Appendix J: Default Owners of Active Directory Objects

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This appendix contains information about differences between the administrative groups that become default object owners in Windows 2000 and Windows Server 2003.

Default Owners in Windows 2000 Server

In Windows 2000 Server Active Directory, the following rules of ownership apply for new object creation in all directory partition types, including configuration, schema, and domain:

  • If the requestor is a member of the Builtin Administrators group, the default object owner is the Administrators group.

  • If the requestor is a member of the Domain Admins group of the domain of the contacted domain controller, the default object owner is the Domain Admins group of that domain.

  • If the requestor is not a member of the Builtin Administrators group or the Domain Admins group of the domain of the contacted domain controller, the default object owner is the requestor.

Default Owners in Windows Server 2003

In Windows Server 2003 Active Directory, the following major differences affect how ownership of new objects is computed:

  • Rules of ownership are specific to the target directory partition type.

  • The Enterprise Admins group is considered for forest-wide objects, not just the Domain Admins group. If the requestor is a member of the Enterprise Admins group, the default object owner is the group, not the individual requestor.

  • The Builtin Administrators group no longer has default group ownership of directory objects.

The following tables show how ownership rules are applied, from highest to lowest precedence, relative to the different directory partition types and requestor membership in administrative groups.

Directory Partition Type: Configuration

  Requestor Group           Default Owner
  Enterprise Admins         Enterprise Admins
  Domain Admins             Domain Admins group of the domain of the contacted domain controller
  Builtin Administrators    Token-user
  Other                     Default-owner-in-token

Directory Partition Type: Schema

  Requestor Group           Default Owner
  Schema Admins             Schema Admins
  Enterprise Admins         Enterprise Admins
  Domain Admins             Domain Admins group of the domain of the contacted domain controller
  Builtin Administrators    Token-user
  Other                     Default-owner-in-token

Directory Partition Type: Domain

  Requestor Group           Default Owner
  Domain Admins             Domain Admins group of the domain of the contacted domain controller
  Enterprise Admins         Enterprise Admins
  Builtin Administrators    Token-user
  Other                     Default-owner-in-token

Directory Partition Type: Application

  Requestor Group           Default Owner
  Domain Admins             Domain Admins group of the security descriptor reference domain of the application directory partition
  Enterprise Admins         Enterprise Admins
  Builtin Administrators    Token-user
  Other                     Default-owner-in-token
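Because the owner of an object can always rewrite its DACL, an object in the configuration, schema, or domain partition whose owner is an individual account (the Token-user case above) rather than one of the administrative groups is worth reviewing. The following script is an added example, not part of this appendix or of any Microsoft tool: it walks each of the three standard partitions, reads the owner from every object's security descriptor, and lists the objects whose owner is not one of the groups named in the tables. It assumes the ActiveDirectory PowerShell module is available (against a Windows Server 2003 domain controller that requires the Active Directory Management Gateway Service), that the caller can read nTSecurityDescriptor, and that the administrative groups carry their default names.

```powershell
# Added example: audit default object owners per directory partition.
# Not from the original documentation; assumes the ActiveDirectory module
# and default group names (Enterprise Admins, Schema Admins, Domain Admins,
# Administrators).
Import-Module ActiveDirectory

function Get-ObjectOwnerReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # DN of the partition root
    )
    # Groups that the tables above name as expected default owners.
    $expectedOwners = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators')

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * `
                 -Properties nTSecurityDescriptor |
        ForEach-Object {
            # Owner is rendered as DOMAIN\Name, or as a raw SID string when the
            # account can no longer be resolved (for example, a deleted user).
            $owner     = [string] $_.nTSecurityDescriptor.Owner
            $ownerName = ($owner -split '\\')[-1]
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                Owner             = $owner
                OwnedByAdminGroup = ($expectedOwners -contains $ownerName)
            }
        }
}

# The three partition types every domain controller holds; application
# partitions can be added from (Get-ADForest).ApplicationPartitions.
$rootDse    = Get-ADRootDSE
$partitions = [ordered]@{
    Configuration = $rootDse.configurationNamingContext
    Schema        = $rootDse.schemaNamingContext
    Domain        = $rootDse.defaultNamingContext
}

foreach ($name in $partitions.Keys) {
    Write-Host "== $name partition ($($partitions[$name])) =="
    Get-ObjectOwnerReport -SearchBase $partitions[$name] |
        Where-Object { -not $_.OwnedByAdminGroup } |
        Format-Table DistinguishedName, Owner -AutoSize
}
```

An empty result for a partition means every object in it is owned by one of the administrative groups. Objects listed under the domain partition are often legitimate (users create their own computer accounts, for example), so the output is a review list rather than a finding; objects owned by individuals in the configuration or schema partitions are less common and deserve a closer look, as do owners that show up as unresolved SIDs.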