Re: What right allows full access?

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 08/24/02 

From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Fri, 23 Aug 2002 22:43:04 -0700

It was the checking of the option in the advanced edit view
to replace ACL on all child objects that may have made the
being difference.
Without this, you would only need to return to where you
had added permissions for Power Users, and remove what
you added. But, because you did check this, it forces the
ACL to replace any anywhere in the substructure. So, it
there were areas within where inheritance had been stopped
and a different ACL set for inheritance from that point, it
was erased. For example, the install drive has many places
where inheritance changes, so if you did this at the root of
that drive, then you wiped out all variations that had been
set with new inheritance points. To recover from this, you
need to use the install templates to get back to something
close to what was there. 

--
Roger Abell
MS MVP (Windows Platform), MCSE, MCDBA
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
"Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
news:eBIuxHOSCHA.1676@tkmsftngp12...
> I would not grant Full access to Power Users group if I could make a copy
of
> the Power Users group. I would grant Full access to a copy of Power Users
> group.
> When I granted Full to Power Users I added 'Power Users' group to 'Group
or
> user names:' window on 'Security' tab in 'Local Disk c: Properties'
window.
> I selected 'Power Users' group and checked 'Full control' in 'Allow'
column
> in 'Permissions for Administrators' window. Then I clicked 'advanced'
button
> and checked 'Replace permission entries on all child objects with entries
> shown here that apply to child objects'.
> "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> news:OYal33NSCHA.3772@tkmsftngp08...
> > There is no simple way, and, it depends on what you
> > did when you granted Full to Power Users.
> > You can use the installation template that sets filesystem
> > permissions, but this takes you back to that time, not to
> > a time with accounts created and applications installed,
> > plus whatever other directories you have created.
> > My rule of thumb advise to people is to not change the
> > install defaults on the C: drive and its folders that are
> > loaded during install.
> >
> > You will need to do some reading on the Security
> > Configuration Editor and Toolset to see how to apply
> > a template with the Security Configuration and Analysis
> > MMC snapin.  This last is the tool you would have to use
> > to reset to the install defaults.
> >
> > --
> > Roger Abell
> > MS MVP (Windows Platform), MCSE, MCDBA, MCT
> > Associate Expert - Windows XP ExpertZone
> > http://www.microsoft.com/windowsxp/expertzone
> >
> > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> > news:eYF#u2BSCHA.1496@tkmsftngp11...
> > > I granted a full access to all disk c: contents to the 'Power users'
> > group.
> > > How to restore the 'Power users' group default permissions?
> > > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> > > news:up3K9EsRCHA.1672@tkmsftngp12...
> > > >
> > > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> > > > news:ugTLjRpRCHA.1652@tkmsftngp09...
> > > > > I don't want to run Windows XP as an Administrator because of
> Viruses
> > > and
> > > > > Trojan horses, but want to have access to all files and folders.
> > > >
> > > > So log in as an administrator, and then grant permission to
> > > > the Users group on those areas where your non-admin account
> > > > does not have access.  Log off from the admin account until
> > > > you next need it for something.  This did not involve taking
> > > > ownership.  There are a couple areas where even Administrators
> > > > do not have access granted to them, and for these area only
> > > > taking ownership as an admin _might_ be needed.  But to have
> > > > access as any account outside Administrators usually a grant
> > > > of Change to Users is sufficient.
> > > >
> > > > And yes, while logged in as admin to modify permissions,
> > > > install that anti-virus software and set it to periodically get
> > > > signature file updates.
> > > >
> > > >
> > > > --
> > > > Roger Abell
> > > > MS MVP (Windows Platform), MCSE, MCDBA
> > > > Associate Expert - Windows XP ExpertZone
> > > > http://www.microsoft.com/windowsxp/expertzone
> > > >
> > > >
> > > > > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> > > > > news:eH5AXPmRCHA.3664@tkmsftngp11...
> > > > > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> > > > > > news:#Jx9H0jRCHA.2456@tkmsftngp09...
> > > > > > > Should I grant the permission for a group to take ownership
per
> > > disk?
> > > > > >
> > > > > > You can, if that is what you wish.  But why is it so
> > > > > > important for them to be able to take ownership?
> > > > > >
> > > > > > Also, say you go to the root of C: and drill into the
> > > > > > Security tab, advanced view, highlight Everyone
> > > > > > where this group has a grant of Read/Execute, Edit
> > > > > > and scroll down and check to grant the permission
> > > > > > to take ownership, apply, ok, etc.
> > > > > > Afterwards, any account can take ownership of C:
> > > > > > and of file/folders contained in C: except where
> > > > > > inheritance of premissions from the C: root has
> > > > > > been blocked and an new permissions inheritance
> > > > > > point established (such as is the case for most dirs
> > > > > > within a C: that is the install drive).
> > > > > > Suppose someone now takes ownership of C:.
> > > > > > They can now change the permissions at C: to
> > > > > > grant their account and the SYSTEM account
> > > > > > Full Contol, and also say to reset all premissions
> > > > > > from there on down, leaving no other account with
> > > > > > any permissions to anything.  If there were no places
> > > > > > where inheritance was blocked, it would be done.
> > > > > > All of C: would be theirs and theirs alone.  Now,
> > > > > > in fact inheritance is blocked at many points in the
> > > > > > install drive, so they will only get exclusive access
> > > > > > to some of C: and error out when it tries to remove
> > > > > > the inheritance blocks since they do not have the
> > > > > > permissions to do that (unless you had gone out of
> > > > > > your way to make it so that they did have the permission
> > > > > > to take ownership everywhere).  Anyway, you would
> > > > > > end up with a junk system if they did this.
> > > > > > But - that is how to do it.
> > > > > >
> > > > > > --
> > > > > > Roger Abell
> > > > > > MS MVP (Windows Platform), MCSE, MCDBA
> > > > > > Associate Expert - Windows XP ExpertZone
> > > > > > http://www.microsoft.com/windowsxp/expertzone
> > > > > >
> > > > > >
> > > > > > > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> > > > > > > news:euFRBjhRCHA.3648@tkmsftngp11...
> > > > > > > > "Dmitriy Kopnichev" <kopn@hotbox.ru> wrote in message
> > > > > > > > news:u8R78egRCHA.4088@tkmsftngp09...
> > > > > > > > > How to grant the right to Take Ownership of any resource
to
> a
> > > > group
> > > > > > > > account?
> > > > > > > >
> > > > > > > > You cannot.  The permission to take ownership must be
> > > > > > > > granted per resource.  Otherwise, as Bruce indicated, make
> > > > > > > > the accounts members of Administrators.
> > > > > > > >
> > > > > > > > --
> > > > > > > > Roger Abell
> > > > > > > > MS MVP (Windows Platform), MCSE, MCDBA
> > > > > > > > Associate Expert - Windows XP ExpertZone
> > > > > > > > http://www.microsoft.com/windowsxp/expertzone
> > > > > > > >
> > > > > > > >
> > > > > > > > > "BruceS" <bruce@senexet.com> wrote in message
> > > > > > > > > news:3D5CF46B.2010302@senexet.com...
> > > > > > > > > > Technically, it's the right to Take Ownership of any
> > resource.
> > > > If
> > > > > an
> > > > > > > > > > administrator is prevented from accessing something, he
> can
> > > > always
> > > > > > > take
> > > > > > > > > > ownership. As the new owner he can change permissions to
> > give
> > > > > > himself
> > > > > > > > > > access.
> > > > > > > > > > -Bruce
> > > > > > > > > >
> > > > > > > > > > Dmitriy Kopnichev wrote:
> > > > > > > > > >
> > > > > > > > > > > Hello
> > > > > > > > > > > What right allows an administrator account to have a
> full
> > > > access
> > > > > > to
> > > > > > > > all
> > > > > > > > > > > files?
> > > > > > > > > > > --
> > > > > > > > > > > Please, click Message menu, then 'Reply to all' in
> Outlook
> > > > > > Express.
> > > > > > > > This
> > > > > > > > > > > sends your reply to the newsgroups and to
> > > > > > > > > > > my email address at the same time. Or reply to the
> > > newsgroups
> > > > > and
> > > > > > my
> > > > > > > > > e-mail.
> > > > > > > > > > > Mr. Dmitriy Kopnichev
> > > > > > > > > > > e-mail: kopn@hotbox.ru
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>