Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This appendix contains information about differences between the administrative groups that become default object owners in Windows 2000 and Windows Server 2003.
In Windows 2000 Server Active Directory, the following rules of ownership apply for new object creation in all directory partition types, including configuration, schema, and domain:
- If the requestor is a member of the Builtin Administrators group, the default object owner is the Administrators group.
- If the requestor is a member of the Domain Admins group of the domain of the contacted domain controller, the default object owner is the Domain Admins group.
- If the requestor is not a member of the Builtin Administrators group or the Domain Admins group of the domain of the contacted domain controller, the default object owner is the requestor.

In Windows Server 2003 Active Directory, the following major differences affect how ownership of new objects is computed:
- Rules of ownership are specific to the target directory partition type.
- The Enterprise Admins group is considered for forest-wide objects, not just the Domain Admins group. If the requestor is a member of the Enterprise Admins group, the default object owner is the group, not the individual requestor.
- The Builtin Administrators group no longer has default group ownership of directory objects.

The following tables show how ownership rules are applied, from highest to lowest precedence, relative to the different directory partition types and requestor membership in administrative groups.

Requestor Group | Default Owner |
---|---|
Enterprise Admins | Enterprise Admins |
Domain Admins | Domain Admins group of the domain of the contacted domain controller |
Builtin Administrators | Token-user |
Other | Default-owner-in-token |

Requestor Group | Default Owner |
---|---|
Schema Admins | Schema Admins |
Enterprise Admins | Enterprise Admins |
Domain Admins | Domain Admins group of the domain of the contacted domain controller |
Builtin Administrators | Token-user |
Other | Default-owner-in-token |

Requestor Group | Default Owner |
---|---|
Domain Admins | Domain Admins group of the domain of the contacted domain controller |
Enterprise Admins | Enterprise Admins |
Builtin Administrators | Token-user |
Other | Default-owner-in-token |

Requestor Group | Default Owner |
---|---|
Domain Admins | Domain Admins of the security descriptor reference domain of the application directory partition |
Enterprise Admins | Enterprise Admins |
Builtin Administrators | Token-user |
Other | Default-owner-in-token |
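
The Windows Server 2003 precedence tables above, evaluated in code to show how the same requestor gets a different default owner depending on the partition. This is an added example, not Microsoft's implementation. Assumptions: the partition labels (`configuration`, `schema`, `domain`, `application`) are inferred from the groups each table lists, group membership is modelled as unqualified group names, and `Token`, `default_owner` and the sample accounts are hypothetical names.

```python
from dataclasses import dataclass

# Rows of each Windows Server 2003 table, highest precedence first.
# Partition labels are assumptions inferred from the groups each table lists.
DA_DC = "{dc}\\Domain Admins"       # Domain Admins of the contacted DC's domain
DA_REF = "{sdref}\\Domain Admins"   # Domain Admins of the SD reference domain
RULES = {
    "configuration": [("Enterprise Admins", "Enterprise Admins"),
                      ("Domain Admins", DA_DC),
                      ("Builtin Administrators", "{user}")],
    "schema":        [("Schema Admins", "Schema Admins"),
                      ("Enterprise Admins", "Enterprise Admins"),
                      ("Domain Admins", DA_DC),
                      ("Builtin Administrators", "{user}")],
    "domain":        [("Domain Admins", DA_DC),
                      ("Enterprise Admins", "Enterprise Admins"),
                      ("Builtin Administrators", "{user}")],
    "application":   [("Domain Admins", DA_REF),
                      ("Enterprise Admins", "Enterprise Admins"),
                      ("Builtin Administrators", "{user}")],
}

@dataclass(frozen=True)
class Token:
    user: str            # token-user: the individual requestor
    default_owner: str   # default-owner-in-token
    groups: frozenset    # unqualified group names (simplification)

def default_owner(partition, token, dc, sdref=None):
    """Return the owner named by the first table row the requestor matches."""
    if partition == "application" and sdref is None:
        raise ValueError("application partitions need the SD reference domain")
    for group, owner in RULES[partition]:
        if group in token.groups:
            return owner.format(dc=dc, sdref=sdref, user=token.user)
    return token.default_owner  # "Other" row

# Constructed sample requestors.
alice = Token("CORP\\alice", "CORP\\alice",
              frozenset({"Enterprise Admins", "Domain Admins"}))
bob = Token("CORP\\bob", "CORP\\bob", frozenset({"Builtin Administrators"}))

if __name__ == "__main__":
    for part in RULES:
        print(part, "|", default_owner(part, alice, "CORP", "ROOT"),
              "|", default_owner(part, bob, "CORP", "ROOT"))
```

When reviewing object ownership, an individual account as owner is the expected result for a requestor who holds only Builtin Administrators membership, per the Token-user rows.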