Denying permissions to administrators and other permission issues

Status
Not open for further replies.

GSG9 (Technical User), Jun 20, 2002
A bit of history.

The small company I work for (20 employees) just migrated from a workgroup-based network to a domain setup. I handled the migration... incredibly smooth sailing, and now I am finally putting on the finishing touches: the file permissions.

The primary administrator account is held by the boss, while I use a regular (no admin privs at all) account and another account that is part of the Administrators group.

Now the problem is that there is a specific directory that the boss does not want me having access to. However, since I am the only one who knows how to manage the system, I obviously need full admin access.

Obviously you can't simply assign ownership to only Administrator and then deny Take Ownership rights to the Administrators group, since that group's unique status overrides the deny, as far as I tested.

Any ideas? I know there are global GPO settings that govern this, but none for specific folders, and no real way to lock out only a section of the GPO object, since I need access to the rest of the object concerning the PDC.

Another question: if I delegate administration of the user accounts to another employee, how can I prevent them from, say, resetting the admin account PWs, creating another account with admin privs, or doing other things that could compromise file security?

For both issues an honor system would be acceptable. I just want to present something with no backdoors.

Last question:

Within one NTFS partition, the defaults for permission inheritance are as follows:

Move or cut/paste causes the file to keep the permissions inherited from the parent.

Copy/paste causes it to inherit from the folder hierarchy.

Is there a way to make "inherit from hierarchy" always the default, regardless of the way the file was placed?

The reason I want this is that I am setting up a rigid system, because we have a lot of certification docs that cannot be deleted, most of which are created locally and then moved to the server, thereby keeping their Full Control for Everyone permissions, which override the protection from the permissions set in the hierarchy.



 
OK, first things first. If your ID is a member of the Administrators group, then it is an administrator just like the "Administrator" ID. Check the group memberships of your ID. You might be missing Schema Admins and Enterprise Admins, but it is unlikely they would be giving you any grief with respect to file permissions.

Second, you CAN assign specific rights to a file or folder and block the Administrators group from accessing this. Of course the "Administrator" ID is also a member of that group, so putting a DENY on that folder would also lock out the "Administrator." As you are a small organization, your boss could add your ID to the list and DENY you rights exclusively.

As a member of Administrators, you could always take ownership of the files in an emergency and would then be able to set file permissions, but since you have your own ID there would be a trail of this which I think would satisfy your boss.

Regarding your inheritance question:

Files MOVED on the same disk will keep their permissions. Files copied from another disk will inherit permissions of the target disk. If you want to ensure inheritance, always copy files and then delete the original if your intent is to actually do a move.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
It helped quite a bit... thanks.

Unfortunately it wasn't the answer I was hoping for...

Granted, the emergency take-over of ownership is an essential feature, but it would be nice to override it in some situations... and the fact that I can simply change the perms and get back access even with a deny is a bit frustrating (although I do appreciate the irony of trying to lock myself out of my own system).

I guess the honor system will have to do for that directory. As for the "trail", you are speaking of the auditing system, right? That would require enabling object auditing (through GPO) and configuring that specific directory to record permission changes?

What about the username hijacking through account admin privs... (is there a way to control what kind of accounts to set up) or must we simply rely on monitoring through an audit as well?

As for auditing, isn't it relatively easy to wipe out the audit logs with admin privs?

As for the inherited permissions change, what about a network move? Say from a workstation to the server... technically this is from another "disk", so will it preserve its parent permissions regardless of how it is transferred?

There must be a way to change how that works... or is it hard-coded into the NTFS system?
 
You can't assign ownership of files, so if you were to seize ownership then that would show on the system. Someone else would need to take ownership. This does not require auditing to be enabled.

If you need to limit an ID to the types of admin rights it has, you should be looking at DELEGATION. If you choose CUSTOM when delegating you can get very granular in the rights that are permitted. For example, you could set someone to be able to unlock an account but not create a new one.

Moving files from a workstation to the server, the files will inherit the settings at the server. No way around this; it is how permissions work in NT-based systems.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
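The move behaviour Mark describes in both replies, shown on a constructed temp tree, together with the post-hoc cleanup a practitioner ends up running on a folder like the certification share. This is an added example, not code from the thread; it does not change how NTFS treats a move, it re-applies the destination folder's inheritance afterwards. The paths under $env:TEMP, the file name and the Everyone:FullControl ACE are constructed for the demo.

```powershell
# Added example, not from the thread. Shows that Move-Item on the same volume keeps a
# file's explicit ACEs, then strips them so the file inherits from its new parent only.
# Requires Windows PowerShell; $env:TEMP\acl-demo is a constructed location.

$Root  = Join-Path $env:TEMP 'acl-demo'
$Drop  = Join-Path $Root 'created-locally'   # stands in for the folder users create docs in
$Certs = Join-Path $Root 'certs'             # stands in for the protected server folder

function Get-ExplicitAces {
    param([string]$Path)
    # Explicit (non-inherited) ACEs survive a same-volume move and override
    # whatever the destination hierarchy grants; these are the ones to look for.
    (Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited }
}

function Restore-Inheritance {
    param([string]$Path)
    # Drop every explicit ACE and switch inheritance back on. When Set-Acl persists an
    # unprotected DACL, Windows recomputes the inherited ACEs from the current parent,
    # so the file ends up with exactly what the hierarchy says.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @(Get-ExplicitAces -Path $Path)) { [void]$acl.RemoveAccessRule($ace) }
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Invoke-MoveDemo {
    New-Item -ItemType Directory -Force -Path $Drop, $Certs | Out-Null
    $doc = Join-Path $Drop 'cert-2002-06.txt'
    Set-Content -LiteralPath $doc -Value 'constructed sample certification document'

    # Simulate a document created locally that carries an explicit Everyone:FullControl ACE.
    $acl = Get-Acl -LiteralPath $doc
    $everyone = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Allow')
    $acl.AddAccessRule($everyone)
    Set-Acl -LiteralPath $doc -AclObject $acl

    # Same volume: this is a rename, and the DACL travels with the file untouched.
    $dest = Join-Path $Certs (Split-Path -Path $doc -Leaf)
    Move-Item -LiteralPath $doc -Destination $dest

    Write-Output 'Explicit ACEs right after the move (Everyone:FullControl is still there):'
    Get-ExplicitAces -Path $dest | Format-Table IdentityReference, FileSystemRights, AccessControlType

    Restore-Inheritance -Path $dest
    Write-Output 'Explicit ACEs after Restore-Inheritance (should be none):'
    Get-ExplicitAces -Path $dest | Format-Table IdentityReference, FileSystemRights, AccessControlType
}

Invoke-MoveDemo
```

To keep a real share clean, run Restore-Inheritance on a schedule over the protected tree (for example Get-ChildItem $Certs -Recurse -File piped to ForEach-Object { Restore-Inheritance $_.FullName }); the one-line equivalent for a whole subtree is icacls <folder>\* /reset /T /C. Both strip deliberate explicit ACEs as well, so use them only on folders where every permission is meant to come from the hierarchy.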
 
Ah... thanks a lot...

In delegation, would one of the options just happen to be preventing resetting PWs of admin accounts, adding users to the admin group, or creating accounts that have admin privs?

 
Yes.

By the sound of it your boss does not want you to have any control over user accounts, just the ability to manage files. Is that a correct assessment?

If so then tell your boss to remove you from the Administrators group and make you a member of Server Operators.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
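The granular delegation Mark refers to, done with dsacls rather than the Delegation of Control wizard so the exact rights granted are visible. This is an added example, not code from the thread; the OU distinguished name and the group name are assumptions. It grants the help-desk group only "reset password" and the two attribute writes needed to unlock an account and force a change at next logon, on user objects inside one OU.

```powershell
# Added example, not from the thread. Run as a domain admin on a domain controller or a
# machine with the AD admin tools installed. Assumed names:
$OU    = 'OU=Staff,DC=corp,DC=local'   # only accounts under this OU are affected
$Group = 'CORP\HelpDesk'               # the delegate

# "Reset Password" is an extended right (CA, control access); unlocking and forcing a
# password change are attribute writes (WP). /I:S applies each ACE to child objects of
# class "user" only, so the OU itself, groups and computers are untouched.
dsacls $OU /I:S /G "${Group}:CA;Reset Password;user"
dsacls $OU /I:S /G "${Group}:WP;lockoutTime;user"
dsacls $OU /I:S /G "${Group}:WP;pwdLastSet;user"

# Check: every ACE that names the delegate. Nothing beyond the three above should appear.
dsacls $OU | Select-String -Pattern ([regex]::Escape($Group))
```

Three things answer the "create an admin account" worry directly: the delegate gets no Create Child (CC) right, so they cannot create accounts at all; nothing here grants write on any group's member attribute, so they cannot add themselves to Administrators or Domain Admins; and the ACEs live on this OU only, so keep the boss's and your own admin accounts in a different OU. Members of protected groups such as Domain Admins are additionally re-stamped from AdminSDHolder by the SDProp process, which removes delegated ACEs from those accounts even if they are placed under the delegated OU.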
 
The GUI doesn't support giving ownership, but the capability is there. You can use subinacl to assign ownership of a file or folder to a user.

subinacl /file c:\filename.doc /setowner=domain\user
 
Actually, my boss wants me to have complete control over the server minus access to one very specific directory...

I do all of the GPO settings, backups, user accounts, managing SUS and other patching... etc. etc.

However, I'm not always available, so I want to delegate the user accounts to another person, but the boss would like to limit the admin powers to just himself and me... so giving another person the ability to create admin accounts is really just the same as giving the person admin privs.

Thanks for all the info though. Star for you ;)

 
Don't overcomplicate things here. As an example: I have done migrations for large companies where post-migration I needed to limit access to the finance folders to just the Chief Financial Officer and his Secretary. After migration, I created a new security group just for these 2 users and gave this group full control to the finance folders. I took out the "Inherit permission from parent" and took out all other groups including administrators. The finance group was the only group with Full Control access. Next step was to reset permissions across all subfolders and files in the finance folder.

This may be similar to what you need. You can turn on auditing here with your boss as the recipient for any failure/"permission changes" so he can be assured that no one is tampering or accessing the folders without him knowing.

The rest you need to do via delegation can be done as normal, as in the discussions above.

Claudius (What certifications??)
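The Claudius recipe (inheritance off, every inherited and explicit ACE including Administrators removed, one group with Full Control, subtree reset) plus the auditing and the ownership trail discussed earlier in the thread, as one script. This is an added example, not code from the thread; the folder, the group, the owner account and the event IDs in the comments are assumptions about a modern Windows server, not something the 2002 posts state.

```powershell
# Added example, not from the thread. Run elevated on the file server: writing a SACL
# needs SeSecurityPrivilege and assigning ownership to another account needs
# SeRestorePrivilege, both of which an elevated Administrators token holds.

$Folder = 'D:\Shares\Finance'   # assumed folder
$Group  = 'CORP\FinanceOnly'    # assumed group holding the CFO and his secretary
$Owner  = 'CORP\cfo'            # assumed account that should own the folder

function Set-FolderAudit {
    param([string]$Path)
    # Log every failed access attempt by anyone, and every successful change of permissions
    # or ownership; the latter is the trail an admin leaves when seizing the folder.
    # Object-access auditing must also be on in policy ("Audit object access" in the GPO, or
    # auditpol /set /subcategory:"File System" /success:enable /failure:enable).
    $acl = Get-Acl -LiteralPath $Path -Audit
    $failed  = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure')
    $changed = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'ChangePermissions,TakeOwnership', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($failed)
    $acl.AddAuditRule($changed)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Results land in the Security log as 4663 (access attempt) and 4670 (permissions changed).
}

function Set-ExclusiveAcl {
    param([string]$Path, [string]$Identity, [string]$OwnerAccount)
    # First re-derive every child from the folder, so no stale explicit ACE survives the change.
    icacls "$Path\*" /reset /T /C /Q | Out-Null

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting and discard the inherited ACEs ($false), then remove whatever explicit
    # ACEs are left, which is where BUILTIN\Administrators normally sits.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $full = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($full)
    # Ownership to the boss: a later seizure by an admin changes this value.
    $acl.SetOwner([System.Security.Principal.NTAccount]$OwnerAccount)
    # Persisting inheritable ACEs on a folder propagates them to the (now unprotected) children.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-OwnerSummary {
    param([string]$Path)
    # Ownership cannot be made un-seizable for Administrators, but a seizure changes the
    # owner, so a per-owner count over the tree shows it to whoever can read the tree.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
        Group-Object |
        Select-Object -Property Count, Name
}

# Order matters: the audit rules need READ_CONTROL on the folder, which the admin loses
# as soon as the exclusive DACL is applied.
Set-FolderAudit  -Path $Folder
Set-ExclusiveAcl -Path $Folder -Identity $Group -OwnerAccount $Owner

# To be run by a member of the group (the locked-out admin's attempt would itself be audited):
# Get-OwnerSummary -Path $Folder
```

Two caveats a practitioner wants here. Removing every ACE also removes SYSTEM and Backup Operators from the DACL; backup software that relies on SeBackupPrivilege still reads the tree, anything running as a plain service account does not. And nothing in this script stops a member of Administrators from taking ownership or clearing the Security log; the point, as Mark says above, is that doing so is visible, not that it is impossible.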
 