Win7 - anyone know why MS removed this group policy setting ?

I've been playing around with SuRun where there is an option to set default owner for objects created by Admins to Administrators group, rather than object creator (ie. the admin user) this during install. After a bit of research, it appears MS have removed this group policy setting, although it can be enabled again:

http://support.microsoft.com/kb/947721


I understand the obvious reasons for why setting default owner to Admin group could be useful (ie. user in Admin group is removed from Admin group, but then still has access to files created while admin), but am wondering if this is useful for someone running plain Win 7 x64 Ultimate, with SUA for most work, elevating to an admin account when needed, and AppLocker/SRP (ie. is it a good idea to set default owner for objects created by Admins to Administrators group, rather than object creator ?) ?

 

See http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx for a discussion of this setting. I would guess that by removing this setting (and having the Administrators group be the default owner for objects created by any member of the Administrators group) Microsoft has made it easier to demote an admin account to standard user without having security issues related to ownership.

 

Well, the approach chosen in W7 has its own quirks as well, though more like on the opposite site than XP.

 

This makes it tougher for programs (malware included) to modify/delete critical Windows files, which IMHO is a good thing . This approach is used in Vista also.