Re: Who can alter User rights ?

---

• From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Sun, 17 Sep 2006 20:44:44 -0500

---

Administrators have take ownership privilege, so they can take ownership of
any ACL they are denied access to and then change it.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Vilius" <v_mockunas@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uKo$klq2GHA.324@xxxxxxxxxxxxxxxxxxxxxxx

I think you right.
But my idea was:
user rights are controlled using group policy, I think that group policy
is like front-end, and real control elements are registry keys/values. And
every registry key has it's own permissions. So If I find registry key
which corresponds to particular user right, maybe I can allow more to one
administrative account than other(administrative) accounts using registry
permissions ?
It's my guess basically, but ?

thanks
Vilius


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eXy$wFq2GHA.1256@xxxxxxxxxxxxxxxxxxxxxxx

All administrator accounts are created equal. If you can't trust someone
with the rights, take them away.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Vilius wrote:

Hi,
By default administrators can alter user rights.
Any way to control that ?
For example user Administrator can alter user rights, while other users
with administrator privileges don't.

thanks
Vilius

.

---

• Follow-Ups:
  • Re: Who can alter User rights ?
    • From: Vilius

• References:
  • Who can alter User rights ?
    • From: Vilius
  • Re: Who can alter User rights ?
    • From: Joe Richards [MVP]
  • Re: Who can alter User rights ?
    • From: Vilius

• Prev by Date: Re: Who can alter User rights ?
• Next by Date: Re: Converting Diffie-Hellman Session keys to CALG_AES_128
• Previous by thread: Re: Who can alter User rights ?
• Next by thread: Re: Who can alter User rights ?
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: RESPONSE: Users "bypassing" Group Policy restrictions ... The owner of a file/reg key can change its permissions. ... This security setting determines which users can take ownership of any ... What if he removes local 'Administrators' group from having this right ... permissions to the registry key which applies ... (Focus-Microsoft) Re: Administrator rights for legacy appliations ... > you can add these users to Power Users group, and add Power Users group to ... > have the permission to access the registry key or system files. ... > Please understand that Administrators group has much more powers than ... (microsoft.public.windows.terminal_services) RE: Re-installed XP Pro - admin accounts now blocked ... I would start by checking group policy to make sure the administrators ... User Rights Assignments. ... <10 days ago I performed a repair installation of XP Pro after upgrading ... (microsoft.public.windowsxp.setup_deployment) Re: Cannot set default printer ... Elevating user rights can actually make the problem worse, ... Microsoft MVP - Terminal Server ... Adding users to the administrators group is not the answer. ... (microsoft.public.windows.terminal_services) Re: Allow ONLY Domain Admin to login to XP ... Again the only way you can do that is by modifying the user rights for logon ... administrators then only users/groups in the local administrators group on ... --- Steve ... I just want domain users to be prevented from logging into a certain XP ... (microsoft.public.windowsxp.security_admin)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)