INFO: Administrator Access to Files

ID: Q102099

The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API), used with:
    • Microsoft Windows NT versions 3.5, 3.51, 4.0
    • Microsoft Windows 2000

SUMMARY

A user that is a member of the Administrator group is not automatically granted access to any file on the local machine. For an administrator to access a file, permission must be specifically granted (as for any user) in the file's discretionary access control list (DACL).

If an administrator wants to access a file that he or she is not granted access to, the administrator must first take ownership of that file. Once ownership is taken, the administrator will have full access to the file. It is important to note that administrator cannot give ownership back to the original owner. If this were so, the administrator could take ownership of a file, examine it, and then assign it back to the original owner without that owner's knowledge.

NOTE: Because administrators have backup privileges, an administrator could back up a file (or entire volume) and restore it onto another system. The administrator could then take ownership of a file on this new system, examine it, and then restore from backup with original permissions, without the owner's knowledge. Please keep this in mind when thinking about file security.

Additional query words: 3.50 file security administrator

Keywords : kbAccCtrl kbAPI kbFileIO kbKernBase kbWinOS2000 kbSecurity kbDSupport kbGrpKernBase
Version : winnt:3.5,3.51,4.0
Platform : winnt
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.