Re: How to prevent ownership change by users with admin rights?
From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 05/28/05
- Next message: Mark Daly: "Restrict user to use only Internet Explorer"
- Previous message: dhanna: "Re: Problems installing Norton I S 2005"
- In reply to: nolonemo_at_yahoo.com: "How to prevent ownership change by users with admin rights?"
- Next in thread: nolonemo_at_yahoo.com: "Re: How to prevent ownership change by users with admin rights?"
- Reply: nolonemo_at_yahoo.com: "Re: How to prevent ownership change by users with admin rights?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 28 May 2005 13:14:01 -0400
The User Accounts applet only allows Administrator and Limited. Click Start, Run and enter LUSRMGR.MSC and you can change the group membership here to Power User or any other valid user type. You can also do this from Start, Run and entering
CONTROL USERPASSWORDS2 Highlight the username, select Properties, Group Membership.
-- Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security Win 95/98/Me/XP Tweaks and Fixes http://www.dougknox.com -------------------------------- Per user Group Policy Restrictions for XP Home and XP Pro http://www.dougknox.com/xp/utils/xp_securityconsole.htm -------------------------------- Please reply only to the newsgroup so all may benefit. Unsolicited e-mail is not answered. <nolonemo@yahoo.com> wrote in message news:1117299518.086308.241960@o13g2000cwo.googlegroups.com... >I have the "Administrator" account on a WinXP Pro computer (and do > administer the computer). I also have my private account on the > computer, that is an administrator type account. Another private > account for another user also is an aministrator type account. (I can > only see options for two kinds of accounts in WinXp (adminstrator and > limited) unlike Win2k, which I recall had more -- am I right about > WinXP having only two? I think my problem wouldn't exist under Win2k > because I could set up the private accounts as "power users") Thus, the > other private account is a member of the "Administrators" group. For > reasons I won't go into here, the other private account must have admin > rights. Simple file sharing" is turned off on the system. > > I have created a private folder on the machine that has its security > settings set only to allow access to me (i.e., no sharing, and only my > private account is given any permissions. > > However, the folder is not really secure, because although the other > private account holder cannot access the folder itself, they can defeat > the security settings on it. This is because they can access the > properties page for the folder, and even though they cannot initially > change the permissions for the folder, they can access the ownership > properties page for the folder, which shows that "Administrators" as > well as I can take ownership of the folder. Then, by changing ownership > of the folder from my account to "Administrators" , they can then > change the privileges to give "Administrators" full control. And, > because their account is part of the "Administrators" group, they end > up with access to the folder. > > I tried to prevent this from happening by logging on as > "Administrator," goiing into Control Panel -> Administrative Tools -> > Local Security Settings -> User Rights Assignments, and I changed the > value for Take Ownership of Files or Other Objects from > "Administrators" to "Administrator". Now, (after a reboot) the other > person cannot, from their account, change the ownership of my private > folder to "Administrators" and then proceed to unlock it because > "Administrators" no longer shows up as a possible owner of the folder. > > But this security provision can also be defeated, because, the other > user can go into User Rights Assignment and change the permission for > Take Ownership of Files or Other Objects back to "Administrators" from > "Administrator"! Even if I delete the "Administrators" group, (which as > I understand under XP cannot be restored once deleted), the other user > can still add their own account to the permissions for Take Ownership > of Files or Other Objects" (because, it appears, any user with > administrative privilveges can alter the security settings). So my > folder is still not secure. > > Is there a way to prevent any user besides the "Administrator" from > accessing "Administrative Tools" or "Local Security Settings?" Any > other ideas? Am I missing something? > > Thanks >
- Next message: Mark Daly: "Restrict user to use only Internet Explorer"
- Previous message: dhanna: "Re: Problems installing Norton I S 2005"
- In reply to: nolonemo_at_yahoo.com: "How to prevent ownership change by users with admin rights?"
- Next in thread: nolonemo_at_yahoo.com: "Re: How to prevent ownership change by users with admin rights?"
- Reply: nolonemo_at_yahoo.com: "Re: How to prevent ownership change by users with admin rights?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
