拥有“损坏”权限的文件的所有权(Taking ownership of files with 'broken' permissions)

 我试图克服以下情况。 
 
 给定存储在NTFS卷上的目录，其中： 
 
 
 
 目录所有者被设置为其他人（例如，非特权用户） 
 
 
 目录DACL被配置为允许访问不包括系统或管理员的特定人员组 
 
 
 目录上的DACL实际上不允许任何人取得所有权或更改DACL 
 
 
 （或者简而言之，所有管理员都被锁定在文件夹之外） 
 
 但！ 
 
 
 
 我正在运行的帐户具有管理权限（SeBackupPrivilege，SeSecurityPrivilege） 
 
 
 无论如何，现在的DACL可以被忽略，因为我正在写一个新的DACL 
 
 
 使用其他工具（takeown.exe），我可以访问有问题的目录。 
 
 
 （或者简而言之，我有权修复DACL /所有者） 
 
 下面的代码我应该没有问题： 
 
WindowsIdentity privilegedUser = System.Security.Principal.WindowsIdentity.GetCurrent();

// I cannot use File.GetAccessControl() as I get access denied
// (working as intended! I have no access to read the ACL!)
// so I have to write a new ACL:
FileSecurity acl = new FileSecurity();
acl.SetOwner(admin.User);
acl.AddAccessRule(new FileSystemAccessRule(privilegedUser.User, FileSystemRights.FullControl, AccessControlType.Allow));

File.SetAccessControl("c:\\path\\to\\broken", acl);
 
 但是， SetAccessControl调用引发UnauthorizedAccessException 。 当我改变它只是调整业主，同样的事情发生。 当我只尝试调整DACL时，同样的事情。 
 
 我已经通过在Process Explorer中检查生成的进程来验证问题不是UAC，并且验证了管理员组已设置为“所有者”而不是“已禁用”。 我应该拥有所有必要的权利来执行此操作（备份操作员应该与管理员无关，但我添加了它来进行测试） - 但它只是拒绝访问权限。 
 
 相关technet文档： http : //technet.microsoft.com/en-us/library/cc783530%28WS.10%29.aspx 
 
 
 
 “如果您拥有一个对象，则可以授予任何用户或安全组对该对象的任何权限，包括获得所有权的权限。” 
 
 
 所有权可以通过以下方式转让： 
  
 
   
 当前所有者可以将“获取所有权”权限授予其他用户，从而允许该用户随时获得所有权。 用户必须实际拥有所有权才能完成转移。 （不幸的是，业主无法在这种情况下重新分配所有权。） 
 
   
 管理员可以获得所有权。 
 
   
 具有“还原文件和目录”用户权限的用户可以将所有权分配给任何用户或组。 
 
  
 
 
 拥有文件和其他对象的能力是管理员维护系统需要优先于拥有者控制访问权的另一种情况。 通常情况下，只有在当前所有者允许您这样做的情况下，您才能获得对象的所有权。 NTFS对象的所有者可以允许其他用户通过授予其他用户获取所有权的权限来获得所有权; Active Directory对象的所有者可以授予其他用户修改所有者权限。 拥有此特权的用户可以在没有当前所有者的许可的情况下取得对象的所有权。 默认情况下，该权限仅分配给内置的管理员组。 它通常由管理员用于在当前所有者不再可用时获取并重新分配资源的所有权。 
 
 
 我在这里错过了什么？ 

I'm trying to overcome the following situation.
 
Given a directory stored on an NTFS volume, where:
 
 
 
The directory owner is set to someone else (a non-privileged user for example)
 
 
The directory DACL is configured to permit access to a specific group of people that does not include the system or Administrators
 
 
The DACL on the directory actually grants no one access to either take ownership or change the DACL
 
 
(or in short, the all administrators have been locked out of the folder)
 
But!
 
 
 
The account I am running under has administrative rights (SeBackupPrivilege, SeSecurityPrivilege)
 
 
The existing DACL can be ignored as I am writing a new one anyway
 
 
Using other tools (takeown.exe), I can get access to the directory in question.
 
 
(or in short, I have access to fix the DACL/owner)
 
I should have no problem with the following code:
 
WindowsIdentity privilegedUser = System.Security.Principal.WindowsIdentity.GetCurrent();

// I cannot use File.GetAccessControl() as I get access denied
// (working as intended! I have no access to read the ACL!)
// so I have to write a new ACL:
FileSecurity acl = new FileSecurity();
acl.SetOwner(admin.User);
acl.AddAccessRule(new FileSystemAccessRule(privilegedUser.User, FileSystemRights.FullControl, AccessControlType.Allow));

File.SetAccessControl("c:\\path\\to\\broken", acl);
 
But, the SetAccessControl call throws UnauthorizedAccessException. When I alter it to only adjust the owner, the same thing happens. When I only try to adjust the DACL, same thing.
 
I've verified that the issue is not UAC by checking the resulting process in Process Explorer, and verified that the Administrators group is set to "Owner" instead of "Disabled." I should have all of the necessary rights to do this (Backup Operators should be extraneous in the face of Administrators, but I added it for testing) -- but it just keeps throwing access denied.
 
Relevant technet documentation: http://technet.microsoft.com/en-us/library/cc783530%28WS.10%29.aspx
 
 
 
"If you own an object, you can grant any user or security group any permission on that object, including the permission to take ownership."
 
 
Ownership can be transferred in the following ways: 
  
 
   
The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at any time. The user must actually take ownership to complete the transfer. (Unfortunately, the owner cannot reassign ownership in this situation.)
 
   
An administrator can take ownership.
 
   
A user who has the Restore files and directories user right can assign ownership to any user or group.
 
  
 
 
The ability to take ownership of files and other objects is another case where an administrator’s need to maintain the system takes priority over an owner’s right to control access. Normally, you can take ownership of an object only if its current owner gives you permission to do so. Owners of NTFS objects can allow another user to take ownership by granting the other user Take Ownership permission; owners of Active Directory objects can grant another user Modify Owner permission. A user who has this privilege can take ownership of an object without the current owner’s permission. By default, the privilege is assigned only to the built-in Administrators group. It is normally used by administrators to take and reassign ownership of resources when their current owner is no longer available.
 
 
What am I missing here?

原文：https://stackoverflow.com/questions/5241718