A simple security question.

  • Thread starter Thread starter Chris Conley
  • Start date Start date
C

Chris Conley

Even though the Domain Admin is not on my allow list for a
specific resource he can still gain access correct? If I
implicitly deny access will he still be able to change the
security parms back to allow?
 
Yes. He just takes "ownership" of the object then sets the permission they
way he wants.
 
-----Original Message-----
Yes. He just takes "ownership" of the object then sets the permission they
way he wants.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Chris Conley said:
Even though the Domain Admin is not on my allow list for a
specific resource he can still gain access correct? If I
implicitly deny access will he still be able to change the
security parms back to allow?
Click to expand...


.
I explicitly deny all control to the Domain Admin.
Click to expand...
 
It's a waste of time since you cannot deny a domain admin or local admin the
right to take ownership of an object.

It might help us determine how we can really help you (instead of simply
answering questions) if you gave us a clue on what you're trying to
accomplish here.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Just a guess,...maybe a user that wants to keep the IT Admin out of their
machine?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Richard G. Harper said:
It's a waste of time since you cannot deny a domain admin or local admin the
right to take ownership of an object.

It might help us determine how we can really help you (instead of simply
answering questions) if you gave us a clue on what you're trying to
accomplish here.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Chris Conley said:
What if I explicitly deny the Domain Admin Full control to
all of C: drive?
Click to expand...
Click to expand...
 
That was my guess too ... just wondered if he'd say it out loud.

I am a Domain Admin. I control the horizontal. I control the vertical.
If only I were an Exchange Admin, so I could read your Email. ;-)

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Phillip Windell said:
Just a guess,...maybe a user that wants to keep the IT Admin out of their
machine?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Richard G. Harper said:
It's a waste of time since you cannot deny a domain admin or local admin the
right to take ownership of an object.

It might help us determine how we can really help you (instead of simply
answering questions) if you gave us a clue on what you're trying to
accomplish here.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Chris Conley said:
What if I explicitly deny the Domain Admin Full control to
all of C: drive?
Click to expand...
Click to expand...
Click to expand...
 
They would not be able to access or logon to the computer. Of course they could
always change it back. You have to be an administrator on the local computer to do
that. I would not recommend doing such unless authorized. --- Steve
 
Even though the Domain Admin is not on my allow list for a
specific resource he can still gain access correct? If I
implicitly deny access will he still be able to change the
security parms back to allow?
Click to expand...

Simple analogy. You can take all the keys to the kingdom away from a
Domain Admin, but he has the power to keys. You can't stop him (and
will likely only make him mad...).

Jeff
 
Jeff Cochran said:
Simple analogy. You can take all the keys to the kingdom away from a
Domain Admin, but he has the power to keys. You can't stop him (and
will likely only make him mad...).
Click to expand...

And that wouldn't be pretty. It might result in upgrading the PC to a
Manual Typewriter, a pencil sharpener and an Abacus.
 
Richard G. Harper said:
Pencil sharpener? You are generous to your minions, aren't you?
Click to expand...

....can't have them sharpening it with a pocket knife,...they aren't allowed
to have weapons at work either... ;-)
 
Ah - reasonable point.
I keep forgetting that not every workplace has scalpels. ;-)

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Back
Top