Owner of a New Object

An object's owner implicitly has WRITE_DAC access to the object. This means that the owner can modify the object's discretionary access control list (DACL), and thus, can control access to the object.

The owner of a new object is the default owner security identifier (SID) from the primary or impersonation token of the creating process. To get or set the default owner in an access token, call the GetTokenInformation or SetTokenInformation function with the TOKEN_OWNER structure. The system does not allow you to set a token's default owner to a SID that is not valid, such as the SID of another user's account.

A process with the SE_TAKE_OWNERSHIP privilege enabled can set itself as the owner of an object. A process with the SE_RESTORE_NAME privilege enabled or with WRITE_OWNER access to the object can set any valid user or group SID as the owner of an object.