
I have an application that needs to be able to change the owner of certain files. The application runs under a domain service account (with local admin rights to the application server, but not the rest of the domain). I have the ability to call VBS and JavaScript from the application (and can therefore shell out to ICACLS), but it appears the service account needs to be either 1) an admin or 2) a backup operator on the file share server. The customer is not going to go for that. Is there some other way to grant permissions to this service account so it can change the file owner in specific folders only?

To clarify: a scanning application is running under a domain service account on an application server. This scanning application accepts files from users at scanners, copiers, web portals etc. and delivers those files to specified network locations. The scanning application identifies the user at scan time and needs to be able to change the ownership of the scanned files from the service account to the identified user. The application is not capturing the user's password at scan time, so impersonation is not an option when delivering the file to the network location.

JohnH

1 Answer


When a user creates a file or folder, Windows usually assigns "Full Control" permissions to the creator/owner. Full Control allows the user to assign permissions to other users for the files he or she creates.

If the ownership of a file or folder needs to be changed, you can replace the existing owner with your own account or with one of the groups you are a member of.

You must have Full Control or the permission (NTFS ACL) Take Ownership to be able to change the ownership of a file or folder.

Users who have the "Restore files and directories" privilege (like Backup Operators) can assign ownership to any user or group at any time.

bjoster
  • Thank you very much. Is it possible to assign the Restore Files privilege to a user only for specific folders? (so they can only change ownership of files within designated folder structures?) perhaps by specifically denying that account permissions to any other folder object? – JohnH Dec 04 '20 at 21:36
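An added PowerShell example, not from the original post or answer, illustrating the two points the answer makes: a "Take Ownership" ACE scoped to one folder tree (the least-privilege alternative to Backup Operators), and why an owner change to a different user still fails when the caller's token lacks the "Restore files and directories" privilege. The folder path, service account and target user are placeholders.

```powershell
# Added example (not the original poster's code). All names are placeholders.
param(
    [string]$Folder      = 'D:\Scans\Inbox',    # hypothetical share folder
    [string]$ServiceAcct = 'CONTOSO\svc-scan',  # hypothetical service account
    [string]$TargetUser  = 'CONTOSO\jdoe'       # hypothetical identified scan user
)

# 1. Scoped grant (run as an administrator of the file server): allow the
#    service account "Take Ownership" on this folder tree only, with inheritance,
#    instead of making it a Backup Operator for the whole server.
$acl  = Get-Acl -Path $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $ServiceAcct,
    [System.Security.AccessControl.FileSystemRights]::TakeOwnership,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. Check what the current token holds. "Restore files and directories" is
#    SeRestorePrivilege; without it, SetOwner may only name the caller itself
#    or a group the caller belongs to (the Take Ownership ACE does not change that).
$hasRestore = [bool]((whoami /priv) -match 'SeRestorePrivilege')
Write-Host "SeRestorePrivilege present in token: $hasRestore"

# 3. The owner change the scanning application needs (run as the service account).
function Set-ScanFileOwner {
    param([string]$Path, [string]$Owner)
    try {
        $fileAcl = Get-Acl -Path $Path
        $fileAcl.SetOwner([System.Security.Principal.NTAccount]$Owner)
        Set-Acl -Path $Path -AclObject $fileAcl
        return $true
    } catch {
        # Expected when $Owner is another user and the token lacks SeRestorePrivilege:
        # "The security identifier is not allowed to be the owner of this object."
        Write-Warning "Owner change to $Owner failed: $($_.Exception.Message)"
        return $false
    }
}

# Taking ownership for the service account itself succeeds with the scoped ACE;
# assigning it to $TargetUser succeeds only when step 2 reported the privilege.
Set-ScanFileOwner -Path (Join-Path $Folder 'sample.pdf') -Owner $ServiceAcct
Set-ScanFileOwner -Path (Join-Path $Folder 'sample.pdf') -Owner $TargetUser
```

Steps 1 and 3 run under different accounts (an administrator, then the service account), so run them as separate invocations in practice.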