Re: ntfs file permissions, ownership
- From: "Al Dunbar" <AlanNOSPAmDrub@xxxxxxxxxxx>
- Date: Sat, 14 Jan 2006 09:26:11 -0800
"Carsten Krueger" <use.net.cakruege@xxxxxxxxxxxxx> wrote in message
news:17xiydxapbvkf.dlg@xxxxxxxxxxxxxxxxxxxxxx
> On 13 Jan 2006 20:57:16 -0800, Dan Lewis wrote:
>
>> currently have any permissions to (as administrator), without taking
>> ownership (or do it by taking ownership, and then restoring the
>> original owner).
>
> Why is this a problem?
It doesn't matter why it's a problem; this is just what he wants to do.
IMHO, if an administrator account does not have change permissions access to
NTFS objects, then, simply by definition, it cannot change permissions
without somehow acquiring this access. One of the attributes of an
administrator account is that it can take ownership, as a result of its
being the "owner" of the computer itself.
I see only two ways that the permissions can be changed:
a) take ownership. Unfortunately setting the ownership back afterwards is
not so straightforward to accomplish, at least natively. There may be third
party tools that can do this, but it appears that the OP does not want to do
it this way.
b) get the owner to make the changes by one of the following methods (which
may depend on your organization's security policies):
b.1) ask the person to do it, and show them how.
b.2) ask the person to login, and then watch you make the change.
b.3) ask the person to "run this script which will correct some security
settings...".
b.4) run a corrective script from the logon script.
b.5) reset the user's password, use the altered credentials to make the
necessary change, then reset the user's password and advise him by your
normal methods of what it has been changed to.
b.6) wait until the user has logon problems, and when asked to reset the
password, do it following the steps outlined in point "b.5".
In our environment, if it turned out that the only way to feasibly
accomplish this was for an admin to actually use the user's credentials, the
reasons would have to be well documented, and the process would have to be
specifically authorized, monitored, and audited.
It is easy to say, however, that an administrator account should be able to
do *anything*, whether interactively or through a script. Unfortunately, the
users of administrator accounts are generally human and not god-like, hence
administrators must also play by the rules. If they were weakened for
administrators then, well, the rules would be weakened, and that is not a
good thing.
Or think of it this way: is God so all-powerful that he could create a rock
so heavy that he would be unable to lift it, or the IT corollary: is the
administrator so all-powerful that he can create security boundaries that
are so secure he himself cannot get past them. Two interesting conundra.
/Al
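The take-ownership-then-restore route in point (a), as an added PowerShell example that is not part of Al's post or the original thread: it records the original owner before touching anything, stops if that owner cannot even be read (the case where restoring it is not possible natively), takes ownership, grants the requested access, hands ownership back, verifies the result and writes a log line for each state so the action can be audited. It assumes an elevated session on Windows Vista or later (takeown.exe and icacls.exe present) run by a member of Administrators, who hold SeTakeOwnershipPrivilege and SeRestorePrivilege by default, and assumes that icacls /setowner enables SeRestorePrivilege so an owner other than the caller can be assigned. The function name, the paths, the account names and the log file location are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows Vista or later, run by a member of Administrators.
# All names below ($Path, $Identity, log location) are placeholders.
function Grant-AccessKeepingOwner {
    param(
        [Parameter(Mandatory)] [string] $Path,      # e.g. 'D:\Shares\Project\report.docx'
        [Parameter(Mandatory)] [string] $Identity,  # e.g. 'CORP\helpdesk'
        [string] $Rights  = 'M',                    # icacls simple rights: F, M, RX, R, W
        [string] $LogFile = "$env:TEMP\owner-restore.log"
    )

    # Step 0: record the original owner BEFORE taking ownership. Get-Acl needs
    # READ_CONTROL; if even that is denied, the owner cannot be recovered with
    # built-in tools, so stop here rather than overwrite it.
    try {
        $originalOwner = (Get-Acl -LiteralPath $Path).Owner
    } catch {
        throw "Cannot read the current owner of '$Path' ($($_.Exception.Message)); " +
              "taking ownership now would lose it. Aborting."
    }
    "$(Get-Date -Format o) BEFORE owner=$originalOwner path=$Path by=$env:USERNAME" |
        Add-Content -LiteralPath $LogFile

    # An owner that no longer resolves comes back as a raw SID string; icacls
    # accepts numeric SIDs only when prefixed with '*'.
    $ownerArg = if ($originalOwner -like 'S-1-*') { "*$originalOwner" } else { $originalOwner }

    # Step 1: take ownership. takeown.exe enables SeTakeOwnershipPrivilege itself.
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # Step 2: as owner we now have implicit WRITE_DAC, so the ACE can be added.
    & icacls.exe $Path /grant "${Identity}:($Rights)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

    # Step 3: hand ownership back. Assigning an owner other than yourself needs
    # SeRestorePrivilege (assumed to be enabled by icacls for this call).
    & icacls.exe $Path /setowner $ownerArg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed with exit code $LASTEXITCODE" }

    # Step 4: verify and log the resulting state.
    $after = Get-Acl -LiteralPath $Path
    "$(Get-Date -Format o) AFTER owner=$($after.Owner) path=$Path by=$env:USERNAME" |
        Add-Content -LiteralPath $LogFile
    if ($after.Owner -ne $originalOwner) {
        throw "Owner is '$($after.Owner)', expected '$originalOwner'"
    }
    return $after
}

# Usage (placeholder values):
# Grant-AccessKeepingOwner -Path 'D:\Shares\Project\report.docx' -Identity 'CORP\helpdesk' -Rights 'M'
```

The abort in step 0 is the important part: if the administrator has no access at all, the owner is unreadable, and taking ownership first would silently destroy the only record of it. The BEFORE/AFTER log lines exist for the documentation and audit requirements Al describes; they do not make the change any less of an override of the object's permissions.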