Changing ownership
I have a need to change ownership of a file on a machine to a group or user that does not have local admin rights on that machine. The background is I want to restrict all users from running a file from the command line. It runs as a service.
I took all the permissions off the file except for SYSTEM and the service still starts OK.
However, the problem is a user with local admin can elevate their permissions, I assume because they are a member of the local admins group, which has ownership. I can't take them out of local admins; it's mandatory. I thought I could change ownership of the file.
1. Will this block them from elevating their permissions to the file?
2. How do I script the change of ownership?
Thanks.
January 11th, 2011 7:46pm
On Wed, 12 Jan 2011 00:42:49 +0000, Gunna wrote:
> 1. Will this block them from elevating their permissions to the file?
No. There's nothing you can do here; if your users remain local admins, they
can do pretty much whatever they want.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
Real time: Here and now, as opposed to fake time, which only occurs there
and then.
January 12th, 2011 1:21am
Hi,
Thank you for your post here.
Yes, I think assigning a new ownership on the file will prevent the user with administrative privilege from modifying permissions. You may refer to the following article to script the changing of file/folder ownership.
How Can I Take Ownership of a File or Folder By Using a Script?
http://blogs.technet.com/b/heyscriptingguy/archive/2006/01/11/how-can-i-take-ownership-of-a-file-or-folder-by-using-a-script.aspx
January 12th, 2011 1:41am
On Wed, 12 Jan 2011 06:41:17 +0000, Miles Li wrote:
> Yes, I think assigning a new ownership on the file will prevent the user with administrative privilege from modifying permissions.
Sorry but no it won't. A local administrator, even if they are not the
owner of the file, can still take ownership and once they do so, can then
modify permissions.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Want custom ringtones on your Windows Phone 7 device?
The program is absolutely right; therefore, the computer must be wrong.
January 12th, 2011 2:00am
Would removing the Security tab from the file\folder be enough? Or even adding a special permission to deny local administrators access to Take ownership? These local admins do not have access to alter the GPO settings.
January 17th, 2011 11:00pm
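An added example, not code from any poster in this thread: one way to script the ownership change asked about in the first post and, because the replies point out that a local administrator can still take ownership back, to audit the file so that such a change is recorded in the Security log. The file path and the new owner are placeholders; the script assumes an elevated session on an English-language system, run by an account that can still read the file's security descriptor.

```powershell
# Placeholders (assumptions, not values from the thread).
$Path     = 'C:\Program Files\ExampleSvc\service.exe'
$NewOwner = 'NT AUTHORITY\SYSTEM'

# 1. Add an audit entry (SACL) that logs successful ownership and
#    permission changes on the file, whoever makes them.
$rights = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
              'Everyone', $rights,
              [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -LiteralPath $Path -Audit     # -Audit also reads the SACL
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# 2. The SACL only produces events when file system auditing is enabled.
#    (The subcategory name is localized; "File System" is the English name.)
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 3. Change the owner with the built-in icacls tool and check the result.
icacls $Path /setowner $NewOwner
if ($LASTEXITCODE -ne 0) { throw "icacls could not set the owner of $Path" }
"Owner is now: $((Get-Acl -LiteralPath $Path).Owner)"

# 4. Review later: 4663 = object access attempt, 4670 = permissions changed.
#    Keep only the events that mention this file.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -and $_.Message.Contains($Path) } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

A local administrator can also alter the audit entry or clear the local Security log, so the events are only dependable if they are forwarded off the machine.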


