Question about Access 2000 Security

[Jon Lewis]

I open Access 2000 logging on as User1 using MyCustom.mdw. User1 is a
member of the Admins group. The default user Admin has been removed from
the Admins group.

Ceating a new database, User1 owns the database and all the objects they
create.

All permissions for all objects are removed from the Users group and the
Admin and User1 users.

Full permissions for all objects are granted to the Admins group.

Database is closed & saved and Access is exited.

What I cannot understand is this:

If I try to open this new database without MyCustom.mdw (i.e. with just the
standard and unmodified system.mdw) I get the "You do not have the necessary
permisions to use the <New.mdb> object..." error message.

How can this be when in the standard system.mdw the default "Admin" user is
a member of the Admins group?

TIA

 

[Joseph Meehan]

I open Access 2000 logging on as User1 using MyCustom.mdw. User1 is a
member of the Admins group. The default user Admin has been removed
from the Admins group.

Ceating a new database, User1 owns the database and all the objects
they create.

All permissions for all objects are removed from the Users group and
the Admin and User1 users.

Full permissions for all objects are granted to the Admins group.

Database is closed & saved and Access is exited.

What I cannot understand is this:

If I try to open this new database without MyCustom.mdw (i.e. with
just the standard and unmodified system.mdw) I get the "You do not
have the necessary permisions to use the <New.mdb> object..." error
message.
How can this be when in the standard system.mdw the default "Admin"
user is a member of the Admins group?

TIA

Well if they made it that simple, how secure would the database be? You
need the mdw file that the file was secured under.

 

[Jon Lewis]

Are you saying then that the default Admins group in an unmodified
system.mdw file is different (i.e. has a different PID) to the default
Admins group in a different modified mdw file because if that is case why is
removing the default user Admin from the Admins group a basic Access
security implementation requirement?

 

[Joan Wild]

The Users Group and the Admin user is the same in every mdw. The Admins
Group is different. You do not want the common Admin user to have any
permissions in your secure database, so you don't want them to be a member
of the Admins Group.

 

[Jon Lewis]

That makes sense Joan. What is still confusing though is that if you remove
all explicit permissions for the Admin user and Users group and having
changed the ownership of any Admin owned objects why the need to remove the
Admin user from the Admins group when, if the Admins group is specific to a
MDW file, no implicit permissions would be inherited from the Admins group
of a different MDW file?

 

[Joan Wild]

If the Admin user is a member of the Admins Group, they *will* inherit all
the permissions you've given the Admins Group (in the new workgroup). The
Tools, security, permissions dialog shows you only explicit permissions, it
doesn't show you the implicit permissions that a user inherits from any
groups they are members of.

Presumably the Admins Group in your secure mdw has full permissions; if the
Admin user is a member of that group, they'll inherit all those permissions.

The permissions are stored in the mdb file, not in the mdw.

 

[Jon Lewis]

If the Admin user is a member of the Admins Group, they *will* inherit all

the permissions you've given the Admins Group (in the new workgroup).

But these will have no value with the secured MDB/E as it's the wrong Admins
group

The Tools, security, permissions dialog shows you only explicit
permissions, it doesn't show you the implicit permissions that a user
inherits from any groups they are members of.

Presumably the Admins Group in your secure mdw has full permissions; if
the Admin user is a member of that group, they'll inherit all those
permissions.

So what! You've given the Admin user a password in the secured MDW
- just as hard to crack as User1 (Legitimate member of Admins group)'s
password
although I suppose it's arguable that no Admin group members names would be
known.

Still think removing Admin from Admins is a bit of a red herring. <Grin>

Thanks for your input

 

[Joan Wild]

But these will have no value with the secured MDB/E as it's the wrong
Admins group

But the Admins Group in your secured mdw generally has full/complete
permissions in your secure mdb. You don't want the generic Admin User to
have these permissions.