Changing Folder Security Settings

Status
Not open for further replies.

jfgonzalez

Technical User
Apr 16, 2002
36
US
Is it possible to prevent a user on a Windows XP machine who is a Power User from changing security settings (adding users, for example) on certain folders that reside on an NT Server? Also, is there a way to prevent such a user from taking control of a folder on the same NT Server to which they would normally not have access?

We map a share drive to a folder on our NT Server for all our users. Some folders allow access for all users, others are restricted. One of our users, who is clearly violating our company electronic media policy, is adding users to directories they shouldn't be from their XP workstation. I've since learned that they can gain access to a folder they would normally be denied access to by simply taking complete ownership of the folder.

Any advice on how to stop this kind of unauthorized access?

Thanks,

JFG
 
Hrm...that seems odd to me. You threw in two separate access points there. The first is local machine security and the second is network security.

What is this user's access to your network? And what is his share level access to all the folders that he is adjusting the ownership for?

Unless I'm missing some information on a major bug he has to have access to a "Backup Operator" or above level of security on the network, not his local machine.

Next up, ensure that your network shares are not set for anyone to have "special permissions", this gives the ability of a user to begin toying with adding and removing users.

A bit of information on NT shares


More on taking ownership


Last page with a ton of information on sharing in Windows XP

 
First, I would immediately change your administrator password. Only Administrator can take ownership of files/folders. Next, make sure the users don't have 'Full Control' checked. This will allow them to modify the rights to these folders.
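The two replies above both come down to the same check on the file server: which accounts hold rights that let them reassign access or seize ownership, and whether those rights arrived by inheritance from the share root. The following PowerShell script is an added example, not code from the thread or from any poster; the root path and the function name are assumptions, and it only reports, it changes nothing.

```powershell
# Added example (not from the thread): list every Allow ACE under a folder tree
# that grants Full Control, Take Ownership or Change Permissions. Any principal
# listed here can add users to the folder or take it over, which is exactly the
# behaviour the thread is trying to stop. Run on the file server (or against the
# mapped share) from an account that can read the ACLs.
function Find-RiskyFolderAce {
    param(
        # Assumption: the thread's share root; adjust to your own path.
        [string]$Root = 'E:\Users'
    )

    # Rights that allow a holder to change who has access or to take ownership.
    $risky = [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            foreach ($ace in $acl.Access) {
                # -band on the enum yields 0 when none of the risky bits are set.
                if ($ace.AccessControlType -eq 'Allow' -and
                    ([int]($ace.FileSystemRights -band $risky)) -ne 0) {
                    [pscustomobject]@{
                        Folder    = $_.FullName
                        Owner     = $acl.Owner
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        # True means the ACE was inherited from a parent folder,
                        # i.e. the "receiving permissions from the root" case.
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Usage: print the findings; pipe to Export-Csv to keep a record.
Find-RiskyFolderAce -Root 'E:\Users' | Format-Table -AutoSize
```

Rows where Principal is Everyone, Users or a broad domain group and Inherited is True are the ones to look at first: a restricted folder that still inherits Full Control from the root is not actually restricted, no matter what was added to it afterwards.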
 
The description from gpedit.msc for 'allow only bitmapped wallpaper':

Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".
 
Bill...

I think ya hit the wrong thread :)

One more thing in regards to this, if this user is violating your media policy, why hasn't he been terminated? I understand searching out how the problem occurred but I'd have a conversation with some HR people about this (possibly a lawyer depending on the exact of tampering).
 
The individual has been talked to numerous times about this to no avail. This individual's boss sticks up for him, so our IT department is in a bind because of it.

I will investigate the options you've put forth. Our main IT Help Desk configures all user PCs and they set all their User IDs up as Power Users. The directory structure in question is on the NT file server, under E:\Users. All users have Full Access to this folder and most files and folders within. We tweak the folders within depending on security; some folders have strict access for only a few users or groups. Others have full access for everybody. The user in question is perfectly capable of right-clicking on a folder they don't have access to from their XP workstation and taking full ownership of the folder and gaining access, as well as adding users to folders that should not have access to them. So I'm not sure if this is an XP or NT problem. Maybe it's a little of both. My first instinct would be to change this user's status from Power User to a Restricted User (we've done that with a few other users) but to do that with this particular user would cause a political uproar.
 
So you're set up so that each folder under E:\users follows the hierarchy, receiving permissions from above?

This could be a simple issue of needing to ensure that the folders in question are not receiving permissions (in addition to the ones you specify) from the root folder.
 
This issue requires controlling ACE permissions and not the traditional share permissions controlled by ACLs.

From the workstation:

i. Start, Run, secpol.msc

Look at the last ACE: 'Take ownership of folders or files' and remove the Administrator group. Be certain to add in the alternative some other valid local Administrator account so that you do not lock yourself out,

or become familiar with the resource kit NTRIGHTS.EXE command, more below.

ii. Use NTRIGHTS.EXE - Server, Workstation and Remotely


You can use -r to remove any right from a user or group at the server, or workstation. In your instance I would do both.

You can use the Win2k reskit version on NT, Win2k or XP:
Or, the Windows 2003 resource kit too under Win2k or XP clients:
Note that this can be done remotely:
The NTRights.exe utility uses the following syntax:

ntrights +r/-r user_right -u "account_name" -m \\computer_name

Where:
• +r is used to add a user right.
• -r is used to revoke a user right.
• user_right is the user right to grant or revoke.
• "account_name" is the name of the user or group (enclosed in quotation marks) whose user rights are being modified.
• computer_name is the name of the remote computer where the user rights are being changed. If the -m option and the computer name are not specified, the changes occur on the local computer.

"SeTakeOwnershipPrivilege" is the right you want to deny the user, or the Group the user is a member of.

e.g., for user "linney", on computer "linneys_computer":

ntrights -r SeTakeOwnershipPrivilege -u "linney" -m\\linneys_computer

Best wishes,
Bill Castner
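Before revoking SeTakeOwnershipPrivilege with ntrights or secpol.msc, and again afterwards to confirm the change took, it helps to see exactly which accounts currently hold the right. The PowerShell function below is an added example, not part of Bill's post or the resource kit: it exports the local user-rights policy with secedit, reads the SeTakeOwnershipPrivilege line from the [Privilege Rights] section, and resolves the SIDs to account names. The function name and temporary file path are assumptions; it must run from an elevated prompt on the machine being audited.

```powershell
# Added example (not from the thread): report which accounts hold
# SeTakeOwnershipPrivilege on this machine. secedit /export writes the policy
# as a Unicode .inf file whose [Privilege Rights] section lists each right as
#   SeTakeOwnershipPrivilege = *S-1-5-32-544
# with SIDs prefixed by '*'. Run elevated; /areas USER_RIGHTS limits the export.
function Get-TakeOwnershipHolders {
    # Assumption: a scratch file under the user's temp directory.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'

    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) {
        throw 'secedit export failed; run this from an elevated prompt'
    }

    $line = Get-Content -Path $inf |
        Where-Object { $_ -match '^\s*SeTakeOwnershipPrivilege\s*=' }
    Remove-Item -Path $inf -Force

    # No line at all means no account holds the right on this machine.
    if (-not $line) { return @() }

    # Right-hand side is a comma-separated list of *SID or account names.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
            # Translate to DOMAIN\Name; fall back to the raw SID if it cannot be resolved.
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }
        }
        else { $entry }
    }
}

# Usage: on a default install this prints BUILTIN\Administrators.
# After "ntrights -r SeTakeOwnershipPrivilege -u <group>" the group should no
# longer appear; the holder list is what the user in the thread was relying on.
Get-TakeOwnershipHolders
```

Run it on the workstation and on the server, since Bill recommends revoking the right in both places, and keep the "before" output: it is the simplest way to prove later that the account you meant to leave in (the alternative local Administrator) is still there and the offending group is not.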
 
I should note that the advantage of this approach is you can leave the user as Administrator Group member, and it is unlikely he knows an ACE permission from a hole in the ground.

The process is silent, and not easily discovered by even experienced XP or Windows users.
 
Bill,

I was not aware of this option -- I'd never even heard of it until you posted it. I will look into doing this later this week when I am certain I can make these changes from the users workstation. Thanks!

JFG
 
You can do it remotely.

Best holiday wishes,
Bill Castner
 
I always feel smart till Bill answers...:p

Nice information and thanks for it Bill!
 
I should note that I missed an important space in my example of denying user "linney" from a remote computer "linneys_computer".

I wrote above:
ntrights -r SeTakeOwnershipPrivilege -u "linney" -m\\linneys_computer

Amended:
ntrights -r SeTakeOwnershipPrivilege -u "linney" -m \\linneys_computer

Note the "space" between -m and the remote computer

Best Holiday wishes,
Bill Castner
 
aquias,

I always feel smart until linney whacks me on the head with his billiebong.

The reason I love a Forum such as this is that I honestly learn more than I can possibly give or contribute.

Have a great Holiday,
Bill
 
I wasn't complaining Bill! Trust me, I've picked up more here than I could hope to return, I just can't keep from making comments to add some levity (Generally, I'm "that guy").
 
For some odd reason the site will not honor the "space" I introduced:

One more time:
I wrote above:
ntrights -r SeTakeOwnershipPrivilege -u "linney" -m\\linneys_computer

Amended:
ntrights -r SeTakeOwnershipPrivilege -u "linney" -m \\linneys_computer
 
aquias,

A belated welcome to Tek-Tips, this Forum, and a big hug for you guy.

Bill
 