Access rights - the owner can do anything

    Do the dog and cat users have the same access rights to the file (both are members of the Users group and do not belong to any other groups)?

    If you think that they are the same, then you should read this article to the end. Their rights are different!

    The reason is that, under the discretionary access control (DAC) model implemented in Windows, the owner of an object has the right to read and change its permissions. Even an explicit deny for the owner's account does not take precedence over the owner's rights.

    This behavior may go against the resource access policy and lead to unwanted or erroneous changes in access rights.

    In Windows Vista and Windows Server 2008, an Owner Rights account was introduced.

    A deny on reading and changing permissions set for this account takes precedence over the owner's rights.

    However, use this feature with caution: by making yourself the owner of a resource, you can end up unable to change its permissions. Such changes are reversible, because the administrator account cannot under any circumstances lose the ability to control permissions.
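
    The owner rule and the Owner Rights override described above, as a simplified Python model of the DACL walk. This is an added example, not code from the article or from Windows. The DACL contents, the choice of dog as owner, and the names standing in for SIDs are constructed assumptions; only S-1-3-4 (OWNER RIGHTS) and the two access-mask values are real.

```python
# Simplified model of the Windows DACL access check (added example, not Windows code).
READ_CONTROL = 0x00020000    # "read permissions"
WRITE_DAC = 0x00040000       # "change permissions"
FILE_READ_DATA = 0x00000001
OWNER_RIGHTS = "S-1-3-4"     # well-known SID of OWNER RIGHTS


def access_check(token_sids, owner, dacl, desired):
    """Return True if every bit of `desired` is granted.

    dacl is an ordered list of (ace_type, sid, mask) tuples.
    """
    is_owner = owner in token_sids
    remaining = desired
    # The owner implicitly gets READ_CONTROL and WRITE_DAC, but only when
    # the DACL carries no ACE for OWNER RIGHTS.
    if is_owner and all(sid != OWNER_RIGHTS for _, sid, _ in dacl):
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break
        # An OWNER RIGHTS ACE applies to whoever currently owns the object.
        if sid not in token_sids and not (sid == OWNER_RIGHTS and is_owner):
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
    return remaining == 0


# Constructed scenario: names stand in for real SIDs; dog owns the file.
DOG = {"dog", "Users"}
CAT = {"cat", "Users"}
PERMS = READ_CONTROL | WRITE_DAC
BASE_DACL = [
    ("deny", "dog", PERMS),
    ("deny", "cat", PERMS),
    ("allow", "Users", FILE_READ_DATA),
]
# Same DACL with an explicit deny for OWNER RIGHTS placed first.
HARDENED_DACL = [("deny", OWNER_RIGHTS, PERMS)] + BASE_DACL

if __name__ == "__main__":
    for name, dacl in (("base", BASE_DACL), ("hardened", HARDENED_DACL)):
        for user, token in (("dog", DOG), ("cat", CAT)):
            ok = access_check(token, "dog", dacl, WRITE_DAC)
            print(f"{name:8} {user}: change permissions -> {ok}")
```

    With the base DACL, dog can still change permissions despite the explicit deny, while cat cannot; with the OWNER RIGHTS deny in place, neither can.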
