Remove Administrators from Ownership Tab

[Guest]

Hi,

I want to remove the "Administrators" group and "Administrator" user from
the ownership tab. This is required so that even the administrators of the
machine cannot change the permissions and / or take the ownership of the
folders.

Thanks

Rajesh Thareja

 

[Shenan Stanley]

I want to remove the "Administrators" group and "Administrator"
user from the ownership tab. This is required so that even the
administrators of the machine cannot change the permissions and /
or take the ownership of the folders.

If a user is an administrator - and they know what they are doing - they can
do whatever they want on the machine for which they are administrator.

 

[Guest]

Dear Stanley,

I understand what you are saying. But I want to separate my folder
structures in such a way that even administrator should not have any access
to a specific folder.

I have simple straight question that is it possible to some how restrict an
administrator to take ownership of a folder.

Rajesh

 

[Shenan Stanley]

I want to remove the "Administrators" group and "Administrator"
user from the ownership tab. This is required so that even the
administrators of the machine cannot change the permissions and /
or take the ownership of the folders.

If a user is an administrator - and they know what they are doing -
they can do whatever they want on the machine for which they are
administrator.

I understand what you are saying. But I want to separate my folder
structures in such a way that even administrator should not have
any access to a specific folder.

I have simple straight question that is it possible to some how
restrict an administrator to take ownership of a folder.

Can't be done. That's my point.
Not with file/folder permissions or anything of that nature.

You can encrypt them/secure them with a password with a third party
application or even just in a ZIP folder.. But you cannot limit the
administrative level user unless you make them NOT administrative level
users.

An administrator can do what they want on a system. That is by design.
They have FULL rights and can take back any rights denied to them by
forceful means and there is no way around that other than removing their
rights.. This may sound dumb - but you have to consider what responsibility
the administrator is supposed to have. They administer the computer and
everything on it. They have to be "all powerful" to do this. They have to
have access to the files/folders on the system - so no mechanism in Windows
takes away this right.

You can password protect the folder (sort of).. Use the built in compression
utility, a third party utility or EFS or some similar third party
application like it to compress & password/encrypt the data within a folder.
You should be careful and follow very strict and recommend practices for
such things - because not even the administrator can help you if you
misplace the key/do the wrong thing.

 

[Doug Knox MS-MVP]

Use Group Policies. Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment. Take ownership is one of the valid Group Policies that you can apply.

 

[Shenan Stanley]

Use Group Policies. Local Computer Policy, Computer
Configuration, Windows Settings, Security Settings, Local Policies,
User Rights Assignment. Take ownership is one of the valid Group
Policies that you can apply.

Curiosity question:

Does that really do anything to another administrator who would also know
(or be able to ask) how to UNDO that?

 

[Doug Knox MS-MVP]

As you pointed out, an Administrator can do just about anything they want. If they know enough, there isn't much you can do to stop them.

 

[Guest]

Thanks for the tip,

I will try this and see if it works.

Thanks once again.

 

[Guest]

On a domain, by using this group policy we will be able to restrict he local
administrators from modifying the ownerships.

So you can have a hierarchy where the super admin will have a better control
then the local administrator.

It would be even better if some how we can disable the local administrators
of the machines.

Rajesh Thareja
http://www.slcltd.com

As you pointed out, an Administrator can do just about anything they want. If they know enough, there isn't much you can do to stop them.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Leythos]

Hi,

I want to remove the "Administrators" group and "Administrator" user from
the ownership tab. This is required so that even the administrators of the
machine cannot change the permissions and / or take the ownership of the
folders.

There is NOTHING you can do to prevent an Administrator from doing
anything they want with your computer/files, that's why you only make
Administrators that you trust.

If you have something to hide on your computer, move them to your home
computer.

If you have secure information and you don't trust your Administrator,
well, it's time to get new administrators.

 

[Robert Moir]

On a domain, by using this group policy we will be able to restrict
he local administrators from modifying the ownerships.

So you can have a hierarchy where the super admin will have a better
control then the local administrator.

It would be even better if some how we can disable the local
administrators of the machines.

Perhaps, and this is just a wild thought here, not giving admin level
accounts to people you do not trust might just do the trick. As has been
pointed out to you, administrators essentially "own" the machines that they
are administrators on. Instead of giving everyone admin rights and then
getting into an arms race with them, do not give out administrator rights to
anyone you do not trust to have them.


--
--
Rob Moir, Microsoft MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".

 

[Bruce Chambers]

I have simple straight question that is it possible to some how restrict an
administrator to take ownership of a folder.

Rajesh

Simple, straight answer: It can't be done.

If you have a user whom you cannot trust, do not give him/her
administrative privileges.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

 

[Bruce Chambers]

On a domain, by using this group policy we will be able to restrict he local
administrators from modifying the ownerships.

On a domain, normal users are *not* nortmally granted administrative
privileges; doing so completely undermines the whole point of domain
security.

So you can have a hierarchy where the super admin will have a better control
then the local administrator.

There's no such thing as a "super admin." Are you refering to the
Domain Administrator, as opposed to local workstation Administrators?

It would be even better if some how we can disable the local administrators
of the machines.

There's no need to disable the local administrators group. In feact,
if you do, you won't be able to centrally manage the domain's
workstations. Simply don't allow users administrative privileges.





--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

 

[Kerry Brown]

Delete all local administrator accounts (except the default administrator)
from the machines. Give the default local administrator a strong password.
Don't give out the password. Make sure domain accounts are not allowed local
administrator permissions. Delegate control of specific OU's via the
delegate control wizard in the Active Directory Users and Computers console.
Don't give out domain administrator accounts. This is pretty basic domain
management. Even with this anyone who somehow gets local administrator
status could undo all the local changes and someone with domain admin status
could undo domain changes. The answer is simple. Don't give administrator
accounts to people who don't need them.

--
Kerry
MS-MVP Windows - Shell/User

On a domain, by using this group policy we will be able to restrict
he local administrators from modifying the ownerships.

So you can have a hierarchy where the super admin will have a better
control then the local administrator.

It would be even better if some how we can disable the local
administrators of the machines.

Rajesh Thareja
http://www.slcltd.com

 

[Steven L Umbach]

Though technically it can be done as Doug suggested I agree with the others
that except for fairly unknowledgeable users you can not expect such to
realistically provide any measure of security. Also keep in mind that local
administrators can backup and restore data on the computer which means that
they can access non encrypted files without being the owner or having any
permissions. --- Steve