Re: MMC - admin locked out too

From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Sun, 29 Dec 2002 08:09:35 -0700

Sam,

I probably should have added that the Deny is used here
as it prevents reading of the content, and hence keeps
policy from being applied. Removing all permissions
granted to Administrators would also do this, but one
would need to remove grants to all groups that include
admin accounts, which would lead to interrupting it for
all other accounts, etc., unless a custom group is defined
and granted permissions for all of those other accounts.
Using the Deny overrides the grants made to admins in
a more simple way.

--
Roger
"Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
news:eLtTfp0rCHA.2296@TK2MSFTNGP09...
> You have good points, and it is great to use caution.
>
> Taking the second first, Administrators do not get
> badly hosed up and locked out from this because
> they own the folder and its contents.  An Owner can
> always change the permissions of what they own, even
> when they have no permissions on it or as in this case
> even when they are explicitly denied the permissions
> (even the permission to alter permissions).
> This is one of those more obscure corners of how Windows
> NTFS permissions work, but a corner that is all important
> at times.
>
> To set the deny of Full Control you do not need to access
> the Advanced dialog within the Security tab of the filesystem
> object's properties.  Assuming the simplified share is shut off
> so one does get the separate Security tab in the properties,
> then one just highlights Administrators and checks under
> the Deny column for the Full Control line.
>
> ( Folks reading this thread should note that this is for Pro,
> and this method is not of use for Home edition since one is
> not manipulating the local group policies there anyway, and
> one cannot get at this dialog in a normal boot. )
>
> --
> Roger
>
> "Sam" <scams@msn.com> wrote in message
> news:#P7Pq#zrCHA.2308@TK2MSFTNGP09...
> > Roger, I would appreciate a clarification about using the "Deny of Full
> > Control for the Administrators."  First, regarding how to apply the Deny of
> > Full Control for the Administrators, I right clicked on the windows/system32
> > folder, selected properties, and checked both tabs (General and Security
> > tabs) and then clicked on the Advanced button on the Security tab, but still
> > could not find (or did not see) how to apply the Deny of Full Control for
> > the Administrators.
> >
> > Second, if one applies the "DENY OF FULL CONTROL for the Administrators," it
> > would literally appear by the name description, that this "completely" locks
> > out the Administrators and thus prevents the Administrators from ever
> > changing back to the original value or access.  I am not questioning the
> > validity of your comments, I am concerned that I have missed something
> > and/or understanding about using the Deny of Full Control for the
> > Administrators.  I don't want to lock out the Administrator/User account!
> > Thanks for any clarification, Sam.
> >
> >
> > "Roger Abell [MVP]" <mvpNOSPAM@asu.edu> wrote in message
> > news:u4HOUptrCHA.1632@TK2MSFTNGP12...
> > > As an alternative to your predicament, locate the
> > > GroupPolicies folder in Windows\System32 and
> > > set a Deny of Full Control for the Administrators.
> > > Then, log off and back in as an admin, remove
> > > the Deny, and edit local policy to remove what
> > > you do not want applied to _all_ users, including
> > > Administrators.
> > >
> > > If you are not interoperating with Windows 2000
> > > systems you probably do not want to weaken the
> > > XP system by enabling any of the old W2k behaviors.
> > >
> > > --
> > > Roger
> > >
> > > "ericB" <Cyber-Fiend@pacbell.net> wrote in message
> > > news:018d01c2aed4$88bbbd20$d6f82ecf@TK2MSFTNGXA13...
> > > > I'm on my PC, a standalone PC, running WinXP, with one
> > > > Administrator acct, two accts with admin privileges, one
> > > > acct with user privileges & the guest acct.  I was in
> > > > MMC.  I created a new console for security & was in
> > > > group/local policies, setting restrictions on what could
> > > > be done on the computer by users.  EVERYTHING I set said
> > > > it was supposed to affect what users could or could not
> > > > do.  Such as restricting running MMC, no "Run" or command
> > > > line, etc.  I only wanted admins to have those
> > > > privileges.  When I closed MMC, now, even I can't get to
> > > > cmd line, Run cmd, or open MMC.  It keeps saying talk to
> > > > your system administrator.   I AM the system
> > > > administrator.  What happened?
> > > >
> > > > Did I mess up by setting those things that said something
> > > > about "they work in Win 2000" ?  Was I only supposed to
> > > > set the ones that said WinXP?  Please help.
> > > >
> > > > 1.  How do I get the Run cmd to work now?
> > > > 2. After doing so, how do I get MMC to recognize my admin
> > > > password?
> > > >
> > > > thanks
> > > > ericB
> > >
> > >
> >
> >
>
>
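
The behaviour Roger describes in this thread (an explicit Deny overriding the grants made to Administrators, while the owner can still change the permissions) can be followed in a simplified Python model of the NTFS access check. This is an added example, not code from the thread; the folder's DACL, the token contents and the function names are constructed for illustration, and only the access-mask constants are the real Windows values.

```python
# Simplified model of the NTFS access check (added example; constructed data).
READ_CONTROL = 0x00020000   # read the security descriptor
WRITE_DAC    = 0x00040000   # change the permissions (the DACL)
FILE_READ    = 0x00000001   # FILE_LIST_DIRECTORY / FILE_READ_DATA
FULL_CONTROL = 0x001F01FF   # FILE_ALL_ACCESS

ADMINS, USERS, SYSTEM = "BUILTIN\\Administrators", "BUILTIN\\Users", "NT AUTHORITY\\SYSTEM"

def access_check(token_sids, owner, dacl, desired):
    """Return True only if every bit in `desired` ends up granted.

    dacl is an ordered list of (ace_type, sid, mask) tuples. ACEs are walked
    in order; a deny ACE that hits a still-ungranted requested bit ends the walk.
    """
    granted = 0
    # Owner rule: the owner implicitly holds READ_CONTROL and WRITE_DAC
    # before the DACL is consulted, so a deny ACE cannot take them away.
    if owner in token_sids:
        granted |= (READ_CONTROL | WRITE_DAC) & desired
    for ace_type, sid, mask in dacl:
        if granted == desired:
            break
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & desired & ~granted:
            return False
        if ace_type == "allow":
            granted |= mask & desired
    return granted == desired

def with_deny(dacl, sid, mask):
    """Add an explicit deny in canonical order (denies precede allows)."""
    return [("deny", sid, mask)] + list(dacl)

# Constructed stand-in for the GroupPolicy folder: owned by Administrators.
BASE_DACL = [("allow", ADMINS, FULL_CONTROL), ("allow", SYSTEM, FULL_CONTROL),
             ("allow", USERS, FILE_READ | READ_CONTROL)]
DENIED_DACL = with_deny(BASE_DACL, ADMINS, FULL_CONTROL)
ADMIN_TOKEN = ["PC\\eric", ADMINS, USERS]     # an admin account (constructed)
USER_TOKEN = ["PC\\kid", USERS]               # a limited account (constructed)

def scenario():
    return {
        "admin reads policy before deny": access_check(ADMIN_TOKEN, ADMINS, BASE_DACL, FILE_READ),
        "admin reads policy after deny": access_check(ADMIN_TOKEN, ADMINS, DENIED_DACL, FILE_READ),
        "admin (owner) can remove the deny": access_check(ADMIN_TOKEN, ADMINS, DENIED_DACL, WRITE_DAC),
        "limited user still reads policy": access_check(USER_TOKEN, ADMINS, DENIED_DACL, FILE_READ),
        "admin can remove deny if not owner": access_check(ADMIN_TOKEN, SYSTEM, DENIED_DACL, WRITE_DAC),
    }
```

The last entry shows that the recovery step depends on ownership: with a different owner on the folder, the same Deny would leave the admin unable to change the permissions back.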