Active Directory - Why change the owner of an object?

Daya 61 Reputation points
2022-04-19T12:25:25.063+00:00

When we click on the 'Advanced' button (Properties -> Security -> Advanced), there's an option that allows us to change who the object's owner is. I have two questions regarding this:

1. Who is an object's 'owner'? My search results say that an object's owner has FULL CONTROL of the object. I tried testing it - I have a user object called User1. I checked if the Domain Admins group (default owner) had full control of it - and it did. Then I changed the owner to User2. I refreshed everything and then checked if User2 had full control of User1 (also tried 'Effective Access') but it did not. The Domain Admins group still had Full Control of the object. So what exactly is the owner and why do the permissions not change to give the new owner full control?

2. Why would we want to change the owner? If the Domain Admins group has default ownership of user objects, why would we want to change the Owner? Could you please give me a few example instances where changing an object's owner would be necessary?

Thank you.

@Gary Reynolds I'm taking the liberty of tagging you here because you answered my other question so beautifully. Please help? Thank you :)

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other

Accepted answer
  1. Gary Reynolds 9,621 Reputation points
    2022-04-19T13:00:16.463+00:00

    Hi @Daya

    Ownership of an object provides the nominated group\user with the rights to modify the permissions, even if the group\user hasn't been provided permissions on the object. Normally the creator of the object will become the owner of the AD object; if the user is a member of the administrators group, then the ownership will be assigned to the domain admins.

    As the owner has the ability to modify permissions of an object, taking ownership of an object can be used to recover from a permissions issue. In the screenshot below the user has no permissions to the object; you can try and take ownership of the object to be able to see the assigned permissions.

    194309-image.png

    After the ownership has been assigned to the domain admins you can see what permissions have been assigned; in this case there are no permissions assigned.

    194257-image.png

    Have a look at the object ownership section in the following article.

    https://www.microsoftpressstore.com/articles/article.aspx?p=2231764&seqNum=3

    Gary.
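
The behaviour described in the accepted answer (the owner can always read and change the permissions, but holds no other rights unless an ACE grants them), modeled as an added example that is not code from this thread or from Microsoft. It is a simplified access check; the SIDs are constructed, and the OWNER RIGHTS case goes one step beyond what the answer covers.

```python
# Simplified model of the Windows access check (no inheritance, object ACEs or
# privileges). Mask values are the real constants; the SIDs are constructed.
READ_CONTROL = 0x00020000     # read the security descriptor
WRITE_DAC = 0x00040000        # modify the DACL (the permissions)
DS_FULL_CONTROL = 0x000F01FF  # "Full control" on a directory object
OWNER_RIGHTS = "S-1-3-4"      # well-known OWNER RIGHTS SID

DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"   # constructed
USER2 = "S-1-5-21-1111-2222-3333-1105"          # constructed


def effective_access(sd, token_sids):
    # sd is {"owner": sid, "dacl": [(ace_type, sid, mask), ...]} in stored order.
    sids = set(token_sids)
    is_owner = sd["owner"] in sids
    if is_owner:
        sids.add(OWNER_RIGHTS)  # ACEs for OWNER RIGHTS apply to the owner
    granted = denied = 0
    # The owner implicitly gets READ_CONTROL and WRITE_DAC, unless the DACL
    # carries an OWNER RIGHTS ACE, which replaces that implicit grant.
    if is_owner and all(sid != OWNER_RIGHTS for _, sid, _ in sd["dacl"]):
        granted = READ_CONTROL | WRITE_DAC
    for ace_type, sid, mask in sd["dacl"]:
        if sid not in sids:
            continue
        if ace_type == "allow":
            granted |= mask & ~denied   # first matching ACE wins per bit
        else:
            denied |= mask & ~granted
    return granted


def scenarios():
    """Masks for the cases discussed in the question and the answer."""
    user1 = {"owner": USER2, "dacl": [("allow", DOMAIN_ADMINS, DS_FULL_CONTROL)]}
    locked = {"owner": DOMAIN_ADMINS, "dacl": []}  # no permissions assigned
    limited = {"owner": USER2, "dacl": [("allow", OWNER_RIGHTS, READ_CONTROL)]}
    return {
        "user2_owner": effective_access(user1, [USER2]),
        "admins_ace": effective_access(user1, [DOMAIN_ADMINS]),
        "recovery": effective_access(locked, [DOMAIN_ADMINS]),
        "owner_rights": effective_access(limited, [USER2]),
    }


if __name__ == "__main__":
    for name, mask in scenarios().items():
        print(f"{name:13} 0x{mask:08X}")
```

`user2_owner` is the question's test (owner without an ACE), `recovery` is the empty-DACL object from the answer, and `owner_rights` shows an OWNER RIGHTS ACE narrowing what the owner receives.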
