Administrators v Administrator security differences

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have this issuing going on where I can access a piece of software
when I'm logged in as "Administrator" but I can not access it when I'm
logged in as "user10" who is part of the Administrators group.

Everything I look at says the "user10" should have the same access level
as the "Administrator" account.

What are the differences from the "Administrator" account and being part of
the "Administrators" group.

HELP
 
Glenn Kreisel said:
I have this issuing going on where I can access a piece of software
when I'm logged in as "Administrator" but I can not access it when I'm
logged in as "user10" who is part of the Administrators group.

Everything I look at says the "user10" should have the same access level
as the "Administrator" account.

What are the differences from the "Administrator" account and being part of
the "Administrators" group.

HELP
Click to expand...

The Administrator can be the owner of a file or registry section and exclude
other Administrators from accessing it... however, any other member of the
Administrators group could then take ownership of the file and change the
permissions. But just being a member of the group doesn't give you access
to everything. In fact, even a user who is the owner of a file could set it
so that Administrators can't access it without taking ownership and changing
the permissions.
 
Ok I tracked down the problem even further....

The software is failing on a CreateThread() API call when logged in as
"User10"
but not as "Administrator". The "User10" is part of "Administrators" group.
The CreateThread() never starts the new thread and never returns.

On our dev server all users work. It is just our production server that this
happens on. Win2k SP 3

Any IDEA??? Been driving us nuts..
 
I've tracked this down further...

It appeas like the call to CreateThread() is not creating a new thread and
not returning to the application if i'm logged in as "User10". If I login as
"Administrator" everything works great!

The "User10" is part of the Administrators group.

Any IDEAS??
 
Glenn Kreisel said:
I have this issuing going on where I can access a piece of software
when I'm logged in as "Administrator" but I can not access it when I'm
logged in as "user10" who is part of the Administrators group.

Everything I look at says the "user10" should have the same access level
as the "Administrator" account.

What are the differences from the "Administrator" account and being part of
the "Administrators" group.

HELP
Click to expand...

hmm, now that is stranger. i would still check all the files associated
with the software and make sure they allow access to 'everyone', don't have
any deny's that might exclude other users, things like that... probably a
bit of a longshot but something worth looking at. also check any registry
entries for the software, if it was installed by 'Administrator' and not set
up specifically for all users to have access there may be some settings
stored in the 'Administrator' profile that wouldn't be accessible by other
users.

one way to test for account dependencies like that is to reinstall the
software as user10 and see if it works then. if it does then there is
something that is not getting setup the way you probably want.

you might also want to ask in a group for the specific language you are
using to see if there are any gotchas in the createthread call that is
failing.
 
The administrator is a member of the administrators group but the
administrator account may have different permissions and rights than the
administrators group. What may help is to enable auditing of object access
on that computer and audit the file/files/folder that the user is having
trouble accessing. I would also enable auditing of privilege use for success
and failure until the problem is resolved. Look in the security log of Event
Viewer for pertinent events. Also keep in mind that if the user is a member
of another group with deny permissions/user rights then that can cause
failed access. Filemon and regmon from SysInternals may also help you. The
links below should help more. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.sysinternals.com/ntw2k/source/filemon.shtml
 
Back
Top