Seeing who has what file open

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

I am a local administrator on a 2000 domain and am not a
domain admin. I do not have the rights to see who has
what file open on our server. I am told that one must be
a Domain Admin to be able to do this. Is this true??
What kind of cockimamy idea was it of Microsoft's to
require domain admin membership just to see who has a file
open on one's local server.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

A local administrator on a domain [or any] computer has a lot of power. Why do you
believe you can not see who has files open? What error do you get? It is possible
that there are Group Policy restrictions that can also apply to the local
administrator while logged on as a domain member. If you logon to the local machine
as administrator then user configuration Group Policy from the domain or OU would not
apply to you. There is a user right for debug programs that by default has the
administrators group as members. If that has been removed then some system utilities
will not run or only run with certain features. Many of the utilities from
SysInternals require debug user right. If that user right has been configured at the
domain/OU level as shown by local setting being different than "effective" setting in
Local Security Policy, there is nothing you can do about it. Of course the local
administrator can always remove a computer from the domain, but I would not recommend
that without permission from domain admins and the local administrator may not be
able to join the computer to the domain. --- Steve

"Rockitman" <anonymous@discussions.microsoft.com> wrote in message
news:c98601c48a27$b27e0f20$a401280a@phx.gbl...
>I am a local administrator on a 2000 domain and am not a
> domain admin. I do not have the rights to see who has
> what file open on our server. I am told that one must be
> a Domain Admin to be able to do this. Is this true??
> What kind of cockimamy idea was it of Microsoft's to
> require domain admin membership just to see who has a file
> open on one's local server.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

First of all, this server is a Domain Controller. Thus I
have no ability to login locally to the machine. I must
always login to the domain as a domain user. I am a
member of an administrative group that gives me rights to
my OU but it is very limited. The error I get when I go
into Computer Management, Shared Folders, Open Files is:

"System encountered the following error while reading the
list of open files: Error 5: Access denied"

I'm not privy to group policies so not sure if I am cut
off there or not. All the domain admins will tell me is
that I have to be a domain admin to be able to see the
open files. Not fair! I cannot do my job effectively
without this ability. Oh I yearn for the old days of
Novell.
>-----Original Message-----
>A local administrator on a domain [or any] computer has a
lot of power. Why do you
>believe you can not see who has files open? What error do
you get? It is possible
>that there are Group Policy restrictions that can also
apply to the local
>administrator while logged on as a domain member. If you
logon to the local machine
>as administrator then user configuration Group Policy
from the domain or OU would not
>apply to you. There is a user right for debug programs
that by default has the
>administrators group as members. If that has been removed
then some system utilities
>will not run or only run with certain features. Many of
the utilities from
>SysInternals require debug user right. If that user right
has been configured at the
>domain/OU level as shown by local setting being different
than "effective" setting in
>Local Security Policy, there is nothing you can do about
it. Of course the local
>administrator can always remove a computer from the
domain, but I would not recommend
>that without permission from domain admins and the local
administrator may not be
>able to join the computer to the domain. --- Steve
>

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

OK. If the server is a domain controller you are out of luck as domain controllers do
not have local administrators - just domain administrators. Those bastards! --- Steve

"Rockitman" <anonymous@discussions.microsoft.com> wrote in message
news:d1e301c48abd$3dc13220$a401280a@phx.gbl...
> First of all, this server is a Domain Controller. Thus I
> have no ability to login locally to the machine. I must
> always login to the domain as a domain user. I am a
> member of an administrative group that gives me rights to
> my OU but it is very limited. The error I get when I go
> into Computer Management, Shared Folders, Open Files is:
>
> "System encountered the following error while reading the
> list of open files: Error 5: Access denied"
>
> I'm not privy to group policies so not sure if I am cut
> off there or not. All the domain admins will tell me is
> that I have to be a domain admin to be able to see the
> open files. Not fair! I cannot do my job effectively
> without this ability. Oh I yearn for the old days of
> Novell.
>>-----Original Message-----
>>A local administrator on a domain [or any] computer has a
> lot of power. Why do you
>>believe you can not see who has files open? What error do
> you get? It is possible
>>that there are Group Policy restrictions that can also
> apply to the local
>>administrator while logged on as a domain member. If you
> logon to the local machine
>>as administrator then user configuration Group Policy
> from the domain or OU would not
>>apply to you. There is a user right for debug programs
> that by default has the
>>administrators group as members. If that has been removed
> then some system utilities
>>will not run or only run with certain features. Many of
> the utilities from
>>SysInternals require debug user right. If that user right
> has been configured at the
>>domain/OU level as shown by local setting being different
> than "effective" setting in
>>Local Security Policy, there is nothing you can do about
> it. Of course the local
>>administrator can always remove a computer from the
> domain, but I would not recommend
>>that without permission from domain admins and the local
> administrator may not be
>>able to join the computer to the domain. --- Steve
>>
>