Re: Restrict take ownership rights



My response is not changed.
If you could take away take ownership rights for only that folder (you
cannot), the admins could still use the ntbackup backup app and then restore
the data somewhere else and look at it.
Your solution is in controlling where the information is persisted when
it gets stored by the application. The filesystem alone will not meet the
needs you have defined.

Roger

"Gunna" <Gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A91CF94A-BA30-424E-A2A6-5BE66514B08E@xxxxxxxxxxxxxxxx
Roger,

I hear what you're saying, don't get me wrong. The problem isn't where the
data is held, it's that the data is generated on this machine. Backup and
restore isn't an issue as the data is not being backed up here. Sounds stupid,
I know. All that matters is that the data is generated by a user who is
authorised to log onto the machine (these are the people who have access to
the folder I want to restrict from local admins), they run an app which
generates some data and then they grab that data and log off. I need to be
sure anyone in the local admin group cannot just take ownership and give
themselves access to the folder and therefore the app. And before you ask,
there is no access control built into the app, otherwise I would use that.

"Roger Abell [MVP]" wrote:

"Gunna" <Gunna@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:98395013-C538-40FF-9DF4-C4CA427B5C2F@xxxxxxxxxxxxxxxx
I know this is a dumb question but I have to ask. Is there any way I can
restrict members of an XP desktop's local administrator group from taking
ownership of a folder? I have given a group access to a folder on an XP
machine and then taken the local administrators group's access to the same
folder away. I want to ensure that local administrators cannot come along
and elevate their own privileges by taking ownership.

The folder holds very sensitive data that admins are not allowed to access;
however, they need local admin rights for some other reasons, e.g. applying
patches and general admin. Is there another group on these desktops that can
be used for admin purposes, like the Server Operators group for servers?

That is not your solution. If the data is that sensitive and the admins are
not sufficiently trusted, then find a different place to hold the data or use
rights management, encryption, or some other means to protect the data.
You may remove the ability of members of the Administrators group to take
ownership, but it is all or none, not something you may selectively remove
for just the one folder. Anyway, removing that right would not prevent them
from getting at the data (consider the backup/restore route).

Roger
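
Added example, not part of the original thread: the replies above say that take ownership is a machine-wide user right and that backup/restore offers another route to the data, so an audit of who holds those rights shows the actual exposure. The script assumes an elevated PowerShell prompt on the machine being checked and parses the user-rights export produced by secedit; the temporary file name is arbitrary.

```powershell
# Added example: list the accounts that hold the user rights discussed in this thread.
# Assumption: run elevated on the machine being audited; secedit.exe ships with Windows.
$rights = 'SeTakeOwnershipPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege'
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())

try {
    # Export only the user-rights area of the local security policy.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
        throw "secedit export failed (is the prompt elevated?)"
    }

    foreach ($line in Get-Content $cfg) {
        # Lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $holders = $Matches[2]
            if ($rights -notcontains $right) { continue }

            foreach ($entry in ($holders -split ',')) {
                $id = $entry.Trim()
                if (-not $id) { continue }
                $name = $id
                if ($id.StartsWith('*')) {
                    # Entries prefixed with '*' are SIDs; resolve to a name where possible.
                    $sid = $id.TrimStart('*')
                    try {
                        $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                        $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $name = $sid   # unresolvable SID: report it as-is
                    }
                }
                New-Object PSObject -Property @{ Right = $right; Holder = $name }
            }
        }
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

Any group listed for one of these rights can reach file data regardless of the folder's ACL, which is why the replies point to encryption or a different storage location instead.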




