mirceapop14
Programmer
2 admin account in Administrators group. One admin accesig from VPN as service admin. Can local admin restrict acces to some folders for remote admin ? I suppose not ....but ... this is a necesity. Thanks a lot !
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Restricting admin rights ? 2
- Thread starter mirceapop14
- Start date
- Status
-
1
- #2
-
1
- #3
MisterNiceGuy
MIS
If an account has administrative access to a particular computer, you can only make it difficult for him to access certain portions of the file system, you cannot however prevent him from accessing anything. This is because as an administrator of a box, they can always take ownership of a folder and then alter whatever security permissions you may have set to prevent access.
To clarify what I believe GENEnG is trying to say, don't make the remote admin an administrator, instead provide him only the permissions he requires to perform his work. I recommend doing this with a security group that contains his administrative account so that you have more flexibility in the future. It's very possible that what he needs to do will require administrative access, in that case there are some steps you can take through group policy to limit his ability to meddle with stuff, but at the file system level, he will always have the ability to access any portion of it because of the "take ownership" back door.
Again, I'm not saying you can't make it difficult for him, but if you give a technically sound support professional administrative access to your box, they will ultimately be able to do whatever they want regardless of NTFS permissions, Group policy etc.
To clarify what I believe GENEnG is trying to say, don't make the remote admin an administrator, instead provide him only the permissions he requires to perform his work. I recommend doing this with a security group that contains his administrative account so that you have more flexibility in the future. It's very possible that what he needs to do will require administrative access, in that case there are some steps you can take through group policy to limit his ability to meddle with stuff, but at the file system level, he will always have the ability to access any portion of it because of the "take ownership" back door.
Again, I'm not saying you can't make it difficult for him, but if you give a technically sound support professional administrative access to your box, they will ultimately be able to do whatever they want regardless of NTFS permissions, Group policy etc.
InfrArch
IS-IT--Management
- Aug 27, 2001
- 465
MisterNiceGuy, I agree with your point and approach except the fact, that actually it IS possible to "prevent him from accessing anything". In GPO/CompConf/WindSettings/SecurSettings/LocalPolic/UserRightsAssignment last line shows the setting with the name "TakeOwnership..." and the Value is Administrators Group. To prevent some Admin Account to "do anything" you have to remove Administrators group from there and put individual user accounts. Plus, ofcourse, you have to use NTFS permissions.
Victor K
MCSE+I;MCSE(w2k);CNE(5.1);CNE(6);CIWSP;CIWSA;Net+;CCNA;CCSE+
Victor K
MCSE+I;MCSE(w2k);CNE(5.1);CNE(6);CIWSP;CIWSA;Net+;CCNA;CCSE+
MisterNiceGuy
MIS
While I appreciate that this would put a small roadblock in the administrators path, I do not agree that it will prevent a knowledgable administrator from obtaining full access for very long. The important part of the discussion is that for the needs of mirceapop14 the additional solution you just related will possibly be enough. If you are worried about your support staff messing around in places they should not be, maybe you need to re-evaluate who you are using.
Why is does this occur?
Two computers on a domain logged as Administrator.
I create a file with only user rights I.E. no Administrator.
I try to delete and receive "access denied".
If I connect to the computer via network \\computer\c$
I am able to delete.
Why?
Thanks
DJL
Two computers on a domain logged as Administrator.
I create a file with only user rights I.E. no Administrator.
I try to delete and receive "access denied".
If I connect to the computer via network \\computer\c$
I am able to delete.
Why?
Thanks
DJL
- Status
Similar threads
- Locked
- Question