Re: Deny rights question

From: Jeff Cichocki (jeffc_at_belgioioso.com)
Date: 01/10/05


Date: Mon, 10 Jan 2005 10:45:07 -0600

OK. I have checked the shares and they are set to "Authenticated Users".
It must have been changed somewhere along the way. When I check the
individual directories, there is the "Administrator" account assigned to
each directory with full control. It looks like it is the domain admin
account to me. Is it the share that is letting them have too much or is it
the "Administrator"?

Thanks

Jeff

"Tyler" <Tyler@discussions.microsoft.com> wrote in message
news:ADFA86FA-1D17-4986-BC91-0EB48CCDF4AE@microsoft.com...
> It sounds to me like the shares that they are browsing to are set wide
> open. Either they have share permissions set to Everyone or Domain Users.
>
> When they are browsing through the network the folders that they can see
> on any given server are network shares that they have permissions to.
>
> Tyler
>
>
> "Miha Pihler [MVP]" wrote:
>
>> Hi Jeff,
>>
>> Being local administrator on local Windows XP computers doesn't give
>> users administrative permissions on any other computer in domain.
>>
>> If these users do have administrator permissions on domain server then
>> something else must be misconfigured.
>>
>> Can you check:
>> * on domain (in e.g. your active directory) what groups are these users
>> members of
>> * permissions that are granted to the folders that these users can (but
>> shouldn't) browse
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Jeff Cichocki" <jeffc@belgioioso.com> wrote in message
>> news:unxM%23hy9EHA.3236@TK2MSFTNGP15.phx.gbl...
>> > I have a new 2003 environment that is managing some XP machines. A few
>> > of the XP machines have users that are set up as local admins to their
>> > respective machines. Is there a way to prevent their local admin rights
>> > from giving them admin rights to the domain servers? Specifically, they
>> > can browse the network and open any folder on the server because of
>> > this scenario.
>> >
>> > Thanks
>> >
>> > Jeff
>> >
>>
>>
>>
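
The folder-permission check suggested in the thread, and the "wide open" share condition Tyler describes, can be audited in one pass. The following is an added example, not part of the original posts: it assumes a file server with the SmbShare PowerShell module (Windows Server 2012 or later, not the 2003 server in the thread) and an elevated session, and the helper name `Test-BroadPrincipal` is hypothetical.

```powershell
# Added example (not from the thread). Lists share-level and NTFS "Allow"
# entries for every non-administrative share and flags the broad groups
# named in the thread.

# Principals the thread calls out as making a share "wide open".
$broad = 'Everyone', 'Authenticated Users', 'Domain Users'

function Test-BroadPrincipal {
    param([string]$Account)
    # Strip any DOMAIN\, BUILTIN\ or NT AUTHORITY\ prefix before comparing.
    $name = ($Account -split '\\')[-1]
    return $broad -contains $name
}

$report = foreach ($share in Get-SmbShare -Special $false) {
    if (-not $share.Path) { continue }   # skip shares with no folder behind them

    # Share permissions: the layer Jeff found set to "Authenticated Users".
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Layer   = 'Share'
                Account = $_.AccountName
                Rights  = $_.AccessRight
                Broad   = Test-BroadPrincipal $_.AccountName
            }
        }

    # NTFS permissions on the shared folder: the layer where Jeff saw
    # "Administrator" with full control.
    (Get-Acl -LiteralPath $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Layer   = 'NTFS'
                Account = $_.IdentityReference.Value
                Rights  = $_.FileSystemRights
                Broad   = Test-BroadPrincipal $_.IdentityReference.Value
            }
        }
}

$report | Sort-Object Share, Layer | Format-Table -AutoSize
```

A share whose rows show `Broad = True` on both the Share and NTFS layers is readable by ordinary domain users over the network; a broad entry on only one layer is still limited by the other.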


