Re: What right allows full access?
From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 08/21/02
- Next message: Roger Abell [MVP]: "Re: How to make a copy of a 'Power User' Group?"
- Previous message: The Atomic Ass: "Re: Help! Where are these cookies from?"
- In reply to: Dmitriy Kopnichev: "Re: What right allows full access?"
- Next in thread: Dmitriy Kopnichev: "Re: What right allows full access?"
- Reply: Dmitriy Kopnichev: "Re: What right allows full access?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> Date: Tue, 20 Aug 2002 23:45:04 -0700
There is no simple way, and, it depends on what you
did when you granted Full to Power Users.
You can use the installation template that sets filesystem
permissions, but this takes you back to that time, not to
a time with accounts created and applications installed,
plus whatever other directories you have created.
My rule of thumb advise to people is to not change the
install defaults on the C: drive and its folders that are
loaded during install.
You will need to do some reading on the Security
Configuration Editor and Toolset to see how to apply
a template with the Security Configuration and Analysis
MMC snapin. This last is the tool you would have to use
to reset to the install defaults.
-- Roger Abell MS MVP (Windows Platform), MCSE, MCDBA, MCT Associate Expert - Windows XP ExpertZone http://www.microsoft.com/windowsxp/expertzone "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message news:eYF#u2BSCHA.1496@tkmsftngp11... > I granted a full access to all disk c: contents to the 'Power users' group. > How to restore the 'Power users' group default permissions? > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message > news:up3K9EsRCHA.1672@tkmsftngp12... > > > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message > > news:ugTLjRpRCHA.1652@tkmsftngp09... > > > I don't want to run Windows XP as an Administrator because of Viruses > and > > > Trojan horses, but want to have access to all files and folders. > > > > So log in as an administrator, and then grant permission to > > the Users group on those areas where your non-admin account > > does not have access. Log off from the admin account until > > you next need it for something. This did not involve taking > > ownership. There are a couple areas where even Administrators > > do not have access granted to them, and for these area only > > taking ownership as an admin _might_ be needed. But to have > > access as any account outside Administrators usually a grant > > of Change to Users is sufficient. > > > > And yes, while logged in as admin to modify permissions, > > install that anti-virus software and set it to periodically get > > signature file updates. > > > > > > -- > > Roger Abell > > MS MVP (Windows Platform), MCSE, MCDBA > > Associate Expert - Windows XP ExpertZone > > http://www.microsoft.com/windowsxp/expertzone > > > > > > > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message > > > news:eH5AXPmRCHA.3664@tkmsftngp11... > > > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message > > > > news:#Jx9H0jRCHA.2456@tkmsftngp09... > > > > > Should I grant the permission for a group to take ownership per > disk? > > > > > > > > You can, if that is what you wish. But why is it so > > > > important for them to be able to take ownership? > > > > > > > > Also, say you go to the root of C: and drill into the > > > > Security tab, advanced view, highlight Everyone > > > > where this group has a grant of Read/Execute, Edit > > > > and scroll down and check to grant the permission > > > > to take ownership, apply, ok, etc. > > > > Afterwards, any account can take ownership of C: > > > > and of file/folders contained in C: except where > > > > inheritance of premissions from the C: root has > > > > been blocked and an new permissions inheritance > > > > point established (such as is the case for most dirs > > > > within a C: that is the install drive). > > > > Suppose someone now takes ownership of C:. > > > > They can now change the permissions at C: to > > > > grant their account and the SYSTEM account > > > > Full Contol, and also say to reset all premissions > > > > from there on down, leaving no other account with > > > > any permissions to anything. If there were no places > > > > where inheritance was blocked, it would be done. > > > > All of C: would be theirs and theirs alone. Now, > > > > in fact inheritance is blocked at many points in the > > > > install drive, so they will only get exclusive access > > > > to some of C: and error out when it tries to remove > > > > the inheritance blocks since they do not have the > > > > permissions to do that (unless you had gone out of > > > > your way to make it so that they did have the permission > > > > to take ownership everywhere). Anyway, you would > > > > end up with a junk system if they did this. > > > > But - that is how to do it. > > > > > > > > -- > > > > Roger Abell > > > > MS MVP (Windows Platform), MCSE, MCDBA > > > > Associate Expert - Windows XP ExpertZone > > > > http://www.microsoft.com/windowsxp/expertzone > > > > > > > > > > > > > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message > > > > > news:euFRBjhRCHA.3648@tkmsftngp11... > > > > > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message > > > > > > news:u8R78egRCHA.4088@tkmsftngp09... > > > > > > > How to grant the right to Take Ownership of any resource to a > > group > > > > > > account? > > > > > > > > > > > > You cannot. The permission to take ownership must be > > > > > > granted per resource. Otherwise, as Bruce indicated, make > > > > > > the accounts members of Administrators. > > > > > > > > > > > > -- > > > > > > Roger Abell > > > > > > MS MVP (Windows Platform), MCSE, MCDBA > > > > > > Associate Expert - Windows XP ExpertZone > > > > > > http://www.microsoft.com/windowsxp/expertzone > > > > > > > > > > > > > > > > > > > "BruceS" <bruce@senexet.com> wrote in message > > > > > > > news:3D5CF46B.2010302@senexet.com... > > > > > > > > Technically, it's the right to Take Ownership of any resource. > > If > > > an > > > > > > > > administrator is prevented from accessing something, he can > > always > > > > > take > > > > > > > > ownership. As the new owner he can change permissions to give > > > > himself > > > > > > > > access. > > > > > > > > -Bruce > > > > > > > > > > > > > > > > Dmitriy Kopnichev wrote: > > > > > > > > > > > > > > > > > Hello > > > > > > > > > What right allows an administrator account to have a full > > access > > > > to > > > > > > all > > > > > > > > > files? > > > > > > > > > -- > > > > > > > > > Please, click Message menu, then 'Reply to all' in Outlook > > > > Express. > > > > > > This > > > > > > > > > sends your reply to the newsgroups and to > > > > > > > > > my email address at the same time. Or reply to the > newsgroups > > > and > > > > my > > > > > > > e-mail. > > > > > > > > > Mr. Dmitriy Kopnichev > > > > > > > > > e-mail: kopn@hotbox.ru > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
- Next message: Roger Abell [MVP]: "Re: How to make a copy of a 'Power User' Group?"
- Previous message: The Atomic Ass: "Re: Help! Where are these cookies from?"
- In reply to: Dmitriy Kopnichev: "Re: What right allows full access?"
- Next in thread: Dmitriy Kopnichev: "Re: What right allows full access?"
- Reply: Dmitriy Kopnichev: "Re: What right allows full access?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
