Re: What right allows full access?

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 08/18/02 

From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Sat, 17 Aug 2002 20:05:03 -0700

"Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
news:#Jx9H0jRCHA.2456@tkmsftngp09...
> Should I grant the permission for a group to take ownership per disk?

You can, if that is what you wish. But why is it so
important for them to be able to take ownership?

Also, say you go to the root of C: and drill into the
Security tab, advanced view, highlight Everyone
where this group has a grant of Read/Execute, Edit
and scroll down and check to grant the permission
to take ownership, apply, ok, etc.
Afterwards, any account can take ownership of C:
and of file/folders contained in C: except where
inheritance of premissions from the C: root has
been blocked and an new permissions inheritance
point established (such as is the case for most dirs
within a C: that is the install drive).
Suppose someone now takes ownership of C:.
They can now change the permissions at C: to
grant their account and the SYSTEM account
Full Contol, and also say to reset all premissions
from there on down, leaving no other account with
any permissions to anything. If there were no places
where inheritance was blocked, it would be done.
All of C: would be theirs and theirs alone. Now,
in fact inheritance is blocked at many points in the
install drive, so they will only get exclusive access
to some of C: and error out when it tries to remove
the inheritance blocks since they do not have the
permissions to do that (unless you had gone out of
your way to make it so that they did have the permission
to take ownership everywhere). Anyway, you would
end up with a junk system if they did this.
But - that is how to do it. 

--
Roger Abell
MS MVP (Windows Platform), MCSE, MCDBA
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
> "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> news:euFRBjhRCHA.3648@tkmsftngp11...
> > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> > news:u8R78egRCHA.4088@tkmsftngp09...
> > > How to grant the right to Take Ownership of any resource to a group
> > account?
> >
> > You cannot.  The permission to take ownership must be
> > granted per resource.  Otherwise, as Bruce indicated, make
> > the accounts members of Administrators.
> >
> > --
> > Roger Abell
> > MS MVP (Windows Platform), MCSE, MCDBA
> > Associate Expert - Windows XP ExpertZone
> > http://www.microsoft.com/windowsxp/expertzone
> >
> >
> > > "BruceS" <bruce@senexet.com> wrote in message
> > > news:3D5CF46B.2010302@senexet.com...
> > > > Technically, it's the right to Take Ownership of any resource. If an
> > > > administrator is prevented from accessing something, he can always
> take
> > > > ownership. As the new owner he can change permissions to give
himself
> > > > access.
> > > > -Bruce
> > > >
> > > > Dmitriy Kopnichev wrote:
> > > >
> > > > > Hello
> > > > > What right allows an administrator account to have a full access
to
> > all
> > > > > files?
> > > > > --
> > > > > Please, click Message menu, then 'Reply to all' in Outlook
Express.
> > This
> > > > > sends your reply to the newsgroups and to
> > > > > my email address at the same time. Or reply to the newsgroups and
my
> > > e-mail.
> > > > > Mr. Dmitriy Kopnichev
> > > > > e-mail: kopn@hotbox.ru
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>