Re: Who can alter User rights ?

Only those users who are mentioned in "Take ownership of files or other
objects" user right.

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u89WGQs2GHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Administrators have take ownership privilege, so they can take ownership
of any ACL they are denied access to and then change it.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Vilius" <v_mockunas@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uKo$klq2GHA.324@xxxxxxxxxxxxxxxxxxxxxxx
I think you right.
But my idea was:
user rights are controlled using group policy, I think that group policy
is like front-end, and real control elements are registry keys/values.
And every registry key has it's own permissions. So If I find registry
key which corresponds to particular user right, maybe I can allow more to
one administrative account than other(administrative) accounts using
registry permissions ?
It's my guess basically, but ?

thanks
Vilius


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eXy$wFq2GHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
All administrator accounts are created equal. If you can't trust someone
with the rights, take them away.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Vilius wrote:
Hi,
By default administrators can alter user rights.
Any way to control that ?
For example user Administrator can alter user rights, while other users
with administrator privileges don't.

thanks
Vilius






.

Relevant Pages

  • Re: Non admin users cant do things they need to do
    ... You mean they are along with the registry entires? ... i added the keys below to the registry (as administrator) logged off, ... can set the time then they can fake out system event logs by changing ...
    (microsoft.public.windowsxp.embedded)
  • Re: Help encrypt conn string - no ASP, no server, cant protect keys, cant use Windows Authentica
    ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... also considered putting it in the normal location in the registry as you ... Installer property with the result and your installer can then just ...
    (microsoft.public.dotnet.security)
  • Re: How do I find out if Im the system administrator for my perso
    ... registered as the system administrator for this machine. ... password when I'm installing new software and under some other ... I was never asked to establish an administrator's account or password ... The reason for my question is that I'm about to have to edit my registry ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Non admin users cant do things they need to do
    ... only the administrator can. ... Could it be tht we're just missing a load of registry settings for our ... can set the time then they can fake out system event logs by changing ...
    (microsoft.public.windowsxp.embedded)
  • Re: Non admin users cant do things they need to do
    ... i added the keys below to the registry (as administrator) logged off, ... can set the time then they can fake out system event logs by changing ...
    (microsoft.public.windowsxp.embedded)