Re: Deny rights question
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 01/13/05
- Next message: Roger Abell [MVP]: "Re: Network Service unable to add spn"
- Previous message: Pegasus \(MVP\): "Re: Prevent automatic mapping to home directry on logon - W2K3 TS"
- In reply to: Jeff Cichocki: "Re: Deny rights question"
- Next in thread: Steven L Umbach: "Re: Deny rights question"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 12 Jan 2005 23:03:50 -0700
That Administrator in the NTFS is likely the machine local
Administrator of the machine that is sharing out the storage.
The share level and NTFS level permissions must both
grant a permission (and neither deny it) to an account (even
if via a group) in order for it to be able to use that permission.
-- Roger Abell Microsoft MVP (Windows Server System: Security) MCDBA, MCSE W2k3+W2k+Nt4 "Jeff Cichocki" <jeffc@belgioioso.com> wrote in message news:%23BVDSPz9EHA.3504@TK2MSFTNGP12.phx.gbl... > OK. I have checked the shares and they are set to "Authenticated Users". > It must have been changed somewhere along the way. When I check the > individual directories, there is the "Administrator" account assigned to > each directory with full control. It looks like it is the domain admin > account to me. Is it the share that is letting them have to much or is it > the "Administrator"? > > Thanks > > Jeff > > > "Tyler" <Tyler@discussions.microsoft.com> wrote in message > news:ADFA86FA-1D17-4986-BC91-0EB48CCDF4AE@microsoft.com... >> It sounds to me like the shares that they are browsing to are set wide >> open. >> Either they have share permissions set to Everyone or Domain Users. >> >> When they are browsing through the network the folders that they can see >> on >> any given server are network shares that they have permissions to. >> >> Tyler >> >> >> "Miha Pihler [MVP]" wrote: >> >>> Hi Jeff, >>> >>> Being local administrator on local Windows XP computers doesn't give >>> users >>> administrative permissions on any other computer in domain. >>> >>> If these users do have administrator permissions on domain server then >>> something else must be miss configured. >>> >>> Can you check: >>> * on domain (in e.g. your active directory) what groups are these users >>> members of >>> * permissions that are granted to the folders that these users can (but >>> shouldn't) browse >>> >>> -- >>> Mike >>> Microsoft MVP - Windows Security >>> >>> "Jeff Cichocki" <jeffc@belgioioso.com> wrote in message >>> news:unxM%23hy9EHA.3236@TK2MSFTNGP15.phx.gbl... >>> >I have a new 2003 environment that is managing some XP machines. A few >>> >of >>> >the XP machines have users that set up as local admins to their >>> >respective >>> >machines. Is there a way to prevent their local admin rights from >>> >giving >>> >them admin rights to the domain servers? Specifically, they can browse >>> >the >>> >network and open any folder on the server because of this scenario. >>> > >>> > Thanks >>> > >>> > Jeff >>> > >>> >>> >>> > >
- Next message: Roger Abell [MVP]: "Re: Network Service unable to add spn"
- Previous message: Pegasus \(MVP\): "Re: Prevent automatic mapping to home directry on logon - W2K3 TS"
- In reply to: Jeff Cichocki: "Re: Deny rights question"
- Next in thread: Steven L Umbach: "Re: Deny rights question"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
