Windows – How to grant somebody “Take ownership” privilege

Tags: filesystems, permissions, windows, windows-server-2008-r2

I have a Windows 2008 R2 machine. My machine itself is not a domain controller but is joined to a domain.

In Local Security Policy, under Security Settings > Local Policies > User Rights Assignment, I granted user DOMAIN\jane.doe the "Take ownership of files or other objects" privilege.

I rebooted the machine and logged in as DOMAIN\jane.doe. I opened a command prompt and ran takeown /f c:\test\testfile.txt. It gives me an "Access denied" error.

The file was created by DOMAIN\administrator. Hence the owner was set to the Administrators group.
Verified that there is no other GPO applied to the machine.

For testing purposes, I took out all DACL entries from the file and then just granted DOMAIN\jane.doe the "Take ownership" permission via the DACL. Then I logged in as DOMAIN\jane.doe and ran takeown /f c:\test\testfile.txt again. I could successfully take ownership when the "Take ownership" permission was granted to DOMAIN\jane.doe via the DACL.

My question is: why does the user DOMAIN\jane.doe fail to obtain the file ownership even though I granted her the privilege? Is it because takeown.exe doesn't honor the Windows privilege but only the DACL? I did similar testing using the security property page from Windows Explorer. DOMAIN\jane.doe cannot take ownership even though she is granted the "Take ownership" permission via the DACL and she is granted the "Take ownership of files or other objects" privilege.

Best Answer

I just worked out the answer. It's because I had UAC turned on. If I turn off UAC, both takeown.exe and the explorer.exe security properties work as expected. DOMAIN\jane.doe can take ownership as expected.
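
A way to confirm this diagnosis, as an added example that is not part of the original post: with UAC on, a non-elevated process runs with a filtered access token, so a privilege assigned in User Rights Assignment can be missing from the token that the access check actually uses. The function name Get-TakeOwnershipTokenState is hypothetical; the script uses only whoami.exe and the EnableLUA policy value, and avoids syntax newer than PowerShell 2.0 so it runs on Windows Server 2008 R2.

```powershell
# Added example, not from the original post. Run it as the affected user,
# once from a normal prompt and once from an elevated prompt, and compare.
function Get-TakeOwnershipTokenState {
    $privName = 'SeTakeOwnershipPrivilege'

    # EnableLUA = 1 means UAC is turned on for this machine.
    # If the value cannot be read, UacEnabled is reported as False.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    # whoami /priv lists the privileges held in THIS process's access token.
    # The token, not the policy assignment, is what the access check consults.
    # /nh drops the (localized) header row so fixed column names can be applied.
    $row = whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State |
        Where-Object { $_.Name -eq $privName }

    # State is reported as whoami prints it (text is localized); 'Absent'
    # is this script's own label for "not in the token at all".
    if ($row) { $state = $row.State } else { $state = 'Absent' }

    New-Object PSObject -Property @{
        User       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        UacEnabled = ($lua -eq 1)
        Privilege  = $privName
        TokenState = $state
    }
}

$r = Get-TakeOwnershipTokenState
$r | Format-List User, UacEnabled, Privilege, TokenState

if ($r.TokenState -eq 'Absent' -and $r.UacEnabled) {
    # The symptom described on this page: right assigned, token lacks it.
    Write-Output 'Privilege is not in this token and UAC is on: compare with an elevated prompt.'
} elseif ($r.TokenState -eq 'Absent') {
    Write-Output 'Privilege is not in this token: check User Rights Assignment, then log on again.'
} else {
    # A privilege listed as disabled is still held; a program can enable it.
    Write-Output 'Privilege is present in this token.'
}
```

If the privilege shows as absent in a normal prompt but present in an elevated one, running the ownership change from the elevated prompt is an alternative to disabling UAC machine-wide.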