Re: Who can alter User rights ?



There are certain rights that administrators need to have - otherwise you can
be in trouble when something goes wrong. If you want to give users fewer
rights (only certain specific rights) you can easily create a NEW GROUP then
you can assign whatever rights you want to that group and give whomever you
want to this new group.
I recommend NOT to touch the Admin group's rights.

Laszlo Elteto
SafeNet, Inc.

"Vilius" wrote:

Only those users who are mentioned in "Take ownership of files or other
objects" user right.

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u89WGQs2GHA.4636@xxxxxxxxxxxxxxxxxxxxxxx
Administrators have take ownership privilege, so they can take ownership
of any ACL they are denied access to and then change it.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Vilius" <v_mockunas@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uKo$klq2GHA.324@xxxxxxxxxxxxxxxxxxxxxxx
I think you're right.
But my idea was:
user rights are controlled using group policy, I think that group policy
is like front-end, and real control elements are registry keys/values.
And every registry key has its own permissions. So if I find the registry
key which corresponds to a particular user right, maybe I can allow more to
one administrative account than other (administrative) accounts using
registry permissions?
It's my guess basically, but?

thanks
Vilius


"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:eXy$wFq2GHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
All administrator accounts are created equal. If you can't trust someone
with the rights, take them away.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Vilius wrote:
Hi,
By default administrators can alter user rights.
Any way to control that ?
For example user Administrator can alter user rights, while other users
with administrator privileges don't.

thanks
Vilius
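
Added example, not part of any poster's message: since the thread concludes that every administrator can change user rights, a practical control is to audit who holds the sensitive rights (such as "Take ownership of files or other objects", `SeTakeOwnershipPrivilege`) and compare against an expected baseline. The sketch parses the `[Privilege Rights]` section written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the sample export, the baseline and the function names are assumptions made for illustration.

```python
# Added example: report drift in user rights assignment from a secedit export.
# A real export is normally UTF-16; read it with open(path, encoding="utf-16").

# Constructed sample export (SIDs are made up, not from a real host).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeSecurityPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Assumed baseline: the principals expected to hold each right.
BASELINE = {
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},            # Administrators
    "SeSecurityPrivilege": {"S-1-5-32-544"},
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-551"},   # + Backup Operators
    "SeRestorePrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
}

def parse_privilege_rights(text):
    """Return {right: set(holders)} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names appear without it.
            rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights

def drift(rights, baseline):
    """List (right, 'unexpected' | 'missing', holder) differences from the baseline."""
    findings = []
    for right, expected in sorted(baseline.items()):
        actual = rights.get(right, set())   # a right with no line has no holders
        findings += [(right, "unexpected", h) for h in sorted(actual - expected)]
        findings += [(right, "missing", h) for h in sorted(expected - actual)]
    return findings

if __name__ == "__main__":
    for right, kind, who in drift(parse_privilege_rights(SAMPLE_INF), BASELINE):
        print(f"{kind:10} {right:26} {who}")
```

Run on a schedule and alert on any "unexpected" holder; the check reports changes made by an administrator, it does not prevent them.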