A simple security question.

[Chris Conley]

Even though the Domain Admin is not on my allow list for a
specific resource he can still gain access correct? If I
implicitly deny access will he still be able to change the
security parms back to allow?

 

[Phillip Windell]

Yes. He just takes "ownership" of the object then sets the permission they
way he wants.

 

[Chris Conley]

-----Original Message-----
Yes. He just takes "ownership" of the object then sets the permission they
way he wants.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Even though the Domain Admin is not on my allow list for a
specific resource he can still gain access correct? If I
implicitly deny access will he still be able to change the
security parms back to allow?

.
I explicitly deny all control to the Domain Admin.

 

[Chris Conley]

What if I explicitly deny the Domain Admin Full control to
all of C: drive?

 

[Phillip Windell]

Try it and see.

 

[Richard G. Harper]

It's a waste of time since you cannot deny a domain admin or local admin the
right to take ownership of an object.

It might help us determine how we can really help you (instead of simply
answering questions) if you gave us a clue on what you're trying to
accomplish here.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Phillip Windell]

Just a guess,...maybe a user that wants to keep the IT Admin out of their
machine?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

It's a waste of time since you cannot deny a domain admin or local admin the
right to take ownership of an object.

It might help us determine how we can really help you (instead of simply
answering questions) if you gave us a clue on what you're trying to
accomplish here.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

What if I explicitly deny the Domain Admin Full control to
all of C: drive?

 

[Richard G. Harper]

That was my guess too ... just wondered if he'd say it out loud.

I am a Domain Admin. I control the horizontal. I control the vertical.
If only I were an Exchange Admin, so I could read your Email. ;-)

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Just a guess,...maybe a user that wants to keep the IT Admin out of their
machine?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

It's a waste of time since you cannot deny a domain admin or local admin the
right to take ownership of an object.

It might help us determine how we can really help you (instead of simply
answering questions) if you gave us a clue on what you're trying to
accomplish here.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

What if I explicitly deny the Domain Admin Full control to
all of C: drive?

 

[Steven L Umbach]

They would not be able to access or logon to the computer. Of course they could
always change it back. You have to be an administrator on the local computer to do
that. I would not recommend doing such unless authorized. --- Steve

 

[Jeff Cochran]

Even though the Domain Admin is not on my allow list for a
specific resource he can still gain access correct? If I
implicitly deny access will he still be able to change the
security parms back to allow?

Simple analogy. You can take all the keys to the kingdom away from a
Domain Admin, but he has the power to keys. You can't stop him (and
will likely only make him mad...).

Jeff

 

[Phillip Windell]

Simple analogy. You can take all the keys to the kingdom away from a
Domain Admin, but he has the power to keys. You can't stop him (and
will likely only make him mad...).

And that wouldn't be pretty. It might result in upgrading the PC to a
Manual Typewriter, a pencil sharpener and an Abacus.

 

[Richard G. Harper]

Pencil sharpener? You are generous to your minions, aren't you?

<VBG>

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Phillip Windell]

Pencil sharpener? You are generous to your minions, aren't you?

....can't have them sharpening it with a pocket knife,...they aren't allowed
to have weapons at work either... ;-)

 

[Richard G. Harper]

Ah - reasonable point.
I keep forgetting that not every workplace has scalpels. ;-)

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm