Is there a 'dominant administrator account'?

[Steve Hawkins]

I'm rather puzzled by behaviour of my account on a shared XPPro pc.

I have been having problems setting up Google Desktop for 2 admin users (see
my other thread - no takers yet), briefly, I can set up GD no probs: other
user gets 'invalid id' messages.

During investigation I am surprised to find that from my 'side' I am able to
read the other administrator user's files via Windows Explorer, but when I
am trying to look at things from 'her side' I cannot open my own folders.
This happens even after I have removed the log on password from my account.

I was also, a little disturbed to find that, even when I had the password
set, I could still remove it (or apparently remove it) from the other
administrator's account.

Can somebody tell me what is going on here?
Also, is it possible to set my account so that another administrator cannot
change my password without having to give it?
Might this phenomenon explain why one user is unable to load the GD
software.
I have looked at the security tab info for Windows Explorer and both users
have the same permissions apparently.
I have also wondered why our log on dialogues only allow for Administrator
Users, and Users, even though there are several other categories of user
when one looks in the Management screens?

Why is it that I seem to have 'super administrator' powers when it comes to
loading programmes and reading other people's files?

Any further helpful info would be much appreciated.

Regards,

Steve_H

 

[Kerry Brown]

By definition any administrator can do anything on a computer. You cannot
stop another administrator from changing your password or accessing your
files. You would have to change the other user to a standard user to stop
them from doing this. If you set your files as private or change the NTFS
permissions manually another administrator cannot access your files without
taking ownership. Once they take ownership they would have full access.

 

[Tom Porterfield]

I'm rather puzzled by behaviour of my account on a shared XPPro pc.

I have been having problems setting up Google Desktop for 2 admin users
(see my other thread - no takers yet), briefly, I can set up GD no probs:
other user gets 'invalid id' messages.

During investigation I am surprised to find that from my 'side' I am able
to read the other administrator user's files via Windows Explorer, but
when I am trying to look at things from 'her side' I cannot open my own
folders. This happens even after I have removed the log on password from
my account.
I was also, a little disturbed to find that, even when I had the password
set, I could still remove it (or apparently remove it) from the other
administrator's account.

Can somebody tell me what is going on here?
Also, is it possible to set my account so that another administrator
cannot change my password without having to give it?
Might this phenomenon explain why one user is unable to load the GD
software.
I have looked at the security tab info for Windows Explorer and both users
have the same permissions apparently.
I have also wondered why our log on dialogues only allow for Administrator
Users, and Users, even though there are several other categories of user
when one looks in the Management screens?

Why is it that I seem to have 'super administrator' powers when it comes
to loading programmes and reading other people's files?

Short answer, it sounds like you have marked your profile directory as
private and the other administrators have not. If they are admin, they can
still get to your files but the process is a multistep one. They would
first have to take ownership of your profile directory. Alternatively they
could go in and modify the security attributes on your profile directory.

The easiest way to toggle this setting is to go to the profile folder under
Documents and Settings, right click on the folder, go to the Sharing tab and
click the "Make this folder private..." line.

As far as changing another user's password, any admin can change anyone
elses password on the machine.

 

[Guest]

Thanks very much Kerry and Tom.

As it happens you are lucky to be getting a reply because, had I been able
to get at my pc yesterday I would not have known that my question had been
answered. I have been reading the newsgroups via Outlook Express, and had
often been miffed at apparently getting no replies to my queries. Yesterday
I checked on line via IE on another machine and found your two answers.
Today, back on my machine, there are no answers, but here you are still! I
probably owe apologies to a number of other helpers, certainly including R Mc
Carty, who I now find did answer my question about the hour glass icon for IE
back in July after all!

I've been using ntl, is that the problem?

Anyhow, back to the original question: I had not been using 'simple file
sharing' for some time since we got an HP printer which only had permissions
for administrators and 'power users', and we took ages to find this out
because 'simple file sharing' hides the 'security' tabs and we had no idea
they were there...

Thus I had not seen the 'make my folders private' dialogue for some time and
had forgotten that I had used this option prior to ending 'simple file
sharing'.

Now with your reminders I was able to open files from either side while I
checked out my problem with Google Desktop (Working for one Admin user but
getting into a loop in the set up dialogue for the second.)

I had been trying to 'give some permission' to the second user to use GD,
but try as I might could not do anything that made any difference at her end.


Then I 'gave up' and tried to get control of my folders back...

I had added the second user and/or administrator privilages to several of
the folders in my 'profile tree', in my experiments, and also experimented
with ownerships, so I wanted a quick way of setting all 'my' folders back to
'me only'.

Was surprised to find that re-establishing 'simple' file sharing and opting
to make my folders 'private', left all the extra permissions I had tried,
still in place.

With some trepidation I eventually used the strangely captioned tickbox
"replace permission entries on all child objects with entries shown here that
apply to child objects", and held my breath as all the folders in my profile
tree were reset to me plus system - which took some time. Then found that
despite this, many of 'my folders' were not under 'my ownership', so with
equal trepidation ticked to take ownership of all my subfolders, and waited
even longer than it had taken for the permissions to be changed, for the
reassignment to be finished.

Well, after all that, the last thing I expected was to find, when I switched
over to the other user's account, that Google Desktop was now 'cured' and
working fine!

I expect I've committed all kinds of fundamental errors in this procedure,
which no doubt some of you may enlighten me on, but it is very nice to have
the GD working properly, even if I don't really know why!

Kind regards,

Steve_H