3

I noticed that the user folder, C:\Users\User-Name-Here, shows Owner as Administrators (PC-NAME\Administrators).

Other users' folders show the folder owner as System.

Is this normal? If so, what determines the ownership? For example, who owns a domain user's local folder vs. a local non-domain PC user's Users folder?

There are behavioral differences that triggered concern:

On the user where I noticed this, it's because I was exporting and saving the Windows Defender Firewall policies, and the Save dialog has no icons.

Saving a hello-world.txt file from Notepad is a normal dialog where you can see icons.

That can't be right except if there's some permissions foobar going on, no?

Seems like ownership could cause security confusion/issues.

SKidd
  • 121

3 Answers

2

The FIRST account, which is created on a system during initial Windows setup, has "SYSTEM" as the owner of the C:\Users\username directory, because there is no administrator yet who could create the account. Users who are created subsequently have "Administrators" as owner, because they were created by an administrator.

By default, the owner is the person who or the process that created the object. Owners can always change permissions to objects, even when they're denied all access to the object.

Source: Windows learn pages

You can change the owner by right-clicking on the folder and selecting Properties -> Security -> Advanced. Then click on "Change" next to the "Owner" field. See the screenshot.

On the screenshot, "Y.." on the right was the first user created on the system. From that user, I created admin2.


1NN
  • 10,044
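The check and the ownership change described in this answer, as an added PowerShell example (not code from the answer or from Microsoft). It assumes the default profile root C:\Users and uses 'PC-NAME\alice' as a placeholder for the real COMPUTER\user or DOMAIN\user name; run it from an elevated (Administrator) session, since setting an owner other than yourself needs the restore privilege that elevation grants.

```powershell
# Added example, not from the answer above. Lists who owns each profile folder under C:\Users,
# then shows how to hand a profile folder back to its user. Assumptions: the profile root is
# the default C:\Users, and 'PC-NAME\alice' is a placeholder for a real COMPUTER\user or
# DOMAIN\user account. Run from an elevated (Administrator) PowerShell session.

$profileRoot = 'C:\Users'

# Step 1: report the current owner of every top-level folder in the profile root.
# -Force includes hidden folders such as 'Default', which is normally owned by SYSTEM.
function Get-ProfileOwner {
    param([string]$Root = $profileRoot)
    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        [pscustomobject]@{
            Folder = $_.Name
            Owner  = $acl.Owner   # e.g. 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'PC-NAME\alice'
        }
    }
}

# Step 2: set the owner of one folder (same effect as Properties -> Security -> Advanced -> Change).
# Only the folder itself is affected; ownership of files already inside it is not rewritten.
function Set-ProfileOwner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account
    )
    $acl      = Get-Acl -LiteralPath $Path
    $identity = New-Object System.Security.Principal.NTAccount($Account)
    $acl.SetOwner($identity)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Get-ProfileOwner | Format-Table -AutoSize

# Placeholder values: replace before use.
# Set-ProfileOwner -Path 'C:\Users\alice' -Account 'PC-NAME\alice'
```

Set-ProfileOwner touches one folder only, which matches what the dialog does without the "Replace owner on subcontainers and objects" box ticked. If the whole profile tree must change hands, the built-in icacls tool does the recursive walk ( icacls "C:\Users\alice" /setowner "PC-NAME\alice" /T /C ), and that walk is what takes a long time on a large profile.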
0

A folder/file created by a user in the Administrators group will be owned by the Administrators group by default, but a folder created by a user not in the Administrators group is owned by that particular user. This behavior is configurable in Group Policy, and I think starting with Windows 10 they started to make it consistent that all files created by users (particularly users created by humans, not system users) are owned by the creator, but I could be wrong...

Not sure for domain users now since I do not have such a setup to confirm.

However, C:\Users contains more than just user profiles; there are also "All Users" (or "Public") and maybe "Default User" (depending on the version of Windows), which are respectively the shared files and the user profile template. These can be owned by some system user like System.

Ownership can change after any file/folder is created, so there is no reason why the user profile folder cannot be owned by the correct user/group, no matter when it is created. You can always change it yourself if you have the permissions (e.g., if you are in Administrators). As long as you do not add Deny permissions to your own user profile that deny yourself, you will be fine. Warning: changing ownership recursively could take very long.

Security-wise, if you ask "who SHOULD be" (meaning you want to change it yourself), then the preferred way is to "just keep it as is". For shared systems, changing the owner of user profile folders to the corresponding individual users should be good, too. Keep in mind that permissions are not enough to give you security: Any Administrators user will be able to override these, and anyone that has physical access can easily circumvent this by booting into a different OS.

charlesz
  • 353
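The "do not deny yourself" caveat in this answer is easy to check before and after touching a profile's ACL. The following is an added PowerShell example, not code from the answer; it assumes the folder to audit is the current user's profile (the $Path parameter defaults to $env:USERPROFILE) and it matches Deny entries against every SID in the running token, so a Deny aimed at one of your groups is caught as well as one aimed at your user account.

```powershell
# Added example, not from the answer above. Audits a profile folder's ACL for Deny entries that
# would apply to the account running the script, either directly or through one of its groups.
# Assumption: $Path is the profile folder to check; it defaults to the current user's profile.

function Get-SelfDenyingAce {
    param([string]$Path = $env:USERPROFILE)

    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Every SID the current token carries: the user SID plus all group SIDs.
    # A Deny entry for any one of them applies to this user.
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }

        # ACLs store SIDs; Get-Acl shows names where it can resolve them. Translate back to the
        # SID so the comparison also works for names that no longer resolve.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value
        }

        if ($mySids -contains $sid) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$hits = @(Get-SelfDenyingAce)
if ($hits.Count -eq 0) {
    "No Deny entries on $env:USERPROFILE apply to $($env:USERDOMAIN)\$($env:USERNAME)."
} else {
    $hits | Format-Table -AutoSize
}
```

Deny entries win over Allow entries in Windows ACL evaluation, so a single hit from this function is enough to explain a profile that suddenly refuses access. The Inherited column tells you whether the entry was set on the folder itself or flowed down from a parent such as C:\Users, which decides where the fix has to be made.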
0

The problem with the ownership of the C:\Users\username folder is that a newly-created user account is not complete until its first logon.

When the new account is created, the C:\Users\username folder is not yet created, even if the account is created with a password (an account isn't required to have a password when created).

The account is finalized when the user logs on for the first time, and then the folder is created at the beginning of the process. It cannot at that time be marked with the user as the owner, because that requires using the user's password to create its account-token, and the password may not have been created yet.

So Windows at that time needs to set the owner as best it can, which will be "System" for the first administrator and "Administrators" for the following ones. There is no specific reason for that difference, except that this is what the Windows developers decided.

The sub-folders of this folder, such as Documents and Pictures, are created after the password has been created or specified and the login was completed. They can at that time be marked as owned by the user, because at that time the account-token of the user was already created (and will stay available as long as the login session lasts).

The reason for this whole ownership problem is that Windows does not permit itself to use internally the user's password and requires the user to enter it. When the user is in no position to enter the password, Windows will use accounts that are always accessible to it such as System/Administrators.

See this answer of mine that shows that System/Administrators are not real accounts, just well-known Security Identifiers (SIDs) that do not have passwords to be used. Windows can then use these pseudo-accounts freely.

harrymc
  • 498,455