
User Profiles owned by Administrators security group - Not the user.



Posted

Hi,

 

I'm running into file ownership and permission problems, especially as it pertains to users' redirected folders. I'm finding that if a user should become a member of the domain Administrators security group, any files created or modified during that time will be owned by the Administrators group and the permissions will not include the user. Once the user is removed from the Administrators group, they will no longer have access to these files.

Examples of the problems this causes:

1) The user opens Outlook while a member of the Administrators group. After returning to Domain Users, Outlook fails because the user no longer has permission to the MSO1033.acl file.

2) Parts of folder redirection revert back to the local profile due to permission problems.

I suspect this problem is with all Windows products, i.e. a home Windows XP user that was once an Administrator will find their profile to be inaccessible if they should ever become a standard user.

Reference:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsce_ctl_gstb.mspx?mfr=true

Any ideas on how to circumvent this problem (other than to never remove a user from the Administrators and/or Domain Admins group)?

 

--

Thanks,

Bob

Guest Chang Yin
Posted

RE: User Profiles owned by Administrators security group - Not the user.

 

Hello Bob,

 

Thank you for your post. This is George and I will be assisting you in this

post.

 

From your description, I understand that:

 

Firstly, you added a normal user to the Administrators group, logged on as this user, and then made some changes or created a folder. After a while, you removed this user from the Administrators group. Then you found that some folders or files can't be changed by the same user.

If there is any misunderstanding, please let me know.

Analysis:

===========

Actually, this is a by-design feature since Windows NT, but it has been changed in Windows Vista. When any files or folders are created by a member of the Administrators group, the ownership will be set to the Administrators group by default. So after the member is removed from the Administrators group, he will no longer have the administrative permission for that file or folder, because the owner is still the Administrators group.

Suggestion:

===========

For Windows Server 2003 and Windows XP, we have a group policy to adjust this behavior:

Open an appropriate GPO in Group Policy Object Editor, navigate to "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> System Objects: Default owner for objects created by members of the Administrators group". You can change the value here to "Object creator".

Please note that the above setting only affects files created after this policy setting is applied. For previously-created files, the ownership will not be replaced automatically.

Also, I have established a similar test environment and checked the above group policy setting. It worked as expected on my test server.

By the way, just for your reference, it is a "Best Practice" suggestion that all IT administrative engineers use "normal" user accounts when not performing administrative tasks, and use the "RUN AS" command to launch administrative tasks in Administrator context while still logged on as normal users. Also, Administrator privileges should only be assigned to trusted engineers on server-based computers.

 

I hope this helps. Thank you and have a nice day!

 

Sincerely,

George Yin

Microsoft Online Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
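The policy George describes only changes the owner of objects created after it is applied, so the files already owned by the Administrators group (the MSO1033.acl case, and the redirected-folder files Bob mentions) still have to be repaired by hand. The following PowerShell script is an added example, not part of the original thread or anything Microsoft published with it. It assumes that the "System objects: Default owner for objects created by members of the Administrators group" policy maps to the `NoDefaultAdminOwner` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = "Object creator", 0 = "Administrators group"), and the redirected-folder path and user name in it are placeholders. It checks that the policy has actually been applied, lists every object under the redirected folder that is still owned by BUILTIN\Administrators, and hands those objects back to the user with Full Control.

```powershell
# Added example (not from the original post). Run from an elevated session:
# changing the owner of an object to another principal requires the
# SeRestorePrivilege that administrators hold.

$RedirectedRoot = '\\fileserver\Users$\bob'   # assumption: root of the user's redirected folders
$UserName       = 'CONTOSO\bob'               # assumption: the user who should own the files

# 1. Confirm the policy has taken effect on this machine.
#    1 = "Object creator", 0 (or absent) = "Administrators group".
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$setting = (Get-ItemProperty -Path $lsaKey -Name NoDefaultAdminOwner -ErrorAction SilentlyContinue).NoDefaultAdminOwner
if ($setting -ne 1) {
    Write-Warning ("NoDefaultAdminOwner is '{0}'. New files created by administrators will still be owned by " +
                   "BUILTIN\Administrators. Run 'gpupdate /force' and check again before cleaning up.") -f $setting
}

# 2. Find everything the user no longer owns. S-1-5-32-544 is the well-known SID of
#    BUILTIN\Administrators; translating it avoids hard-coding a localized group name.
$adminSid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminOwner = $adminSid.Translate([System.Security.Principal.NTAccount]).Value

$orphaned = @(Get-ChildItem -Path $RedirectedRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -Path $_.FullName).Owner -eq $adminOwner })

'{0} object(s) under {1} are owned by {2}' -f $orphaned.Count, $RedirectedRoot, $adminOwner

# 3. Give ownership back to the user and make sure the user has Full Control.
#    Folders get inheritable rules so that files created later under them are covered;
#    files get a plain rule (inheritance flags are not valid on a file).
$userAccount = New-Object System.Security.Principal.NTAccount($UserName)
foreach ($item in $orphaned) {
    $acl = Get-Acl -Path $item.FullName
    $acl.SetOwner($userAccount)

    $inheritance = if ($item.PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $userAccount, 'FullControl', $inheritance, 'None', 'Allow')
    $acl.AddAccessRule($rule)

    Set-Acl -Path $item.FullName -AclObject $acl
    'Repaired: {0}' -f $item.FullName
}
```

Run the script once per affected user after the policy has been applied; the warning in step 1 is the check that matters, because cleaning up old files while `NoDefaultAdminOwner` is still 0 just means the problem comes back the next time the user is temporarily made an administrator.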

Posted

Re: User Profiles owned by Administrators security group - Not the user.

 

Thanks George,

 

I'll give it a try!

 

--

Thanks,

Bob

Guest Chang Yin
Posted

Re: User Profiles owned by Administrators security group - Not the user.

 

Hello Bob,

 

Thank you for the reply.

 

If this method doesn't work, please feel free to let me know. I look forward to your reply.

 

Have a nice day!

 

Sincerely,

George Yin

Microsoft Online Support

Microsoft Global Technical Support Center

 


Posted

Re: User Profiles owned by Administrators security group - Not the user.

 

Okay George, I gave it a try and it seems to work just fine. Glad to hear that Vista (and presumably Windows 2008) have made this a default setting. It was a real pain to have to fix all the ACLs that became inaccessible after removing the Administrators group from a particular user. Your suggestion should stop any future problems in that area.

 

--

Thanks,

Bob

Guest Chang Yin
Posted

Re: User Profiles owned by Administrators security group - Not the user.

 

Hello Bob,

 

Thank you for getting back to me.

 

Hope everything goes well.

 

It's been a pleasure working with you. If you need further assistance,

please feel free to let me know.

 

Have a nice day!

 

Sincerely,

George Yin

Microsoft Online Support

Microsoft Global Technical Support Center

 
