Sign in with
Sign up | Sign in
Your question

How to prevent ownership change by users with admin rights?

Last response: in Windows XP
Share
Anonymous
May 28, 2005 1:58:38 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have the "Administrator" account on a WinXP Pro computer (and do
administer the computer). I also have my private account on the
computer, that is an administrator type account. Another private
account for another user also is an aministrator type account. (I can
only see options for two kinds of accounts in WinXp (adminstrator and
limited) unlike Win2k, which I recall had more -- am I right about
WinXP having only two? I think my problem wouldn't exist under Win2k
because I could set up the private accounts as "power users") Thus, the
other private account is a member of the "Administrators" group. For
reasons I won't go into here, the other private account must have admin
rights. Simple file sharing" is turned off on the system.

I have created a private folder on the machine that has its security
settings set only to allow access to me (i.e., no sharing, and only my
private account is given any permissions.

However, the folder is not really secure, because although the other
private account holder cannot access the folder itself, they can defeat
the security settings on it. This is because they can access the
properties page for the folder, and even though they cannot initially
change the permissions for the folder, they can access the ownership
properties page for the folder, which shows that "Administrators" as
well as I can take ownership of the folder. Then, by changing ownership
of the folder from my account to "Administrators" , they can then
change the privileges to give "Administrators" full control. And,
because their account is part of the "Administrators" group, they end
up with access to the folder.

I tried to prevent this from happening by logging on as
"Administrator," goiing into Control Panel -> Administrative Tools ->
Local Security Settings -> User Rights Assignments, and I changed the
value for Take Ownership of Files or Other Objects from
"Administrators" to "Administrator". Now, (after a reboot) the other
person cannot, from their account, change the ownership of my private
folder to "Administrators" and then proceed to unlock it because
"Administrators" no longer shows up as a possible owner of the folder.

But this security provision can also be defeated, because, the other
user can go into User Rights Assignment and change the permission for
Take Ownership of Files or Other Objects back to "Administrators" from
"Administrator"! Even if I delete the "Administrators" group, (which as
I understand under XP cannot be restored once deleted), the other user
can still add their own account to the permissions for Take Ownership
of Files or Other Objects" (because, it appears, any user with
administrative privilveges can alter the security settings). So my
folder is still not secure.

Is there a way to prevent any user besides the "Administrator" from
accessing "Administrative Tools" or "Local Security Settings?" Any
other ideas? Am I missing something?

Thanks
Anonymous
May 28, 2005 5:14:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

The User Accounts applet only allows Administrator and Limited. Click Start, Run and enter LUSRMGR.MSC and you can change the group membership here to Power User or any other valid user type. You can also do this from Start, Run and entering

CONTROL USERPASSWORDS2 Highlight the username, select Properties, Group Membership.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

<nolonemo@yahoo.com> wrote in message news:1117299518.086308.241960@o13g2000cwo.googlegroups.com...
>I have the "Administrator" account on a WinXP Pro computer (and do
> administer the computer). I also have my private account on the
> computer, that is an administrator type account. Another private
> account for another user also is an aministrator type account. (I can
> only see options for two kinds of accounts in WinXp (adminstrator and
> limited) unlike Win2k, which I recall had more -- am I right about
> WinXP having only two? I think my problem wouldn't exist under Win2k
> because I could set up the private accounts as "power users") Thus, the
> other private account is a member of the "Administrators" group. For
> reasons I won't go into here, the other private account must have admin
> rights. Simple file sharing" is turned off on the system.
>
> I have created a private folder on the machine that has its security
> settings set only to allow access to me (i.e., no sharing, and only my
> private account is given any permissions.
>
> However, the folder is not really secure, because although the other
> private account holder cannot access the folder itself, they can defeat
> the security settings on it. This is because they can access the
> properties page for the folder, and even though they cannot initially
> change the permissions for the folder, they can access the ownership
> properties page for the folder, which shows that "Administrators" as
> well as I can take ownership of the folder. Then, by changing ownership
> of the folder from my account to "Administrators" , they can then
> change the privileges to give "Administrators" full control. And,
> because their account is part of the "Administrators" group, they end
> up with access to the folder.
>
> I tried to prevent this from happening by logging on as
> "Administrator," goiing into Control Panel -> Administrative Tools ->
> Local Security Settings -> User Rights Assignments, and I changed the
> value for Take Ownership of Files or Other Objects from
> "Administrators" to "Administrator". Now, (after a reboot) the other
> person cannot, from their account, change the ownership of my private
> folder to "Administrators" and then proceed to unlock it because
> "Administrators" no longer shows up as a possible owner of the folder.
>
> But this security provision can also be defeated, because, the other
> user can go into User Rights Assignment and change the permission for
> Take Ownership of Files or Other Objects back to "Administrators" from
> "Administrator"! Even if I delete the "Administrators" group, (which as
> I understand under XP cannot be restored once deleted), the other user
> can still add their own account to the permissions for Take Ownership
> of Files or Other Objects" (because, it appears, any user with
> administrative privilveges can alter the security settings). So my
> folder is still not secure.
>
> Is there a way to prevent any user besides the "Administrator" from
> accessing "Administrative Tools" or "Local Security Settings?" Any
> other ideas? Am I missing something?
>
> Thanks
>
Anonymous
May 28, 2005 9:32:30 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Doug Knox MS-MVP May 28, 1:14 pm show options

Newsgroups: microsoft.public.windowsxp.security_admin
From: "Doug Knox MS-MVP" <d...@mvps.org> - Find messages by this author

Date: Sat, 28 May 2005 13:14:01 -0400
Local: Sat,May 28 2005 1:14 pm
Subject: Re: How to prevent ownership change by users with admin
rights?
Reply | Reply to Author | Forward | Print | Individual Message | Show
original | Report Abuse

The User Accounts applet only allows Administrator and Limited. Click
Start, Run and enter LUSRMGR.MSC and you can change the group
membership here to Power User or any other valid user type. You can
also do this from Start, Run and entering


CONTROL USERPASSWORDS2 Highlight the username, select Properties,
Group Membership.


--


Thanks very much, Doug, changing the other user account to Power User
prevents access to the security policies in Control Panel and should
give the user sufficient rights for their account's purpose.
Anonymous
May 29, 2005 1:20:53 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You're welcome.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

<nolonemo@yahoo.com> wrote in message news:1117326750.500729.239160@o13g2000cwo.googlegroups.com...
> Doug Knox MS-MVP May 28, 1:14 pm show options
>
> Newsgroups: microsoft.public.windowsxp.security_admin
> From: "Doug Knox MS-MVP" <d...@mvps.org> - Find messages by this author
>
> Date: Sat, 28 May 2005 13:14:01 -0400
> Local: Sat,May 28 2005 1:14 pm
> Subject: Re: How to prevent ownership change by users with admin
> rights?
> Reply | Reply to Author | Forward | Print | Individual Message | Show
> original | Report Abuse
>
> The User Accounts applet only allows Administrator and Limited. Click
> Start, Run and enter LUSRMGR.MSC and you can change the group
> membership here to Power User or any other valid user type. You can
> also do this from Start, Run and entering
>
>
> CONTROL USERPASSWORDS2 Highlight the username, select Properties,
> Group Membership.
>
>
> --
>
>
> Thanks very much, Doug, changing the other user account to Power User
> prevents access to the security policies in Control Panel and should
> give the user sufficient rights for their account's purpose.
>
!