Folder permissions and take ownership

Gunna

Hi, I have a need to put an Active Directory group into the Administrators
group on a number of machines for various reasons which cannot be stopped.
The problem is there is an application on these machines that I do not want
them to be able to access and the application has no ability to request
credentials etc. It's just a dumb application.

I considered using folder permissions to lock out the local administrator
group from the folder. This stopped them from running the application until
I went in as one of the users and simply took ownership of the folder and
gave myself access. Then I tried adding a deny take ownership of the folder
to the local admin group. Again it just allowed me to take ownership,
assuming because local admins can do that regardless of the deny rule I just
created.

Can anyone suggest how to stop them taking ownership and from being able to
run the application?
 
Shenan Stanley

Gunna wrote:
> I have a need to put an Active Directory group into the
> Administrators group on a number of machines for various reasons
> which cannot be stopped. The problem is there is an application on
> these machines that I do not want them to be able to access and the
> application has no ability to request credentials etc. It's just a
> dumb application.
>
> I considered using folder permissions to lock out the local
> administrator group from the folder. This stopped them from
> running the application until I went in as one of the users and
> simply took ownership of the folder and gave myself access. Then I
> tried adding a deny take ownership of the folder to the local admin
> group. Again it just allowed me to take ownership, assuming because
> local admins can do that regardless of the deny rule I just created.
>
> Can anyone suggest how to stop them taking ownership and from
> being able to run the application?


If someone is an administrator on a computer - other than encryption and
other password-based limitations - you are not going to 'stop' them from
doing just about anything they please.

In other words - "administrators" is the default name of the group for a
reason. They can administer everything on the computer as they see fit.

What is this unstoppable reason to make these users administrators?
Political I assume?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
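
The behaviour described in this thread, as an added example that is not part of any poster's message: a simplified Python model of the Windows access check, showing why a deny ACE for "take ownership" does not hold against a token that carries SeTakeOwnershipPrivilege. Account names, the ACL and all function names are constructed; the model assumes the privilege is enabled in the token and ignores OWNER RIGHTS ACEs.

```python
# Simplified model of the Windows access check; constructed data, assumed helper names.
from dataclasses import dataclass, field
EXECUTE, WRITE_DAC, WRITE_OWNER = 0x20, 0x40000, 0x80000  # FILE_EXECUTE, WRITE_DAC, WRITE_OWNER

@dataclass
class Token:
    sids: set
    privileges: set = field(default_factory=set)

@dataclass
class Folder:
    owner: str
    dacl: list  # ordered (kind, sid, mask) ACEs, deny entries first

def access_check(token, obj, desired):
    granted = 0
    # The privilege is applied before the DACL is read, so no deny ACE can remove it.
    if "SeTakeOwnershipPrivilege" in token.privileges:
        granted |= WRITE_OWNER
    # The owner is always allowed to rewrite the DACL.
    if obj.owner in token.sids:
        granted |= WRITE_DAC
    for kind, sid, mask in obj.dacl:
        if sid in token.sids and kind == "deny" and (mask & desired & ~granted):
            return False
        if sid in token.sids and kind == "allow":
            granted |= mask
    return (desired & ~granted) == 0

def take_ownership(token, obj, new_owner):
    ok = new_owner in token.sids and access_check(token, obj, WRITE_OWNER)
    obj.owner = new_owner if ok else obj.owner
    return ok

def set_dacl(token, obj, dacl):
    ok = access_check(token, obj, WRITE_DAC)
    obj.dacl = dacl if ok else obj.dacl
    return ok

def replay_thread_scenario():
    # Constructed accounts: an AD user who is a member of the local Administrators group.
    admin = Token({"CORP\\alice", "BUILTIN\\Administrators"}, {"SeTakeOwnershipPrivilege"})
    app = Folder("CORP\\appsvc", [("deny", "BUILTIN\\Administrators", EXECUTE | WRITE_OWNER),
                                   ("allow", "CORP\\appsvc", EXECUTE)])
    before = access_check(admin, app, EXECUTE)      # blocked by the deny ACE
    took = take_ownership(admin, app, "CORP\\alice")  # allowed by the privilege
    rewrote = set_dacl(admin, app, [("allow", "CORP\\alice", EXECUTE)])
    return before, took, rewrote, access_check(admin, app, EXECUTE)
```

The deny ACE does block the first execute check, which matches what the original post observed; the lockout ends only because the privilege and owner rights are granted outside the DACL.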
 
Gunna

Yeah, I thought you might say that. Partly political, partly just a US company
and US mentality that "we" must be in control of all things...



 
Malke

Gunna wrote:

> Yeah, I thought you might say that. Partly political, partly just a US
> company and US mentality that "we" must be in control of all things...


Interesting. I would have thought that was a human condition and not limited
to a national mindset. In any case, Shenan is correct. If you are going to
give your users administrative powers, then they can do anything they want.
End of story. Either find a way to do what you need that doesn't include
making your users administrators or live with the consequences. Document
your actions. CYA isn't limited to any particular country.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
 