Can change owner of folder when deny in place

Posted by Alex on February 28, 2006, 5:19 am
I have a folder that I want to make really secure as it has employee
performance reviews in. I want to make this folder secure to the
prying eyes of domain administrators (I am a domain administrator
myself).

I have removed permission inheritance from the folder and granted full
control permissions to those people who should be able to access the
folder.

I have created a user group that contains all the domain administrators
who should not be able to snoop about and look at the performance
reviews of others. I deny all permissions for this group on the
folder. This includes a deny on the "Take Ownership" and "Change
Permissions" permissions.

I also change the folder owner to be me.

I still find that the other domain administrators who are in the "deny"
group can still take ownership of the folder and then change the
permissions allowing themselves access to the files in the folder.

Can anyone explain what is happening and how I may work around this
issue?

Many Thanks

Alex


Posted by Shenan Stanley on February 28, 2006, 5:28 am
Alex wrote:
> I have a folder that I want to make really secure as it has employee
> performance reviews in. I want to make this folder secure to the
> prying eyes of domain administrators (I am a domain administrator
> myself).
>
> I have removed permission inheritance from the folder and granted
> full control permissions to those people who should be able to
> access the folder.
>
> I have created a user group that contains all the domain
> administrators who should not be able to snoop about and look at
> the performance reviews of others. I deny all permissions for this
> group on the folder. This includes a deny on the "Take Ownership"
> and "Change Permissions" permissions.
>
> I also change the folder owner to be me.
>
> I still find that the other domain administrators who are in the
> "deny" group can still take ownership of the folder and then change
> the permissions allowing themselves access to the files in the
> folder.
>
> Can anyone explain what is happening and how I may work around this
> issue?

You either 1) have too many administrators or 2) have administrators you do
not trust.

Either way your solutions are simple.

1) Get rid of the administrators you do not trust (their rights or them.)
2) Encrypt the data. (or protect it in some other way that included Windows
File/Folder permissions - because if they are admins - they can do whatever
they want on your systems.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Posted by Roger Abell [MVP] on February 28, 2006, 8:25 am
There is a user right that defines what accounts can always take
ownership. It has a default setting of Administrators. Any account
with that user right can always take ownership of anything. Even
if the Administrators group is removed so no account is listed as
having the user right, the built-in Administrator (however renamed)
will always have the right.

> I have a folder that I want to make really secure as it has employee
> performance reviews in. I want to make this folder secure to the
> prying eyes of domain administrators (I am a domain administrator
> myself).
>
> I have removed permission inheritance from the folder and granted full
> control permissions to those people who should be able to access the
> folder.
>
> I have created a user group that contains all the domain administrators
> who should not be able to snoop about and look at the performance
> reviews of others. I deny all permissions for this group on the
> folder. This includes a deny on the "Take Ownership" and "Change
> Permissions" permissions.
>
> I also change the folder owner to be me.
>
> I still find that the other domain administrators who are in the "deny"
> group can still take ownership of the folder and then change the
> permissions allowing themselves access to the files in the folder.
>
> Can anyone explain what is happening and how I may work around this
> issue?
>
> Many Thanks
>
> Alex
>
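
Added example (not part of the original thread or any poster's code): a simplified Python model of the access check, showing why the deny entries Alex describes do not stop an account that holds the take-ownership user right Roger describes. The account names, the `DenyGroup` group and the reduced set of access bits are constructed for illustration; `SeTakeOwnershipPrivilege` is the Windows name of that user right.

```python
# Simplified model of the Windows access check (constructed; not Windows source).
READ_DATA, READ_CONTROL = 0x00000001, 0x00020000
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
FULL_CONTROL = READ_DATA | READ_CONTROL | WRITE_DAC | WRITE_OWNER  # only bits modelled here
TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"

def access_check(token, sd, desired):
    """Return True if every access bit in `desired` is granted to `token`."""
    granted = 0
    # 1. A holder of the take-ownership right gets WRITE_OWNER before the DACL is read.
    if desired & WRITE_OWNER and TAKE_OWNERSHIP in token["privileges"]:
        granted |= WRITE_OWNER
    # 2. The current owner is implicitly granted READ_CONTROL and WRITE_DAC.
    if sd["owner"] in token["sids"]:
        granted |= READ_CONTROL | WRITE_DAC
    # 3. Walk the ACEs in order; a deny on a bit that is still needed ends the check.
    for kind, sid, mask in sd["dacl"]:
        if (granted & desired) == desired:
            break
        if sid not in token["sids"]:
            continue
        if kind == "deny" and mask & desired & ~granted:
            return False
        if kind == "allow":
            granted |= mask
    return (granted & desired) == desired

def walkthrough(privileges):
    """Replay the thread's scenario for a denied admin 'bob' (constructed names)."""
    admin = {"sids": {"bob", "Domain Admins", "DenyGroup"}, "privileges": set(privileges)}
    sd = {"owner": "alex",
          "dacl": [("deny", "DenyGroup", FULL_CONTROL), ("allow", "HR", FULL_CONTROL)]}
    steps = {"read_before": access_check(admin, sd, READ_DATA)}
    steps["take_ownership"] = access_check(admin, sd, WRITE_OWNER)
    if steps["take_ownership"]:
        sd["owner"] = "bob"                           # ownership changes hands
    steps["change_dacl"] = access_check(admin, sd, WRITE_DAC)
    if steps["change_dacl"]:
        sd["dacl"] = [("allow", "bob", FULL_CONTROL)]  # deny ACE is gone
    steps["read_after"] = access_check(admin, sd, READ_DATA)
    return steps

if __name__ == "__main__":
    print("with user right:   ", walkthrough([TAKE_OWNERSHIP]))
    print("without user right:", walkthrough([]))
```

In the model the deny entry holds only in the run where the account lacks the user right, which is why the replies point to removing administrator rights or encrypting the data rather than to further ACL changes.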


