Can someone point me to a resource that diffinatively states whether the
ability to create users and groups is limited to the Admins Group and that
the permission to do so can not be assigned to another group?

I created a new group and assigned Administrate permissions (and all the
other ones) to all items, including the database. Users in this group have
no problem assigning permissions to items to existing users, but are unable
to create new users.

I need a reference to confirm that this is the expected behavior that I can
show a client.

Thanks

I imagine (but have not tested) that any user or group who is granted
Administer permission on the database object, would be able to create
new users and groups. A user could be granted that permission without
being a member of the Admins group.

Try that out & see if it works. If it does, that would answer your
question conclusively. Post back here to say if it works.

HTH,
TC

I have tried it and on Access 2000 SP 3a administrative permissions on the
database and all of its objects does not appear to be suffiecent to create
users. Membership in the admins group appears required. However, I can not
find this explicitly documented anywhere. Some knowledgebase articles seem
to imply this is the case, but I am looking for something explicit.

Thanks

"TC" wrote:

> I imagine (but have not tested) that any user or group who is granted
> Administer permission on the database object, would be able to create
> new users and groups. A user could be granted that permission without
> being a member of the Admins group.
>
> Try that out & see if it works. If it does, that would answer your
> question conclusively. Post back here to say if it works.
>
> HTH,
> TC
>
>

Quoting from p 374 of "Microsoft jet Database Engine Programmers
Guide" from Microsoft Press (1995, Jet ver 3)

The Admins group is designed to hold user accouts for people who are
true administrators of the workgroup. They manage user and group
membership and have the power to clear users' passwords.


Thats as close as I have seen to something stating that you must be a
member of Admins to manage the user accounts.



On Fri, 15 Apr 2005 22:09:02 -0700, "P. Fogg" <P.
(E-Mail Removed)> wrote:

>I have tried it and on Access 2000 SP 3a administrative permissions on the
>database and all of its objects does not appear to be suffiecent to create
>users. Membership in the admins group appears required. However, I can not
>find this explicitly documented anywhere. Some knowledgebase articles seem
>to imply this is the case, but I am looking for something explicit.
>
>Thanks
>
>"TC" wrote:
>
>> I imagine (but have not tested) that any user or group who is granted
>> Administer permission on the database object, would be able to create
>> new users and groups. A user could be granted that permission without
>> being a member of the Admins group.
>>
>> Try that out & see if it works. If it does, that would answer your
>> question conclusively. Post back here to say if it works.
>>
>> HTH,
>> TC
>>
>>


**********************
(E-Mail Removed)
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security

Thank you. That's pretty close. Does it indicate whether those powers can
be deligated to another group?



"Jack MacDonald" wrote:

> Quoting from p 374 of "Microsoft jet Database Engine Programmers
> Guide" from Microsoft Press (1995, Jet ver 3)
>
> The Admins group is designed to hold user accouts for people who are
> true administrators of the workgroup. They manage user and group
> membership and have the power to clear users' passwords.
>
>
> Thats as close as I have seen to something stating that you must be a
> member of Admins to manage the user accounts.
>
>
>
> On Fri, 15 Apr 2005 22:09:02 -0700, "P. Fogg" <P.
> (E-Mail Removed)> wrote:
>
> >I have tried it and on Access 2000 SP 3a administrative permissions on the
> >database and all of its objects does not appear to be suffiecent to create
> >users. Membership in the admins group appears required. However, I can not
> >find this explicitly documented anywhere. Some knowledgebase articles seem
> >to imply this is the case, but I am looking for something explicit.
> >
> >Thanks
> >
> >"TC" wrote:
> >
> >> I imagine (but have not tested) that any user or group who is granted
> >> Administer permission on the database object, would be able to create
> >> new users and groups. A user could be granted that permission without
> >> being a member of the Admins group.
> >>
> >> Try that out & see if it works. If it does, that would answer your
> >> question conclusively. Post back here to say if it works.
> >>
> >> HTH,
> >> TC
> >>
> >>
>
>
> **********************
> (E-Mail Removed)
> remove uppercase letters for true email
> http://www.geocities.com/jacksonmacd/ for info on MS Access security
>

"P. Fogg" wrote in message:
news:355E626F-9E6D-415D-BA2C-(E-Mail Removed)...

> I have tried it and on Access 2000 SP 3a administrative permissions on the
> database and all of its objects does not appear to be suffiecent to create
> users. Membership in the admins group appears required. However, I can not
> find this explicitly documented anywhere. Some knowledgebase articles seem
> to imply this is the case, but I am looking for something explicit.

Yes, most of the documentation just implies that you must be a member
of the Admins group. You'll see it in a lot of code comments as well:
' Must be a member of the Admins Group

It's just one of those things that is "known" by people that use Access User
Level Security. In addition to the quote that Jack was able to find, here
is another one that you can freely use:

"You must me a member of the Admins Group in order to create and manage
Users and Groups."
- - Jeff Conrad Access Junkie, April 16th, 2005

Will that work for your client?
:-)

As TC touched upon, you can allow non-Admins users the ability to manage
user accounts by "temporarily" giving them Admin-type rights for a split
second. You do this by creating a new temporary workspace of someone
who is a member of the Admins group. There is information on this subject
in the Security FAQ which you can find here:

http://support.microsoft.com/?kbid=207793

--
Jeff Conrad
Access Junkie
Bend, Oregon

Thanks for your help.

"Jeff Conrad" wrote:

> "P. Fogg" wrote in message:
> news:355E626F-9E6D-415D-BA2C-(E-Mail Removed)...
>
> > I have tried it and on Access 2000 SP 3a administrative permissions on the
> > database and all of its objects does not appear to be suffiecent to create
> > users. Membership in the admins group appears required. However, I can not
> > find this explicitly documented anywhere. Some knowledgebase articles seem
> > to imply this is the case, but I am looking for something explicit.
>
> Yes, most of the documentation just implies that you must be a member
> of the Admins group. You'll see it in a lot of code comments as well:
> ' Must be a member of the Admins Group
>
> It's just one of those things that is "known" by people that use Access User
> Level Security. In addition to the quote that Jack was able to find, here
> is another one that you can freely use:
>
> "You must me a member of the Admins Group in order to create and manage
> Users and Groups."
> - - Jeff Conrad Access Junkie, April 16th, 2005
>
> Will that work for your client?
> :-)
>
> As TC touched upon, you can allow non-Admins users the ability to manage
> user accounts by "temporarily" giving them Admin-type rights for a split
> second. You do this by creating a new temporary workspace of someone
> who is a member of the Admins group. There is information on this subject
> in the Security FAQ which you can find here:
>
> http://support.microsoft.com/?kbid=207793
>
> --
> Jeff Conrad
> Access Junkie
> Bend, Oregon
>
>
>

"P. Fogg" wrote in message:
news:BCEA74F5-2049-4706-927D-(E-Mail Removed)...

> Thanks for your help.

You're welcome, good luck with your project.

I also noticed a small typo in my previous response, sorry.
The quote should look like this:

"You must be a member of the Admins Group in order to create and manage
Users and Groups."
- - Jeff Conrad Access Junkie, April 16th, 2005

--
Jeff Conrad
Access Junkie
Bend, Oregon

No it doesn't say.


On Sat, 16 Apr 2005 09:43:01 -0700, "P. Fogg" <P.
(E-Mail Removed)> wrote:

>Thank you. That's pretty close. Does it indicate whether those powers can
>be deligated to another group?
>
>
>
>"Jack MacDonald" wrote:
>
>> Quoting from p 374 of "Microsoft jet Database Engine Programmers
>> Guide" from Microsoft Press (1995, Jet ver 3)
>>
>> The Admins group is designed to hold user accouts for people who are
>> true administrators of the workgroup. They manage user and group
>> membership and have the power to clear users' passwords.
>>
>>
>> Thats as close as I have seen to something stating that you must be a
>> member of Admins to manage the user accounts.
>>
>>
>>
>> On Fri, 15 Apr 2005 22:09:02 -0700, "P. Fogg" <P.
>> (E-Mail Removed)> wrote:
>>
>> >I have tried it and on Access 2000 SP 3a administrative permissions on the
>> >database and all of its objects does not appear to be suffiecent to create
>> >users. Membership in the admins group appears required. However, I can not
>> >find this explicitly documented anywhere. Some knowledgebase articles seem
>> >to imply this is the case, but I am looking for something explicit.
>> >
>> >Thanks
>> >
>> >"TC" wrote:
>> >
>> >> I imagine (but have not tested) that any user or group who is granted
>> >> Administer permission on the database object, would be able to create
>> >> new users and groups. A user could be granted that permission without
>> >> being a member of the Admins group.
>> >>
>> >> Try that out & see if it works. If it does, that would answer your
>> >> question conclusively. Post back here to say if it works.
>> >>
>> >> HTH,
>> >> TC
>> >>
>> >>
>>
>>
>> **********************
>> (E-Mail Removed)
>> remove uppercase letters for true email
>> http://www.geocities.com/jacksonmacd/ for info on MS Access security
>>


**********************
(E-Mail Removed)
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security

Jeff Conrad wrote:

(snip)

> As TC touched upon, you can allow non-Admins users the ability to
manage
> user accounts by "temporarily" giving them Admin-type rights for a
split
> second. You do this by creating a new temporary workspace of someone
> who is a member of the Admins group.

Jeff, that's not what I suggested. I suggested giving a
non-admins-group member, 'Administer' permission on the database
object.

It seems that no-one has a definitive reference for the OP's question
:-)

The fact that "members of the Admins group can create new users &
groups", does not logically imply that you *must* be a member of the
Admins group in order to do that. Logically speaking, it could still be
possible to delagate that permission to some other user or group. That
is what the OP asks. I would have thought 'yes', but everyone else is
saying 'no'.

I'll do some testing myself, & post back here within a few days. My aim
will be to create a user who is *not* a member of the Admins group, but
who *can* create new users & groups. This would definitively answer the
OP's question.

Cheers all,
TC