I am planning to give the "change permissions" (WDAC) permission to a user. However, I came across this (WO) permission, which represents "take ownership". What is the difference between the two? Can a user with the (WDAC) permission still change permissions without having the (WO) permission set?
2 Answers
These are two very different permissions.
The WO verb does "Write owner", whereby you take ownership of the object. The owner of course has full permissions including the write-DAC permission.
To change the access lists for the folder requires the user to have the write-DAC permission (WRITE_DAC — WDAC). At least one user (the owner of the object) has the permission to modify the DACL.
So, yes, a user with the write-DAC permission can change most permissions without being the owner.
What is the difference between the two?
WO refers to the file's "owner" parameter, which is a completely separate field from DACL entries (though still part of the ACL structure overall). It does not refer to being able to edit the 'CREATOR OWNER' ACL entry.
The file's owner implicitly has WDAC rights (but not full permissions – everything else has to be granted through a standard ACE). Additionally, when disk quotas are enabled, space consumed by the file is accounted to its owner's quota, which is another reason setting the file's owner is a separate permission.
Note that having WO permissions doesn't imply WDAC – to get WDAC you would still need to set yourself as the owner first.
Can a user with the (WDAC) permission still change permissions without having the (WO) permission set?
Yes, they can change all DACL entries.
Additional note: If something works even though it seems like it shouldn't (especially if certain PowerShell cmdlets let you do things contrary to the file's DACL), usually that's because it was done through system-wide privileges.
For example, "Take Ownership" isn't necessarily done through having WO permissions – it can also be done using the system-wide SeTakeOwnership privilege which all administrators have.
Administrators also have the system-wide SeBackupPrivilege and SeRestorePrivilege; when those privileges are activated, that process can bypass the DACL for most operations. For example, when you try to delete something in PowerShell, it raises SeRestorePrivilege to bypass any ACLs that'd prevent you from deleting it.
As another example, neither the WO permission nor SeTakeOwnershipPrivilege let you set arbitrary accounts as the file's owner – they both only allow you to claim the file for yourself. So when you use Explorer's GUI or icacls /setowner to set someone else as the new owner, that's actually done by relying on SeRestorePrivilege to set arbitrary ACLs.
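As an added example (not code from the question or either answer), the script below grants one account WRITE_DAC (`ChangePermissions`) with no WRITE_OWNER (`TakeOwnership`), then lists every Allow ACE in the tree that carries either right so the result can be checked against the answers above. The path and account name are placeholders; run it elevated against a test folder.

```powershell
# Added example: grant WRITE_DAC alone, then audit for WRITE_DAC / WRITE_OWNER ACEs.
param(
    [string]$Root    = 'C:\Share\Projects',   # placeholder path
    [string]$Account = 'CONTOSO\user'          # placeholder account
)
$FSR        = [System.Security.AccessControl.FileSystemRights]
$WriteDac   = $FSR::ChangePermissions   # WRITE_DAC,   0x40000
$WriteOwner = $FSR::TakeOwnership       # WRITE_OWNER, 0x80000

function Grant-WriteDacOnly {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -LiteralPath $Path
    # Allow ACE carrying only WRITE_DAC, inherited by subfolders and files.
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $WriteDac, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Find-DacAndOwnerRights {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs grant nothing
            # Only specific rights are decoded; generic rights (GENERIC_ALL etc.) show up
            # as raw numbers in FileSystemRights and are not matched here.
            $hasWdac = ($ace.FileSystemRights -band $WriteDac)   -eq $WriteDac
            $hasWo   = ($ace.FileSystemRights -band $WriteOwner) -eq $WriteOwner
            if (-not ($hasWdac -or $hasWo)) { continue }
            [pscustomobject]@{
                Path       = $item.FullName
                Owner      = $acl.Owner        # holds WRITE_DAC implicitly, ACEs or not
                Principal  = $ace.IdentityReference.Value
                WriteDac   = $hasWdac
                WriteOwner = $hasWo
                Inherited  = $ace.IsInherited
            }
        }
    }
}

Grant-WriteDacOnly -Path $Root -Identity $Account
Find-DacAndOwnerRights -Path $Root | Format-Table -AutoSize
```

Administrators and the current owner will still appear in the output with both rights through existing ACEs, which is expected; the placeholder account should show `WriteDac` true and `WriteOwner` false.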
Thanks for the answers! However, I am now wondering, what is the true purpose of `WO` then? Other than the disk's quota being tied to the owner's quota, what other major features are there when having `WO` permission? Also, my intention is to just allow `user` to change permissions with `WDAC`. So, if I'm reading your answers correctly, it seems that I can set `WDAC` alone without additionally setting `WO` to enable it? – kiwidude89 Aug 11 '22 at 05:07
I assume its purpose is to separate admin duties (e.g. taking ownership to claim files belonging to past employees) – e.g. admin A manages this section of the fileserver, admin B manages that other section, etc., so with `WO` being granted they can take ownership of files on their section, but can't touch anything else. – u1686_grawity Aug 11 '22 at 05:12