I have an application that needs to be able to change the owner of certain files. The application runs under a domain service account (with local admin rights to the application server, but not the rest of the domain). I have the ability to call VBS and JavaScript from the application (and can therefore shell for ICACLS use), but it appears the service account needs to be either 1) an admin or 2) a backup operator on the file share server. Customer is not going to go for that. Is there some other way to grant permissions to this service account to be able to change the file owner in specific folders only?
To clarify: A scanning application is running under a domain service account on an application server. This scanning application accepts files from users at scanners, copiers, web portals, etc. and delivers those files to specified network locations. The scanning application identifies the user at scan time and needs to be able to change the ownership of the scanned files from the service account to the identified user. The application is not capturing the user's password at scan time, so impersonation is not an option when delivering the file to the network location.