File owner is a group

Devilsbane Member Posts: 4,212
Hey guys, wondering if anyone has this answer because it seems Google cannot.

We recently had some users get added to a group that they shouldn't have that gave them write access to a shared network folder. They are gone now, but I'm trying to see if they modified anything that they shouldn't have, and logging is not enabled on this location.

So I wrote up a PowerShell script to recursively grab these files and run Get-Acl on them to check the owner. If the owner of the file is one of these people, then I know they created it. Unfortunately, if they only modified something then they wouldn't take ownership, but based on the use of the location I'd expect that files would be replaced rather than modified.

What I'm finding though is that many files are owned by BUILTIN\Administrators. Not only does this not help me, but now I'm trying to figure out why the owner would sometimes be a group rather than your user. What mechanism decides that? Do all local admins just get defaulted to group while other users get owned by the user or is there something else at play?

I'd love to hear any and all opinions on the subject. Unfortunately Google only leads me to pages on how to change ownership, not on how it is birthed. Thanks, guys.
Decide what to be and go be it.
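
The owner check described in the post above, as an added PowerShell example that is not part of the original post and is not the poster's script. The account names, the 30-day window and the temporary sample tree are constructed placeholders; pass `-Root` with the real share path to audit it.

```powershell
# Added example. Account names and the date window are constructed placeholders.
param(
    [string]$Root,                                   # folder or UNC path to audit
    [string[]]$Suspects = @('EXAMPLE\user1', 'EXAMPLE\user2'),
    [datetime]$From = (Get-Date).AddDays(-30),       # assumed start of the access window
    [datetime]$To = (Get-Date)
)

# With no -Root, build a small constructed tree so the script runs offline.
if (-not $Root) {
    $Root = Join-Path ([IO.Path]::GetTempPath()) "owner-audit-$([guid]::NewGuid())"
    New-Item -ItemType Directory -Path (Join-Path $Root 'sub') -Force | Out-Null
    'a' | Set-Content -LiteralPath (Join-Path $Root 'one.txt')
    'b' | Set-Content -LiteralPath (Join-Path $Root 'sub\two.txt')
}

$report = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{
                Path           = $file.FullName
                Owner          = $acl.Owner
                # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators
                OwnerIsAdmins  = ($sid -eq 'S-1-5-32-544')
                OwnedBySuspect = ($Suspects -contains $acl.Owner)
                Created        = $file.CreationTime
                Modified       = $file.LastWriteTime
                # Timestamps can be altered, so use them to narrow review, not as proof
                InWindow       = ($file.CreationTime -ge $From -and $file.CreationTime -le $To) -or
                                 ($file.LastWriteTime -ge $From -and $file.LastWriteTime -le $To)
            }
        } catch {
            Write-Warning "Cannot read owner of $($file.FullName): $($_.Exception.Message)"
        }
    }

# How ownership is distributed across the tree
$report | Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-Host

# Files to review: owned by a listed account, or owned by the Administrators
# group (so the owner cannot identify the creator) and touched in the window
$report | Where-Object { $_.OwnedBySuspect -or ($_.OwnerIsAdmins -and $_.InWindow) } |
    Sort-Object Modified | Format-Table Path, Owner, Created, Modified -AutoSize | Out-Host
```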

Comments

  • UncleB Member Posts: 417
    I think it is probable that when the structure was created, the files came from somewhere else, and in order to get permission as owner to set the appropriate security on the files & folders, your server admin would have changed the owner to this group in order for their team to have full rights - by using the group you can give any other team members this access and speed up the work of permissioning folder structures by spreading it around.

    I think the access always defaults to who was logged in and copying the files, or the account used by the backup/restore software.

    thanks
    Iain
  • NetworkNewb Member Posts: 3,298
    Interesting, I just tested it out. I'm set up as a local admin on my computer, and when I created a file on my local machine and ran Get-Acl on it, the owner showed up as BUILTIN\Administrators...

    I show up normally as the owner when I create files on our shared network drives, but I'm pretty certain I'm not a local admin on those...
  • Devilsbane Member Posts: 4,212
    UncleB wrote:
    I think it is probable that when the structure was created, the files came from somewhere else, and in order to get permission as owner to set the appropriate security on the files & folders, your server admin would have changed the owner to this group in order for their team to have full rights - by using the group you can give any other team members this access and speed up the work of permissioning folder structures by spreading it around.

    I think the access always defaults to who was logged in and copying the files, or the account used by the backup/restore software.

    thanks
    Iain

    That is a very good theory. I'll look into it. Thanks!
    Decide what to be and go be it.