Network Security Focus-Microsoft

Re: RESPONSE: Users "bypassing" Group Policy restrictions

Date: Sat, 29 Jan 2005 23:49:21 +0100
On 2005-01-28 Miroslaw Slawek Chorazy wrote:
'fraid not. Local administrators can take ownership of any file, and
any registry key. The owner of a file/reg key can change its
permissions. Always. No matter what. 

But because the scenario Edward describes is an Active Directory
Domain then he has additional tools at his disposal...

There exists a policy setting in \Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment\ This
security setting determines which users can take ownership of any
securable object in the system, including Active Directory objects,
files and folders, printers, registry keys, processes, and threads.

What if he removes local 'Administrators' group from having this right
and adds 'Domain Administrators' group (of which he is hopefully a
member) and then if he further applies permissions to the registry key
which applies to the above policy and removes the local administrator
and substitutes it for "domain administrators" then in theory it
should work Ricardo is suggesting?

AFAICS they could easily re-assign the "Take Ownership" privilege to
themselves, so this doesn't look like a solution to me. Plus, the
purpose of local administrators is the administration of the local
machine. That's why they *have* the privilege to take the ownership of
each file/object. Instead of revoking the privilege you should actually
ask yourself whether the members of the local administrators group
really need to be members of that group.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
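
Added example, not part of the original message or the list archive: a Python check that compares the intended holders of the "Take ownership" right (`SeTakeOwnershipPrivilege`) with what a host actually reports, which is where the re-assignment discussed in the thread would show up. It assumes the input is the text written by `secedit /export /cfg <file> /areas USER_RIGHTS`; the domain SID and both sample exports are constructed.

```python
# Added example: audit SeTakeOwnershipPrivilege in `secedit /export` output.
# The sample exports below are constructed, not taken from a real host.

ADMINS = "S-1-5-32-544"            # well-known SID of BUILTIN\Administrators
RIGHT = "SeTakeOwnershipPrivilege"

def privilege_rights(inf_text):
    """Parse the [Privilege Rights] section into {right: set(principals)}."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs as *S-1-..., account names without the star
            rights[name.strip()] = {p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(baseline_inf, current_inf, right=RIGHT):
    """Compare the intended holders of a right with the effective ones."""
    want = privilege_rights(baseline_inf).get(right, set())
    have = privilege_rights(current_inf).get(right, set())
    findings = []
    for p in sorted(have - want):
        findings.append(f"{right}: {p} holds the right but is not in the baseline")
    for p in sorted(want - have):
        findings.append(f"{right}: {p} is in the baseline but missing on the host")
    if ADMINS not in want:
        # The thread's point: revoking the right from local admins does not hold
        findings.append(f"{right}: baseline omits {ADMINS}; local admins can re-grant it")
    return findings

# Constructed baseline: the right is given to Domain Admins (RID 512) only
BASELINE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeTakeOwnershipPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-512
[Version]
signature="$CHICAGO$"
"""
# Constructed host state: local Administrators has been added back
CURRENT = BASELINE.replace("-512", "-512,*S-1-5-32-544")

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

Real exports are usually UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.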
