Guest Bob
Posted December 13, 2007

Hi,

I'm running into file ownership and permission problems, especially as it pertains to users' redirected folders. I'm finding that if a user should become a member of the domain Administrators security group, any files created or modified during that time will be owned by the Administrators group and the permissions will not include the user. Once the user is removed from the Administrators group, they will no longer have access to these files.

Examples of the problems this causes:

1) The user opens Outlook while a member of the Administrators group. After returning to Domain Users, Outlook fails because the user no longer has permission to the MSO1033.acl file.

2) Parts of folder redirection revert back to the local profile due to permission problems.

I suspect this problem is with all Windows products, i.e. a home Windows XP user that was once an Administrator will find their profile to be inaccessible if they should ever become a standard user.

Reference: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsce_ctl_gstb.mspx?mfr=true

Any ideas on how to circumvent this problem (other than to never remove a user from the Administrators and/or Domain Admins group)?

--
Thanks,
Bob
Guest Chang Yin
Posted December 14, 2007

RE: User Profiles owned by Administrators security group - Not the user.

Hello Bob,

Thank you for your post. This is George and I will be assisting you in this post.

From your description, I understand that: firstly you added a normal user to the Administrators group, logged on using this user, and then made some changes or created a folder. After a while, you removed this user from the Administrators group. Then you found some folders or files can't be changed by the same user. If there is any misunderstanding, please let me know.

Analysis:
===========

Actually, this is a by-design feature since Windows NT but has been changed in Windows Vista. When any files or folders are created by a member of the Administrators group, the ownership will be set to the Administrators group by default. So after the member is removed from the Administrators group, he will no longer have the administrative permission for that file or folder, because the ownership is still the Administrators group.

Suggestion:
===========

For Windows Server 2003 and Windows XP, we have a group policy to adjust this behavior: open an appropriate GPO in Group Policy Object Editor, navigate to "Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> System Objects: Default owner for objects created by members of the Administrators group". You can change the value here to "Object creator".

Please note that the above setting only affects files created after this policy setting is applied. For previously-created files, the ownership will not be replaced automatically.

Also, I have established a similar test environment and checked the above group policy setting. It worked as expected in my test server.

By the way, just for your reference, it is a "Best Practice" suggestion that all IT administrative engineers use "normal" user accounts when not performing administrative tasks, and use the "RUN AS" command to launch administrative tasks in Administrator context while still logged on as normal users. Also, Administrator privileges should only be assigned to trusted engineers on server-based computers.

I hope this helps. Thank you and have a nice day!

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - http://www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
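The following PowerShell script is an added example to illustrate the reply above; it is not from the original thread and not Microsoft's own code. It does the two things George's answer separates: it checks whether the "Default owner for objects created by members of the Administrators group" policy is in effect on the machine it runs on (the policy is backed by the REG_DWORD NoDefaultAdminOwner under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, 1 meaning "Object creator"), and, since the policy does not touch existing files, it audits a redirected folder for objects still owned by BUILTIN\Administrators with no ACE for the user and optionally hands them back with icacls. The path in $Root and the account in $User are placeholders (assumptions), and the script assumes an elevated PowerShell session on a host that has icacls.

```powershell
# Added example, not from the original thread or from Microsoft. Assumptions:
#  - runs in an elevated PowerShell session on Windows XP/2003 or later with icacls
#  - $Root and $User below are placeholders for a real redirected folder and account
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = '\\FILESERVER\Redirected$\bob\My Documents',  # assumed path
    [string]$User = 'CONTOSO\bob',                                  # assumed account
    [switch]$Fix                                                    # repair instead of only reporting
)

# The GPO "System Objects: Default owner for objects created by members of the
# Administrators group" is stored as the REG_DWORD NoDefaultAdminOwner under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa: 1 = Object creator, 0/absent = Administrators group.
function Get-DefaultAdminOwnerPolicy {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $lsa -Name NoDefaultAdminOwner -ErrorAction SilentlyContinue
    if ($p -and $p.NoDefaultAdminOwner -eq 1) { 'ObjectCreator' } else { 'AdministratorsGroup' }
}

# Report files and folders under $Path that are owned by BUILTIN\Administrators and whose
# DACL (explicit or inherited) carries no Allow ACE naming $Account directly.
# Caveat: access granted through group membership is not expanded, so hits are
# candidates to review, not proof that the user is locked out.
function Find-AdminOwnedWithoutUser {
    param([string]$Path, [string]$Account)
    $adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value  # BUILTIN\Administrators
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $userAllowed = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account }
        if ($acl.Owner -eq $adminName -and -not $userAllowed) { $_.FullName }
    }
}

# Hand ownership and Full Control back to the user. icacls is used instead of Set-Acl
# because assigning ownership to a principal other than yourself needs SeRestorePrivilege,
# which icacls enables for an elevated caller while Set-Acl does not.
function Repair-Owner {
    param([string]$Path, [string]$Account)
    & icacls $Path /setowner $Account /C | Out-Null
    & icacls $Path /grant "${Account}:(F)" /C | Out-Null
}

$policy = Get-DefaultAdminOwnerPolicy
Write-Host "Default owner for objects created by Administrators members: $policy"
if ($policy -ne 'ObjectCreator') {
    Write-Warning ('Set the GPO to "Object creator", or equivalently: reg add ' +
        '"HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v NoDefaultAdminOwner /t REG_DWORD /d 1 /f')
}

$hits = @(Find-AdminOwnedWithoutUser -Path $Root -Account $User)
Write-Host ("{0} object(s) under {1} owned by Administrators with no ACE for {2}" -f $hits.Count, $Root, $User)
foreach ($h in $hits) {
    if ($Fix -and $PSCmdlet.ShouldProcess($h, "setowner and grant (F) to $User")) {
        Repair-Owner -Path $h -Account $User
    } else {
        Write-Host "  $h"
    }
}
```

Run it once without -Fix to see the list, then with -Fix -WhatIf to preview and -Fix to repair. One caveat worth keeping in mind: the default owner is fixed in the access token on the machine that creates the logon token, so for redirected folders living on a file server the policy has to reach the file server, not only the user's workstation.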
Guest Bob
Posted December 14, 2007

Re: User Profiles owned by Administrators security group - Not the user.

Thanks George, I'll give it a try!

--
Thanks,
Bob
Guest Chang Yin
Posted December 17, 2007

Re: User Profiles owned by Administrators security group - Not the user.

Hello Bob,

Thank you for the reply. If this method doesn't work, please feel free to let me know. I look forward to your reply.

Have a nice day!

Sincerely,
George Yin
Microsoft Online Support
Guest Bob
Posted December 20, 2007

Re: User Profiles owned by Administrators security group - Not the user.

Okay George, I gave it a try and it seems to work just fine. Glad to hear that Vista (and presumably Windows 2008) have made this a default setting. It was a real pain to have to fix all the ACLs that became inaccessible after removing the Administrators group from a particular user. Your suggestion should stop any future problems in that area.

--
Thanks,
Bob
Guest Chang Yin
Posted December 20, 2007

Re: User Profiles owned by Administrators security group - Not the user.

Hello Bob,

Thank you for getting back to me. Hope everything goes well. It's been a pleasure working with you. If you need further assistance, please feel free to let me know.

Have a nice day!

Sincerely,
George Yin
Microsoft Online Support