the server. Now, whilst the I can manage most of the NTFS permissions (they need to be able to see the root of the share and be able to create folders and assign rights on the subfolders they create) the bit I can't get is the ability to change ownership of a subfolder to another user. I keep getting "This security ID may not be assigned as the owner of this object". I've modified the local security policy for local policies/user rights assignment --> "Take ownership of files or other objects" to the relevant domain group but it doesn't work.

I can get around this by making the domain group a member of the server's local administrators group but this was pretty much what I was trying to avoid since membership of the local Administrators group gives so many other privleges.

Any ideas? (Disabling UAC etc is not what I'm looking for, I want to tighten security not abandon it.)

Pete

Answer 1

Hi,

I think i found the resolution on this issue.

Users who have the "Restore files and directories" privilege can assign ownership to any user or group.
We need to deploy the group policy for the users on computers where the folders located.
The policy is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\"Restore files and directories"

Once the policy apply, the user can assign the ownership to other users.
Best Regards,

Answer 2

Hi,

Welcome to share here!
I did a test in my lab too.
Even assign the user with the full permission , it can't change the owner to other users.
But the user itself can take the ownership of the files.

Best Regards,