Re: Enterprise Manager and Windows Account

From: BP Margolin (bpmargo@attglobal.net)
Date: 12/03/02 

From: "BP Margolin" <bpmargo@attglobal.net>
Date: Tue, 3 Dec 2002 14:26:02 -0500

Tabassum,

> is there any work around?
Not really. You can do a DENY to the user in the db_owner role, and that
will work, but the user still has the rights to undo the DENY, thus
thwarting your approach.

-------------------------------------------
BP Margolin
Please reply only to the newsgroups.
When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
can be cut and pasted into Query Analyzer is appreciated.

"Tabassum Khan" <tabassum@sys.net.pk> wrote in message
news:OsYnParmCHA.2312@TK2MSFTNGP11...
> giving "db_owner" rights to the new user gives him complete control of
> the database.
>
> is there any work around?
>
> one possible solution that i m thinking of is:
>
> --make an application role
> --add permissions to it (create table etc.)
> --write restore code in VB program
> --deny create table permission to the user
>
> in my opinion, this will prevent the user from restoring that DB from EM
> and Query Analyzer
>
> is that possible???
> any insight will be highly appreciated
>
> regards
> Tabassum
>
>
>
>
>
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

Relevant Pages

  • Re: how to restrict users to search in their own Organizational Unit
    ... I also want to say that in fact you shouldn't deny the read permission to anyone and this scenario the MOSS Administrators or who is responsible for Add users to Your Sites should be carefull when performing this action. ... Now, because you're dealing with many users, my recommendation is to create THE NECESARY Security Groups in each OU and related them with your MOSS2007 existing security groups, in future when someone creates some user, you just have to add that user to the necessary group and that user will be given the necessary permissions. ... decided a script can make it possible to accomplish, ... > If I need to create a security group per OU and then add all users ...
    (microsoft.public.windows.server.active_directory)
  • Re: Share Permissions: Deny behaviour
    ... Deny overrides all other permissions. ... There are two types of Deny (again goes for share and NTFS). ... explicit allow permission, then you're stuck with implicit deny. ...
    (microsoft.public.windows.server.general)
  • Re: how to restrict users to search in their own Organizational Unit
    ... decided a script can make it possible to accomplish, ... You could also TRY removing the "Authenticated Users" ... Domain level since using a lot of DENY ... permissions is in and of itself a poor practice. ...
    (microsoft.public.windows.server.active_directory)
  • Re: NTFS Security Question.
    ... I was not sure that deleting the special permissions would work but you ... Since Windows 2000 deny NTFS permission does not work ... originally configured "closer" to the object in the chain of folders. ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Exmerge errors
    ... To do this open regedit on the system you are administering Exchange ... A Deny does overrule an allow IF they are both inherited. ... An explicite allow at the store level will over-ride the inherited Deny. ... I cannot see where or how to override these permissions. ...
    (microsoft.public.exchange.admin)