When files and folders are created on the Windows file system, an owner is assigned to that object. By default, the owner is the creator of the file. But, ownership can be re-assigned by the current owner or system administrators. When assigning an owner, it’s critical to understand what the attribute means.
A file or folder owner always has the rights to adjust permissions. So, even if everyone is denied rights and the owner account can no longer view the document, it can still be used to adjust permissions to grant itself (or anyone else) any additional permissions.
In most cases, an explicit deny rule takes precedence over other rights assignments. In the case of owner, however, this is not true. So, ownership needs to be considered when looking at what file permissions are assigned.
The implicit rights granted by the owner attribute take precedence over all other permissions, including denies.
To ensure proper access to files on the Windows file system, NetVision’s ARI accounts for the owner of a file system object when calculating effective rights. This allows users to be able to locate accounts that may have more privileges than expected because they are set as the owner of a file or folder. If a user is set as the owner and their effective permissions also allow them to browse or see the file or folder, then they can grant other rights to see items in the folder and below. If you don’t want users to be able to change permissions on files and folders, then you need to ensure that they’re not set as the owner. The owner attribute in most cases should be set to an administrative group so only appropriately privileged accounts can change these permissions.