Re: USERS group has the ability to change security permissions???
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/08/05
- Next message: Herb Martin: "Re: Volume Shadow Copy"
- Previous message: David Beder [MSFT]: "Re: IPSEC not working"
- In reply to: Silly: "Re: USERS group has the ability to change security permissions???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 8 May 2005 02:35:08 -0700
Good you have it sorted. Although per MS it was your mistake,
in my view it is MS's mistake that the ACL editor is now doing
this, unlike earlier versions of Windows, but so far I have not
found the right ear in MS to do something about it.
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "Silly" <Silly@discussions.microsoft.com> wrote in message news:4CA99A4F-7CF0-41FE-B8B2-F5D1CC36D7E2@microsoft.com... > okay... it was my mistake. i found out that when reconfiguring the NTFS > permissions, the "Everyone" group had to be deleted and then re-added, in > order for the generic grants (i.e. delete subfolders and files, delete, > change permissions, take ownership, etc) to be removed. thanks again you all > for looking into this. > > "Roger Abell" wrote: > > > Have you used the Advanced view in the NTFS permisssions > > dialog to make sure that there are no grants you have been > > overlooking due to only viewing the generic grants ? > > > > Please open a cmd window, navigate (cd) to the root folder of > > such a location as ones you say Users are able to do this, but > > NTFS is showing that they should not, and then run > > cacls > > and post the output. > > > > -- > > Roger Abell > > Microsoft MVP (Windows Security) > > MCSE (W2k3,W2k,Nt4) MCDBA > > "Silly" <Silly@discussions.microsoft.com> wrote in message > > news:BC5E9146-841C-4325-87F3-8E50B130D446@microsoft.com... > > > no, the users are not belong to any of the power users or administrators, > > AND > > > the NTFS permissions are set on local disks using those of Windows XP as > > the > > > followings: > > > > > > - Administrators: Full Control > > > - Creator Owner: Full Control (Subfolders and Files) > > > - System: Full Control > > > - Users: Read & Execute (This Folder, Subfolders, and Files) > > > - Users: Create Folders / Append Date (This Folder and Subfolders) > > > - Users: Create Files / Write Data (Subfolders Only) > > > - Everyone: Read & Execute > > > > > > I'll set up a clean machine tomorrow and test it against what I found > > today, > > > and will keep you posted. Thanks for checking this. > > > > > > "Steven L Umbach" wrote: > > > > > > > Are the users local administrators?? If so you will not be able to > > > > effectively stop them from changing permissions. Assuming they are not > > you > > > > can modify permissions so that the user can not change permissions. A > > user > > > > needs change permissions, full control, or be owner to change > > permissions. > > > > You should check the permissions of an XP Pro or Windows 2003 Server > > > > computer to get an idea of good default ntfs permissions where by > > default a > > > > regular user can change permissions only on their profile older. --- > > Steve > > > > > > > > > > > > "Silly" <Silly@discussions.microsoft.com> wrote in message > > > > news:C1199C1D-15D2-4F41-9A01-818C7BDE0302@microsoft.com... > > > > > hi all, > > > > > > > > > > i've just learned today that if a user can get access to computer > > > > > management > > > > > console, he/she can go to the "logical drives" and change the NTFS > > > > > permissions set on local hard disks. Besides remove permissions set > > on > > > > > the > > > > > "compmgmt.msc" for users, power users, and everyone groups, is there > > any > > > > > other way that i can set or disable so that the user won't have the > > > > > ability > > > > > to mess up with permissions again. > > > > > > > > > > i am still really confused that the user can just have the ability to > > > > > change > > > > > NTFS permissions like that. please help!!! > > > > > > > > > > > > > > > > > >
- Next message: Herb Martin: "Re: Volume Shadow Copy"
- Previous message: David Beder [MSFT]: "Re: IPSEC not working"
- In reply to: Silly: "Re: USERS group has the ability to change security permissions???"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
