NTFS user migration – Service user can’t set folder ownership
During a migration of user profiles at a customer’s site, we came across an interesting fact:
the user running the copy process became the owner of the folder at the target by default.
Our tool, however, was supposed to set the ownership back to the AD user who owned the folder before the migration.
We tested everything with an AD domain admin account and there was no problem, but with our service user there was.
Adding the service user to the Domain Admins group for the migration was of course not an option.
We checked the permissions our user had on the target and found them to be Full Control. Nevertheless, we received an error message when trying to set the owner of a file. The reason, as it turned out, was very simple.
Change ownership on NTFS folders by users
Setting the owner of files and folders has nothing to do with NTFS permissions on the file system. It is rather a privilege on the token of the user who authenticates against the target system.
The required access right is WRITE_OWNER, and it is contained in the privilege SE_RESTORE_NAME.
By default two security groups have this privilege:
- Local Administrators (which includes Domain Admins)
- Backup Operators
If a user should be able to change the ownership of directories but must not be a local (or domain) administrator, membership in the Backup Operators group is the easiest solution.
It is also possible to assign the privilege directly via Group Policy.
The setting is found in gpedit.msc under:
Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Restore files and directories
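The following PowerShell script is an added example and not the migration tool described in the post. It ties together the two points above: the owner can only be set to a foreign account when SeRestorePrivilege (the SE_RESTORE_NAME privilege) is held and enabled on the caller’s token, and a token only holds it when the account is in Administrators or Backup Operators or has been granted “Restore files and directories”. The script enables the privilege via AdjustTokenPrivileges, reports the ERROR_NOT_ALL_ASSIGNED case (the privilege was never granted, which is exactly the service user’s situation) with a pointer to the group membership or policy fix, and then sets the owner with Set-Acl. The function name Set-MigratedFolderOwner, the path 'D:\Profiles\jdoe' and the account 'CONTOSO\jdoe' are placeholders.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows; the P/Invoke definitions below are standard Win32.
$tokenPrivilegeSource = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenPrivilege
{
    [StructLayout(LayoutKind.Sequential)]
    private struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    private struct TOKEN_PRIVILEGES
    {
        public uint PrivilegeCount;   // always 1 here: we adjust a single privilege
        public LUID Luid;
        public uint Attributes;
    }

    private const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    private const uint TOKEN_QUERY             = 0x0008;
    private const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    private const int  ERROR_NOT_ALL_ASSIGNED  = 1300; // privilege not held by the token

    [DllImport("kernel32.dll")]
    private static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);

    // Enables the named privilege on the process token.
    // Returns false when the token does not hold the privilege at all
    // (ERROR_NOT_ALL_ASSIGNED); throws on any other Win32 failure.
    public static bool Enable(string privilege)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, privilege, out tp.Luid))
                throw new Win32Exception();
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception();
            // AdjustTokenPrivileges returns TRUE even when nothing was adjusted;
            // the real verdict is in the last-error value.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $tokenPrivilegeSource

function Set-MigratedFolderOwner {
    param(
        [Parameter(Mandatory)] [string] $Path,   # migrated folder on the target
        [Parameter(Mandatory)] [string] $Owner   # pre-migration owner, 'DOMAIN\user' form
    )
    # A Backup Operator's token holds SeRestorePrivilege but it is disabled by
    # default, so it must be enabled before the owner can be set to another SID.
    if (-not [TokenPrivilege]::Enable('SeRestorePrivilege')) {
        throw "This account does not hold SeRestorePrivilege. NTFS Full Control does not help; " +
              "add it to Backup Operators or grant 'Restore files and directories' via Group Policy."
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetOwner([System.Security.Principal.NTAccount] $Owner)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Return the owner as now stored on disk so the caller can verify it.
    (Get-Acl -LiteralPath $Path).Owner
}

# Example call with placeholder values:
# Set-MigratedFolderOwner -Path 'D:\Profiles\jdoe' -Owner 'CONTOSO\jdoe'
```

Before running the migration as the service user, `whoami /priv` shows whether SeRestorePrivilege is present on its token at all (it appears as Disabled until a process enables it); if the line is missing, the account lacks the user right and no change to the folder ACL will make ownership assignment work.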