Re: Administrator rights to folder

From: Tomppa (tofors99_at_hotmail.com)
Date: 03/09/04

    Date: Tue, 9 Mar 2004 08:51:25 +0200
    
    

    The Audit Object Access is grey and can't be changed and I have a lot of
    error 1030 and 1058 in the application log. Have tried to fix 1030, 1058, no
    luck.

    Any ideas?

    Tomppa

    "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
    news:OqZQm9UBEHA.3852@TK2MSFTNGP10.phx.gbl...
    > There's pretty good documentation about how auditing works. Here's one
    > example of the Win2k docs:
    >
    > http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/acl_audit_file_folder.htm
    >
    > Help and Support on XP/Server 2003 is actually helpful, too. Or you can
    > always google for more information ("site:microsoft.com" will give you only
    > hits from Microsoft).
    > --
    > Drew Cooper [MSFT]
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
    > "Tomppa" <tofors99@hotmail.com> wrote in message
    > news:Ope92FRBEHA.1600@tk2msftngp13.phx.gbl...
    > > Hi!
    > > Auditing sounds like a good start. Have activated auditing on a test folder for
    > > the administrator. But what do I have to do more, to get success/failure
    > > events in the event log?
    > >
    > > Tomppa
    > >
    > >
    > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
    > > news:%23UatYqvAEHA.2800@tk2msftngp13.phx.gbl...
    > > > Regardless, a domain admin can install a keystroke logger or a filter driver
    > > > that snoops files as they are opened. Encryption doesn't really stop an
    > > > admin if the file is ever opened again (or, perhaps if the user ever logs
    > > > onto a domain machine again).
    > > > If you want to see what your admins do to files, use auditing. Even if they
    > > > clear the log, there will be a log of their clearing it.
    > > > If you don't trust them at all they probably shouldn't be admins.
    > > > --
    > > > Drew Cooper [MSFT]
    > > > This posting is provided "AS IS" with no warranties, and confers no rights.
    > > >
    > > >
    > > > "Dusko Savatovic" <savatovic.removespam@hotmail.com> wrote in message
    > > > news:e6E90$rAEHA.3352@TK2MSFTNGP09.phx.gbl...
    > > > > They can hide stuff if they use encryption.
    > > > > However, if they use EFS in a domain environment, it might be possible for
    > > > > domain admins to recover encrypted content.
    > > > >
    > > > > In order to prevent casual recovery in a domain environment, the creation of
    > > > > recovery agents should be strictly monitored and the EFS recovery certificate
    > > > > should be exported (with option "Delete private key if export is
    > > > > successful") from the user Administrator of the
    > > > > First-root-domain-controller.
    > > > >
    > > > > Also, security is not just setting permissions and encryption. It is a
    > > > > process of constant monitoring, evaluation and adaptation to new situations.
    > > > > Think of it as leaving an expensive, secure ATM full of money in the open field
    > > > > without any supervision.
    > > > >
    > > > > Dusko Savatovic
    > > > >
    > > > >
    > > > >
    > > > > "Tomppa" <tofors99@hotmail.com> wrote in message
    > > > > news:O2DHX9nAEHA.1452@TK2MSFTNGP09.phx.gbl...
    > > > > > So the company's "leadgroup" can't "hide" anything from the domain
    > > > > > admin.......
    > > > > >
    > > > > > Tomppa
    > > > > >
    > > > > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
    > > > > > news:ezdI5niAEHA.2316@TK2MSFTNGP10.phx.gbl...
    > > > > > > You can't. That's what it means to be a domain administrator.
    > > > > > > --
    > > > > > > Drew Cooper [MSFT]
    > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
    > > > > > >
    > > > > > >
    > > > > > > "Tomppa" <tofors99@hotmail.com> wrote in message
    > > > > > > news:OlLaG4eAEHA.1456@TK2MSFTNGP09.phx.gbl...
    > > > > > > > Hi
    > > > > > > >
    > > > > > > > Can I prevent a Domain admin from having access to a folder on the DC?
    > > > > > > > If I only give access to user "Bill" the administrator still can right-click
    > > > > > > > the folder and give himself more rights.
    > > > > > > >
    > > > > > > > Tomppa
    > > > > > > >
    > > > > > > >
    > > > > > >
    > > > > > >
    > > > > >
    > > > > >
    > > > >
    > > > >
    > > >
    > > >
    > >
    > >
    >
    >
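
The two halves of file auditing discussed in this thread (an enabled object-access audit policy plus an audit entry on the folder) and the log-clear record Drew Cooper mentions, as an added PowerShell example that is not part of the original posts. It assumes a constructed folder path `C:\Test`, an elevated session, and Windows Vista/Server 2008 or later, where the tools and event IDs differ from the Windows 2000/2003 systems in the thread.

```powershell
# Added example, not from the thread. Assumptions: C:\Test is a constructed path;
# run elevated on Windows Vista/Server 2008 or later.
$folder = 'C:\Test'

# 1. Policy side: object-access auditing must be on in the *effective* policy.
#    When a domain GPO defines the setting, the local policy editor shows it
#    read-only (greyed out) and the GPO value wins.
auditpol /get /subcategory:"File System"
# Only where local policy is authoritative:
# auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Object side: the folder needs an audit entry (SACL) saying whose access,
#    and which kinds of access, should be recorded.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'BUILTIN\Administrators',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the audit entry is present on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 3. Verify: file-system access events (4663 here; 560 on Windows 2000/2003)
#    that mention the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, Message

# 4. Clearing the Security log is itself recorded
#    (1102 here; 517 on Windows 2000/2003).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If step 1 reports "No Auditing", the audit entry from step 2 produces no events until the effective policy is changed.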

