Object ownership and transfer
It’s important to understand the concept of object ownership. In Windows Server 2012 R2, the object owner isn’t necessarily the object’s creator; instead, the object owner is the person who has direct control over the object. Object owners can grant access permissions and give other users permission to take ownership of the object.
As an administrator, you can take ownership of objects on the network to ensure that you can’t be locked out of files, folders, printers, and other resources. After you take ownership of files, however, you can’t return ownership to the original owner (in most cases). This prevents administrators from accessing files and then trying to hide the fact.
The way ownership is assigned initially depends on the location of the resource being created. In most cases, the Administrators group is listed as the current owner, and the object’s actual creator is listed as a person who can take ownership.
Ownership can be transferred in several ways:
■ If the Administrators group is initially assigned as the owner, the creator of the object can take ownership, if she does this before someone else takes ownership.
■ The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership of the object.
■ An administrator can take ownership of an object, if the object is under his administrative control.
To take ownership of an object, follow these steps:
1. Open the management tool for the object. For example, if you want to work with files and folders, start File Explorer.
2. Press and hold or right-click the object you want to take ownership of, and then tap or click Properties. In the Properties dialog box, tap or click the Security tab.
3. On the Security tab, tap or click Advanced to display the Advanced Security Settings dialog box where the current owner is listed under the file or folder name.
4. Tap or click Change. Use the options in the Select User, Computer, Service Account, Or Group dialog box to select the new owner.
5. Tap or click OK twice when you have finished.
TIP If you’re taking ownership of a folder, you can take ownership of all subfolders and files within the folder by selecting the Replace Owner On Subcontainers And Objects check box. This option also works with objects that contain other objects, in which case you would take ownership of all child objects.
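The same procedure can be run from an elevated PowerShell session. The following is an added example, not part of the original text: because ownership usually cannot be handed back afterward, it writes the current owners to a CSV file before calling takeown.exe. The function name, its parameters, and the CSV path are hypothetical.

```powershell
# Added example, not from the original text. Save-OwnerAndTakeOwnership and its
# parameters are hypothetical names; run from an elevated session.
function Save-OwnerAndTakeOwnership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $RecordCsv,
        [switch] $Recurse
    )

    $root   = Get-Item -LiteralPath $Path -Force
    $doTree = $Recurse -and $root.PSIsContainer
    $items  = @($root)
    if ($doTree) {
        # Children of folders you cannot list yet are skipped here; takeown /R still reaches them.
        $items += Get-ChildItem -LiteralPath $root.FullName -Recurse -Force -ErrorAction SilentlyContinue
    }

    # 1. Record the current owner of every object that can be read, before changing anything.
    $items | ForEach-Object {
        $owner = '<unreadable>'
        try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { }
        [pscustomobject]@{
            Path          = $_.FullName
            PreviousOwner = $owner
            RecordedAt    = (Get-Date).ToString('o')
        }
    } | Export-Csv -LiteralPath $RecordCsv -NoTypeInformation

    # 2. Take ownership. /A assigns the Administrators group instead of the current user;
    #    /R recurses and /D Y answers the prompt for folders that cannot be listed.
    if ($PSCmdlet.ShouldProcess($root.FullName, 'Take ownership (Administrators group)')) {
        $takeownArgs = @('/F', $root.FullName, '/A')
        if ($doTree) { $takeownArgs += '/R', '/D', 'Y' }
        & takeown.exe @takeownArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown.exe exited with code $LASTEXITCODE" }
    }

    # 3. Return the owner now set on the root object so the caller can confirm the change.
    (Get-Acl -LiteralPath $root.FullName).Owner
}

# Constructed sample call; C:\Data is the folder used in this chapter's examples.
# Save-OwnerAndTakeOwnership -Path 'C:\Data' -RecordCsv 'C:\Temp\owners-before.csv' -Recurse
```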
Object inheritance
Objects are defined by using a parent-child structure. A parent object is a top-level object, and a child object is an object defined below a parent object in the hierarchy. For example, the folder C:\ is the parent of the folders C:\Data and C:\Backups. Any subfolders created in C:\Data or C:\Backups are children of these folders and grandchildren of C:\.
Child objects can inherit permissions from parent objects; in fact, all Windows Server 2012 R2 objects are created with inheritance enabled by default. This means that child objects automatically inherit the permissions of the parent; therefore, the parent object permissions control access to the child object. If you want to change permissions on a child object, you must do one of the following:
■ Edit the permissions of the parent object.
■ Stop inheriting permissions from the parent object, and then assign permissions to the child object.
■ Select the opposite permission to override the inherited permission. For example, if the parent allows the permission, you would deny it on the child object.
To stop inheriting permissions from a parent object, follow these steps:
1. Open the management tool for the object. For example, if you want to work with files and folders, start File Explorer.
2. Press and hold or right-click the object with which you want to work, and then tap or click Properties. In the Properties dialog box, tap or click the Security tab.
3. Tap or click Advanced to display the Advanced Security Settings dialog box.
4. On the Permissions tab, tap or click Change Permissions to display an editable version of the Permissions tab.
5. On the Permissions tab, you’ll see a Disable Inheritance button if inheritance currently is enabled. Tap or click Disable Inheritance.
6. You can now either convert the inherited permissions to explicit permissions or remove all inherited permissions and apply only the permissions that you explicitly set on the folder or file.
Keep in mind that if you remove the inherited permissions and no other permissions are assigned, everyone but the owner of the resource is denied access. This effectively locks out everyone except the owner of a folder or file; however, administrators still have the right to take ownership of the resource regardless of the permissions. Thus, if an administrator is locked out of a file or a folder and truly needs access, she can take ownership and then have unrestricted access.
To start inheriting permissions from a parent object, follow these steps:
1. Open the management tool for the object. For example, if you want to work with files and folders, start File Explorer.
2. Press and hold or right-click the object with which you want to work, and then tap or click Properties. In the Properties dialog box, tap or click the Security tab.
3. Tap or click Advanced to display the Advanced Security Settings dialog box.
4. On the Permissions tab, tap or click Enable Inheritance, and then tap or click OK. Note that the Enable Inheritance button is available only if permission inheritance currently is disabled.
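The two procedures above can also be scripted. The following is an added example, not part of the original text: it shows both choices from step 6 of the disable procedure and refuses, by default, the case described above in which removing inherited permissions would leave only the owner with access. Function and parameter names are hypothetical, and an elevated session is assumed.

```powershell
# Added example, not from the original text. Function and parameter names are hypothetical.
function Disable-PermissionInheritance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $RemoveInherited,   # step 6, second choice: drop the inherited entries
        [switch] $AllowOwnerOnly     # accept the owner-only outcome deliberately
    )
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.AreAccessRulesProtected) { return $acl }   # inheritance is already disabled

    # Explicit Allow entries are all that will remain if inherited entries are removed.
    $explicitAllow = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
    })
    if ($RemoveInherited -and $explicitAllow.Count -eq 0 -and -not $AllowOwnerOnly) {
        throw "No explicit Allow entries on '$Path': removing inherited permissions would leave only the owner with access."
    }

    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   ($true, $true)  = disable inheritance, convert inherited entries to explicit ones
    #   ($true, $false) = disable inheritance, remove inherited entries
    $acl.SetAccessRuleProtection($true, (-not $RemoveInherited.IsPresent))
    Set-Acl -LiteralPath $Path -AclObject $acl
    Get-Acl -LiteralPath $Path
}

function Enable-PermissionInheritance {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)] [string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    # isProtected = $false turns inheritance back on; the second argument is ignored.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Get-Acl -LiteralPath $Path
}
```

Re-enabling inheritance does not remove entries that were earlier converted to explicit ones, so review the resulting list for duplicates.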
File and folder permissions
NTFS permissions are always evaluated when a file is accessed. On NTFS and ReFS volumes, you can set security permissions on files and folders to grant or deny access to the files and folders. Because Windows Server 2012 R2 adds new layers of security, NTFS permissions now encompass the following:
■ Basic permissions
■ Claims-based permissions
■ Special permissions
You can view NTFS permissions for files and folders by following these steps:
1. In File Explorer, press and hold or right-click the file or folder with which you want to work, and then tap or click Properties. In the Properties dialog box, tap or click the Security tab.
2. In the Group Or User Names list, select the user, computer, or group whose permissions you want to view. If the permissions are not available (dimmed), the permissions are inherited from a parent object.
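To review the same information for many objects at once, the following added example (not part of the original text) lists each access entry with its owner and whether the entry is inherited, which corresponds to the dimmed permissions in the dialog box. The function name is hypothetical; C:\Data is the sample folder used earlier in this chapter.

```powershell
# Added example, not from the original text. Get-NtfsPermissionReport is a hypothetical name.
function Get-NtfsPermissionReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $Recurse
    )
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read permissions on $($item.FullName)"; continue }

        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Path                = $item.FullName
                Owner               = $acl.Owner
                InheritanceDisabled = $acl.AreAccessRulesProtected
                Identity            = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType    # Allow or Deny
                Rights              = $ace.FileSystemRights
                Inherited           = $ace.IsInherited          # True = dimmed in the dialog box
            }
        }
    }
}

# Show only entries set directly on an object, where access differs from the parent folder.
Get-NtfsPermissionReport -Path 'C:\Data' -Recurse |
    Where-Object { -not $_.Inherited } |
    Sort-Object Path, Type |
    Format-Table Path, Identity, Type, Rights, InheritanceDisabled -AutoSize
```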
Shared folders have both share permissions and NTFS permissions. You can view the underlying NTFS permissions for shared folders by following these steps: