View Full Version : i want to give users more access, not full control
08-04-2001, 01:41 AM
hello....i am running win2k and ihave a problem...i am the admin and i have a 1 power user account...i often use that account, but i do not give it full control because i have some legal documents and personal information that is hidden and inaccessable by others in a certain directory....
what i want to do is give that power user account full access to the computer(access to edit the registry and install drivers and programs), but i dont want whomever who is on this computer to have access to my financial and personal information...what should i do? is there any user more powerful than a power user but less powerful than an admin?
thanks a lot
08-04-2001, 02:32 AM
Apply Win2K the way is was designed for: manage your file system objects with permissions. No need to modify Power User group as such.
You have two ways:
add permissions to the folders that contain your confidential data and any folder below. By setting this permission you remove the rights of all other users and user groups from this (these) specific folders.
if it gets more complex (multiple users with same permissions):
create a new User Group, and add/remove the priviledged users to this. Then rather managing the file system object permission for each individual user, give permission to the group.
Howto: check both my responses in the following thread and the one metioned there too:
<a target="_blank" href=http://forums.winguides.com/showthreaded.php?Cat=&Board=secwinnt&Number=18879&page=0>http://forums.winguides.com/showthreaded.php?Cat=&Board=secwinnt&Number=18879&page=0</a>
Regards - Richard
08-04-2001, 10:43 AM
here is what i did...i created a new user group called subadmin, and i put the main user under that group...i then went into the permissions and disallowed any subadmins from accessing those folders in any way...the only problem is that the subadmin is able to change the permissions...how can i take away the power to change permissions while leaving the power to access everything else?
i know that somewhere within windows 2000 there has to be a place where you can dictate the privelages user groups have over eachother...
thanks a lot richard....
08-04-2001, 10:52 AM
im an idiot so i replied to my own post...just making sure you see my message...thanks a lot
08-04-2001, 02:59 PM
message to yourself received /images/w3t/icons/smile.gif
"...disallowed any subadmins from accessing those folders in any way..."
if you disallowed by Denying permissions, take care: denial will be considered before any allowing permissions and you may be locking out users.
What J learnt for WinNT/2K is, that it is better to be positive - give some entity a permission (eg via an additional usergroup).
"...the only problem is that the subadmin is able to change the permissions..."
It seems to me that Ownership of the folder belongs still to the original user, and if that happened to be any Admin, then ownership goes to the Administrators group. Please follow the links given above to see how you take over ownership of an object and give it to the new usergroup (J don't want to retype - thanks).
Regards - Richard
08-04-2001, 10:42 PM
exactly where do i go to disclose the permissions i want to give? i re-created the folder with the admin user name, and now the subadmin doesnt have access to it, but how would i give the subadmin access to everything in the computer, such as the registry and access to editing all files except those forbidden my the admin?
08-06-2001, 09:19 PM
(1) from your wording J am not sure if you are mixing Users and User Groups. Each User may belong to one or more user groups.
To help administrating a machine, your Windows system comes with a set of predefined user Groups: Administrators, Power Users, Users and Guests, Backup Operator etc. They have some predefined specific permissions.
The initial admin account defined at setup time is allocated to Administrators group. Any other newly created user accounts is first standalone and you can allocate it to one of these initial groups or one you created yourself.
If a new user needs admin rights, you allocate him/her to Administrators and the person gets all administrative rights. There is nothing like a "subadmin" to start with.
Don't mix a users permission to access the file system with the function permissions as allocated to the initial user groups. The Administrators have one permission that normal users don't have: they can take ownership of any file system object belonging to someone else. For non-admin users, the current owner specifies who (if anyone) may take ownership and change the attributes on file system object. The user account creating a file system object becomes its initial owner, even if created in a directory owned by someone else (as example: if you don't like that, don't give others permission to write to the directory).
(2) now back to your problem:
So to have a protected directory: define it using your username (doesn't matter if you are member of Administrators or not).
Then claim exclusive ownership (if you are member of Administrators, all file system objects become initially also accessible to this group, depending where you opened that directory, you may be inheriting permissions). Open Windows Explorer and goto the directory that contains the folder you want to have private.
Right-click and choose Properties, then select the Security tab.
First make sure, that you are the real owner of this folder (then only another admin can take away this directory from you, but you will notice this breach of privacy):
click the Advanced button, and on the new dialog the Owner tab. If you are not listed in the top shaded area as the owner, choose your Id in the list below, use the checkbox to propagate to possibly existing lower level items and Apply. OK button to quit dialog.
Then back on the Security tab: should you not be in the list of the permitted users, add yourself with the Add... button. Click on any other entry and then the Remove button. Make sure, that the Inherit checkbox is not marked. Make sure you have marked full access permission for you. Click OK and its yours only.
Should you want to run applications out of this directory (and not only keep data in it), you may have to have user SYSTEM included in above user list (with either full control or read & execute permission).
(3) should anyone else need to access this data:
Goto the Security tab as before, Add any user (or user group you defined for this purpose) and make sure they have only the basic permissions to the directory (Read, possibly Write, etc). Never set "may take ownership" or that user or any member of that user group may grab it from you.
(4) functionality such as Registry access:
There is a set of Policies that control access to tools and functions. Use GPEDIT.MSC (from Start>Run ) to handle other restrictions. But you can also use plain file system object permissions as seen before to restrict access to exe files (eg Regedit.exe). There are several ways to get to the final result. A bit difficult to discuss in a forum message.
(5) "...registry and access to editing all files except those forbidden my the admin..."
as mentioned in my previous post: don't forbid things (don't use Deny permission) - allow them.
Define user groups to control things (eg "FinanceDataReaders" or "FinanceDataWriters"), if necessary define conceptual user accounts ("FinanceData") just for the purpose of controlling things - make them exclusive owner of objects, then have access permissions defined to others (individuals or groups).
Regards - Richard
08-19-2001, 09:03 PM
Sorry i havent replied in a while, but i have been very busy with work. Okay, i have tried what you told me to do but apparently i do not have enough knowledge of windows 2000 to do it...WHere and HOW do i define what the groups have access to. I want my subadmin to have complete access to everything, except what is forbidden by the administrator. This means that they can do everything on my computer except for accessing one directory which has financial information.
Thanks a lot for your time
08-20-2001, 01:39 AM
"...WHere and HOW do i define what the groups have access to..."
at the object you want to manage (or say protect, or give special permissions for) - not the user or user group.
in Windows Explorer select the file system object (file or folder), then right-click, open the Properties dialog, then choose Security tab. Next follow pt (2) in my previous post.
"...I want my subadmin to have complete access to everything, except what is forbidden by the administrator...."
Maybe J am repeating myself, in Win2K you do not have such a thing as a "Subadmin", eg an Admin with less rights (basic rule for standalone systems - if you are on a domain with Active Directory, you can use Group Policies and delegate certain admin functionality). And J told you, best not deny permissions, cause the result of merging permissions for a user from different sources may not be what you want (denying will override positive access permissions).
"...that they can do everything on my computer except for accessing one directory which has financial information..."
Yes. Just follow pt (2) of my previous post to first secure the Financial directory (of course if it exists, no need to create it again) by making sure that you personally (eg your account) is the only owner - and not the Administrators group. Then your "subadmins" are locked out of it.
If a "subadmin" would want to look at this private data, he / she would have to take over ownership, and you would notice this, cause you could see this if you check it. If the subadmin who does such an action is not very clever, you may loose your access rights and notice it this way. But if you want to be quite sure what's going on, you can setup auditing on this directory and then check if someone was trying to access this folder.
"..., i have tried what you told me to do ..."
try to tell me which steps you can do and where my description is insufficient.
Regards - Richard
08-20-2001, 04:53 AM
okay, i understand it so far..now my problem is giving the subadmins access to EVERYTHING on my computer..i did what you said and now they cannot access the finacial directory...but they also cannot install certain programs...i want them to have access to everything but that directory...
08-20-2001, 06:10 AM
"...my problem is giving the subadmins access to EVERYTHING on my computer..."
as J mentioned in my previous post, you either have regular users (with varying restrictions) or you have administrators with full rights. You allocate the user accounts to the Administrators group and they inherit all rights of this group - that is full control over this machine.
Once more: there is no such thing as a subadministrator with less rights than the initial Admin account that was setup during installation of the operating system.
Open the ControlPanel > Users and Passwords applet.
Choose Advanced tab.
In area Advanced User Management click button Advanced.
The MMC with Local Users and Groups opens.
Click on the Users node in the tree view.
For each account (person) that should have "EVERYTHING" do:
- double-click the account (or right-click on the account and choose Properties)
- in the user Properties choose "Member of" tab
- click the Add... button
- click on the Administrators group entry (probably the top one), click on Add button (or just double-click that entry).
- click OK -> you will see all groups the user belongs to (by default when creating the account, it was given to the "Users" group).
- click OK
- repeat until all done
Use one of the accounts to verify your settings, especially privacy of that Finance directory. Create an extra test account if you don't want to use someone elses account.
Regards - Richard
08-20-2001, 08:04 AM
Hi - J ust want to add these remarks:
(1) J was refering to the admins rights, these priviledges are primary of functional nature, and do not refer to the permission of the file system. That means that an admin still only has access to data that the owner of an object has granted him (granted either to another account personally, or to a user group).
The only special right that any admin has in regard to the file system, is the right to take ownership of an object away from any other user account and assign it to the Administrators group.
(2) J followed your request to show how to setup security the way you wished to have it. From my point of view this setup is "sub-optimal".
Reasoning: Win2K was built to support secure data processing. When each user has Admin rights, this works against this design target. Eg when a person without admin rights picks up a virus, the chances are that it will be contained only in the files of that user. If that user only has read and execute rights on program files, the virus cannot infect that software. For a user with admin rights this virus can spread across the whole machine and infect each account and anything it wishes.
Better approach: Have a single Admin account (the one from installation) and share its password among the group of users. Teach the group to only do most necessary maintenance work and software installation using this Admin account. For daily work, each user should login with their personal account, and have this allocated either to user group "User" or "Power User" only.
Regards - Richard