Re: What right allows full access?

From: Dmitriy Kopnichev (kopn@hotbox.ru)
Date: 08/18/02

Next message: Walter Clayton: "Re: they were there before. Re: not using fast user switching. Re: Logs off after choosing a built-in guest account"
Previous message: Dmitriy Kopnichev: "Re: they were there before. Re: not using fast user switching. Re: Logs off after choosing a built-in guest account"
In reply to: Roger Abell [MVP]: "Re: What right allows full access?"
Next in thread: Shenan: "Re: What right allows full access?"
Reply: Shenan: "Re: What right allows full access?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Dmitriy Kopnichev" <kopn@hotbox.ru>
Date: Sun, 18 Aug 2002 20:59:37 +0400

How to grant permission to the Users group on those areas where my non-admin
account does not have access?
"Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
news:up3K9EsRCHA.1672@tkmsftngp12...
>
> "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> news:ugTLjRpRCHA.1652@tkmsftngp09...
> > I don't want to run Windows XP as an Administrator because of Viruses
and
> > Trojan horses, but want to have access to all files and folders.
>
> So log in as an administrator, and then grant permission to
> the Users group on those areas where your non-admin account
> does not have access. Log off from the admin account until
> you next need it for something. This did not involve taking
> ownership. There are a couple areas where even Administrators
> do not have access granted to them, and for these area only
> taking ownership as an admin _might_ be needed. But to have
> access as any account outside Administrators usually a grant
> of Change to Users is sufficient.
>
> And yes, while logged in as admin to modify permissions,
> install that anti-virus software and set it to periodically get
> signature file updates.
>
>
> --
> Roger Abell
> MS MVP (Windows Platform), MCSE, MCDBA
> Associate Expert - Windows XP ExpertZone
> http://www.microsoft.com/windowsxp/expertzone
>
>
> > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> > news:eH5AXPmRCHA.3664@tkmsftngp11...
> > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> > > news:#Jx9H0jRCHA.2456@tkmsftngp09...
> > > > Should I grant the permission for a group to take ownership per
disk?
> > >
> > > You can, if that is what you wish. But why is it so
> > > important for them to be able to take ownership?
> > >
> > > Also, say you go to the root of C: and drill into the
> > > Security tab, advanced view, highlight Everyone
> > > where this group has a grant of Read/Execute, Edit
> > > and scroll down and check to grant the permission
> > > to take ownership, apply, ok, etc.
> > > Afterwards, any account can take ownership of C:
> > > and of file/folders contained in C: except where
> > > inheritance of premissions from the C: root has
> > > been blocked and an new permissions inheritance
> > > point established (such as is the case for most dirs
> > > within a C: that is the install drive).
> > > Suppose someone now takes ownership of C:.
> > > They can now change the permissions at C: to
> > > grant their account and the SYSTEM account
> > > Full Contol, and also say to reset all premissions
> > > from there on down, leaving no other account with
> > > any permissions to anything. If there were no places
> > > where inheritance was blocked, it would be done.
> > > All of C: would be theirs and theirs alone. Now,
> > > in fact inheritance is blocked at many points in the
> > > install drive, so they will only get exclusive access
> > > to some of C: and error out when it tries to remove
> > > the inheritance blocks since they do not have the
> > > permissions to do that (unless you had gone out of
> > > your way to make it so that they did have the permission
> > > to take ownership everywhere). Anyway, you would
> > > end up with a junk system if they did this.
> > > But - that is how to do it.
> > >
> > > --
> > > Roger Abell
> > > MS MVP (Windows Platform), MCSE, MCDBA
> > > Associate Expert - Windows XP ExpertZone
> > > http://www.microsoft.com/windowsxp/expertzone
> > >
> > >
> > > > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> > > > news:euFRBjhRCHA.3648@tkmsftngp11...
> > > > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> > > > > news:u8R78egRCHA.4088@tkmsftngp09...
> > > > > > How to grant the right to Take Ownership of any resource to a
> group
> > > > > account?
> > > > >
> > > > > You cannot. The permission to take ownership must be
> > > > > granted per resource. Otherwise, as Bruce indicated, make
> > > > > the accounts members of Administrators.
> > > > >
> > > > > --
> > > > > Roger Abell
> > > > > MS MVP (Windows Platform), MCSE, MCDBA
> > > > > Associate Expert - Windows XP ExpertZone
> > > > > http://www.microsoft.com/windowsxp/expertzone
> > > > >
> > > > >
> > > > > > "BruceS" <bruce@senexet.com> wrote in message
> > > > > > news:3D5CF46B.2010302@senexet.com...
> > > > > > > Technically, it's the right to Take Ownership of any resource.
> If
> > an
> > > > > > > administrator is prevented from accessing something, he can
> always
> > > > take
> > > > > > > ownership. As the new owner he can change permissions to give
> > > himself
> > > > > > > access.
> > > > > > > -Bruce
> > > > > > >
> > > > > > > Dmitriy Kopnichev wrote:
> > > > > > >
> > > > > > > > Hello
> > > > > > > > What right allows an administrator account to have a full
> access
> > > to
> > > > > all
> > > > > > > > files?
> > > > > > > > --
> > > > > > > > Please, click Message menu, then 'Reply to all' in Outlook
> > > Express.
> > > > > This
> > > > > > > > sends your reply to the newsgroups and to
> > > > > > > > my email address at the same time. Or reply to the
newsgroups
> > and
> > > my
> > > > > > e-mail.
> > > > > > > > Mr. Dmitriy Kopnichev
> > > > > > > > e-mail: kopn@hotbox.ru
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Next message: Walter Clayton: "Re: they were there before. Re: not using fast user switching. Re: Logs off after choosing a built-in guest account"
Previous message: Dmitriy Kopnichev: "Re: they were there before. Re: not using fast user switching. Re: Logs off after choosing a built-in guest account"
In reply to: Roger Abell [MVP]: "Re: What right allows full access?"
Next in thread: Shenan: "Re: What right allows full access?"
Reply: Shenan: "Re: What right allows full access?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: What right allows full access?
... >> Should I grant the permission for a group to take ownership per disk? ... any account can take ownership of C: ... > inheritance of premissions from the C: ...
(microsoft.public.windowsxp.security_admin)
Re: Super Calendar User Only?
... in E2000 and E2003 you must grant an account or group this permission ... > to open up their calendars to the company and want to ...
(microsoft.public.exchange.admin)
RE: User name password dialogue box
... If you site doesn't grant the permission to one account and disable the ... Right-click the 1033 folder to open the folder property dialog. ...
(microsoft.public.sharepoint.portalserver.development)
Re: IIS 6 Network Service Account vs. IIS 5 IWAM_<MachineName>
... You can create a new domain account and set it as this application ... Then grant this domain account with appropriate ... To make the new account has proper permission to act as an IIS ...
(microsoft.public.inetserver.iis)
Re: What right allows full access?
... > Should I grant the permission for a group to take ownership per disk? ... any account can take ownership of C: ...
(microsoft.public.windowsxp.security_admin)