Hello folks,
How can I restrict or block a user with admin rights from a specific directory?
We have a company that is installing a monitoring agent. The agent is being given admin rights so it can update patches and do maintenance stuff. However, the company wants the agent to be blocked from the financials directory. Any ideas?
We have tried adding the administrator account to the folder and then removing the admin group from the folder. This works, but the "user/agent" would still be able to switch the permissions back if it wanted, or if someone logged on using that account.
|
|
Sure, you can take over the ownership. This how-to may help:
How to network: Restrict administrators accessing · Restrict Internet access · Restrict single logon · Restrict TS User access · Set USN Journal Size to 128 MB ... http://www.howtonetworking.com/sitemap.htm
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
<davelchgo[ at ]gmail.com> wrote in message news:1183693500.431626.134600[ at ]c77g2000hse.googlegroups.com...
|
|
That doesn't prevent the admin from taking ownership again. It does, however, show that he accessed it.
--
Claus
"Robert L [MVP - Networking]" <noreply[ at ]hotmail.com> wrote in message news:eq9FjY4vHHA.2288[ at ]TK2MSFTNGP05.phx.gbl...
|
|
Unless the admin restores the files from a backup set to his laptop.
Not really any audit trail there.
-- /kj
"Claus" <cjobes[ at ]nova-tech.org> wrote in message news:eF8NQh4vHHA.2004[ at ]TK2MSFTNGP06.phx.gbl...
|
|
If the user with admin rights isn't using the actual machine that Win2003 is installed on, it's quite simple.
Modify the NTFS permissions depending on your needs, using the following concepts:
- Create a new group and add to that group all users who are authorised to access that directory. Remove all NTFS permissions on that directory and add the new group as the only permission.
or
- Remove all permissions and add a single user as the only user that is permitted to view/change that directory.
When sharing the directory to be accessed over the network, try to match the NTFS permissions to the sharing permissions, as sharing permissions can at least override the NTFS permissions for reading.
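The "one group as the only ACE" procedure above, scripted, as an added example that is not code from this thread. It assumes the folder is D:\Financials, that the authorised users are already in a domain group called CONTOSO\FinanceUsers, and that it is run from an elevated PowerShell prompt on the file server; those names are assumptions, not something the thread gives.

```powershell
# Added example, not code from the thread: lock D:\Financials down so that a
# single group holds the only access control entry.
# Assumptions: path D:\Financials, group CONTOSO\FinanceUsers, elevated prompt.
$Path  = 'D:\Financials'
$Group = 'CONTOSO\FinanceUsers'

$acl = Get-Acl -Path $Path

# Break inheritance from the parent and discard the inherited ACEs, so that
# BUILTIN\Administrators (and anything else) no longer flows down from D:\.
# ($true = protect from inheritance, $false = do not keep inherited entries)
$acl.SetAccessRuleProtection($true, $false)

# Remove whatever explicit ACEs are left. Snapshot the collection first so we
# are not modifying it while iterating.
foreach ($existing in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($existing)
}

# Grant the finance group Modify rather than FullControl: Modify covers read,
# write and delete but not Change Permissions or Take Ownership, so a finance
# user cannot widen the ACL either.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($allow)

# Make the group the owner as well. A folder created by an administrator is
# owned by BUILTIN\Administrators, and the owner always has implicit WRITE_DAC,
# which would let the admin rewrite the ACL without any ACE at all.
# Assigning an owner you are not a member of needs SeRestorePrivilege; if
# Set-Acl refuses, "icacls $Path /setowner $Group" does the same job.
$acl.SetOwner([System.Security.Principal.NTAccount]$Group)

Set-Acl -Path $Path -AclObject $acl

# Check the result: the owner is the finance group and there is exactly one ACE.
$after = Get-Acl -Path $Path
$after.Owner
$after.Access | Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize
```

This removes every ordinary path to the folder, but not the privileged one the rest of the thread is about: anyone whose token carries SeTakeOwnershipPrivilege (members of Administrators by default) can still take ownership and, as the new owner, put the ACEs straight back.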
|
|
I wasn't even going to go there.....
Glad to see the "rookie" is gone *G*
-- Claus "kj [SBS MVP]" <KevinJ.SBS[ at ]SPAMFREE.gmail.com> wrote in message news:ebgRvy4vHHA.1524[ at ]TK2MSFTNGP06.phx.gbl...
|
|
Andrew McNab wrote:
> If the user with admin rights isn't using the actual machine that Win2003 is installed on, it's quite simple.
>
> Modify the NTFS permissions depending on your needs using the following concepts:
>
> -Create a new group and add all users to that group who are authorised to access that directory. Remove all NTFS permissions to that directory and add the new group as the only permission.
>
> or
>
> -Remove all permissions and add a single user as the only user that is permitted to view/change that directory.
>
> When sharing the directory to be accessed over the network, try to match the NTFS permissions to the sharing permissions as sharing permissions can at least override the NTFS permissions for reading.
If the "admin" is a "domain admin" then he/she maps to the admin share D$ and navigates to the folder and adjusts permissions as desired.
AD security principle:
#1 - The forest *is* *the* security boundary.
#2 - Domain Admins OWN the forest.
#3 - Get physical access to a Domain Controller and you too can own the forest (with the right knowledge and skills).
You can not prevent a domain admin from accessing any file they want. You can put up 'impediments', but all can be circumvented with enough time, knowledge, and persistence.
Making the data into a form that isn't usable (encryption) isn't even failsafe, but it can make it really very, very difficult.
Note I said "can". By default the administrator is the EFS recovery agent. - Gotta fix that.
Since the admin has file access, they can add their own EFS cert to the list on the file - Gotta Fix that too, which is very hard to do since the admin usually admins the Certificate Authority.
Getting complex enough yet? It gets worse.
Bottom line, Members of the Domain Admins group need to be completely trusted with all data on all servers and computers in the AD Forest. If you can't say that, then they shouldn't be a Domain Admin, and you should find someone else to fill that role. That includes vendors, contractors, even Executives.
-- /kj
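The two sides of this post and of Claus's earlier reply, as an added example that is not code from the thread: the handful of commands an administrator needs to get past the folder's DACL, and the audit configuration that at least records it. It assumes the folder D:\Financials and a Windows Server 2008 or later box with PowerShell 2.0 or later (auditpol.exe and Get-WinEvent do not exist on Windows 2003, where the equivalent is the "Audit object access" policy and the Security log's 56x-series events); the path, event property index and everything else here are assumptions.

```powershell
# Added example, not code from the thread. Part (1) is what a defender puts in
# place; part (2) is what an administrator does to get the folder back; part (3)
# is what the SACL from (1) recorded about (2).
# Assumptions: path D:\Financials, Windows Server 2008+ / PowerShell 2.0+,
# elevated prompt.
$Path = 'D:\Financials'

# --- (1) Defender: turn on object-access auditing and put a SACL on the folder
# that records ownership and permission changes, plus read/write/delete, by anyone.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

$acl = Get-Acl -Path $Path
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions, ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($audit)
Set-Acl -Path $Path -AclObject $acl

# --- (2) Administrator: take the folder back. Neither step needs an ACE on the
# folder. SeTakeOwnershipPrivilege (held by Administrators) lets takeown assign
# ownership to the caller ...
takeown.exe /F $Path /R /D Y
# ... and the owner has implicit WRITE_DAC, so the DACL can simply be rewritten.
icacls.exe $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' /T

# --- (3) Defender: pull what the SACL recorded. 4670 = permissions on an object
# were changed (the icacls step); 4663 = an attempt was made to access an object.
# Properties[1] is SubjectUserName in both event layouts.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670, 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Subject'; Expression = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

The SACL only sees what touches the object through the file system on that server. The route kj mentions, restoring the files from a backup set onto another machine, never opens D:\Financials at all, so nothing shows up here; the only record of that is whatever the backup product itself logs about who restored which set. Likewise an administrator can clear the Security log, which is why the event should be forwarded off-box as it is written rather than reviewed on the server later.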
|
|
Claus wrote:
> I wasn't even going to go there.....
I know. I think I'd rather discuss partitioning schemes. <g>
> Glad to see the "rookie" is gone *G*
-- /kj