- Administer windows server 2008 pdf files
- Administrative tasks using PowerShell cmdlets
- Download: Windows Server 2008 Administration Fundamentals Lectures.pdf
- How to Reset Windows Server 2008 Domain Admin Password
- 11 Replies
- Configuring Windows Server 2008 R2 File Sharing
- Subscribe to RSS
- Administer a Server Core server
- Publisher's Description
Administer windows server 2008 pdf files
At this point I thought that Administrator should still have access and "no one" doesn't apply to me :. After answering OK, I lost all control over the permissions window and got "Access denied" message. The only option was to take ownership and put back Administrator with Full Control. Is there a Linux root equivalent in Windows that can have access to a file without granting full control?
If not, is the only option to administrate files in Windows is to give Administrator Full Control to ALL files I'm excluding the take ownership option as not practical? Unless your Administrator user has permissions to perform an action on a file either explicitly, or through group membership , he will not be able to perform the action on the file.
An administrative user will always be able to take ownership of a file, and change permissions that way. It's not especially clear what you mean by this, but in general, if you want a user to administer a file or folder, yeah, they need to have the filesystem permissions to do so. You could make sysadmins use plain User accounts and give them accounts with Administrator access when they need to do administrative tasks like assign permissions.
The security dialogs all support UAC now, after all. However, elevation through impersonation is not easy or practical in every environment or situation, and there are still oddball tasks that make administrator-through-elevation-prompt-only difficult at best.
Most third party vendors, IMX, still require full Administrator rights to the systems that their software is installed on because developers hate documenting what security they need and vendor technicians hate having to deal with security on a system they won't manage. EXE tasks.
Administrative tasks using PowerShell cmdlets
Again, they do this because the developers don't want to document or maintain documentation for what permissions their program actually needs, not because they actually need SYSTEM access.
Only SYSTEM has access to the files that store the security databases, even though those passwords are stored encrypted. It's far more permissions than they need. As you discovered, it's possible with NTFS to have folders or files for which no ACE exists, and therefore no account can access the file or folder, including SYSTEM although the system is always allowed to still enumerate the item, the ACL, and the owner, just not any contents or children of the object.
The file or folder owner is the only means to restore access in this state. It's not practical not to use Full Control. You need to assign the Administrators group Full Control to what they need to administer because Full Control grants the Change Permissions permission. You could try to figure out what permissions you need to manage an entire folder using just the components, but you'll quickly find you'll have to basically grant Full Control to be able to do any real administration anyways.
Unlike chown , you can only assign ownership to yourself or to the Administrators group.
Download: Windows Server 2008 Administration Fundamentals Lectures.pdf
Depending on how your backup software works, however, you might need a script to take control of files on your file servers. Also note that Administrators have Take Ownership on the root folder of every disk in the system.
How to Reset Windows Server 2008 Domain Admin Password
You're not actually preventing a malicious member of the group from doing anything. They already have the keys to the kingdom, as it were. It's not defense in depth because there's no actual additional security mechanism.
You just have to ask for ownership and you get it. Home Questions Tags Users Unanswered.
Asked 4 years, 11 months ago. Active 4 years, 11 months ago.
Viewed 2k times. This is what I did on my Windows r2 Logged in as Administrator UAC is disabled for a test sake Select a folder Edit Advanced Permissions Uncheck"Include inheritable permissions" and click on Remove button to remove inheritable permissions Got a message "No one will be able to access the folder except for the owner". At this point I thought that Administrator should still have access and "no one" doesn't apply to me : After answering OK, I lost all control over the permissions window and got "Access denied" message.
HopelessN00b Bibi Bibi 63 1 1 silver badge 6 6 bronze badges. HopelessN00b HopelessN00b Thanks for a quick response.
Configuring Windows Server 2008 R2 File Sharing
Is that the best practice? Bibi No.
An administrator can always take ownership of a file or folder and get full control permissions that way. Sorry I'm new to this So I will need to take ownership change permissions and then change owner back to the original owner? To add to this the original owner will not be able to use the files while I'm doing it. Bibi Changing the owner back is optional, but generally a good idea, yes.
Actually it more than that if I understand it correctly. To set permissions I will need to: 1. Take ownership 2. Assign Full Control to Administrators 3. Set permissions 4. Bacon Bits Bacon Bits 1, 1 1 gold badge 9 9 silver badges 8 8 bronze badges. Thanks for the quick response Are you saying that the best practice would be to remove Administrators Full Control and use take ownership when needed to set permissions or administer the file in any other way?
Subscribe to RSS
Or would you rather say setting Administrators Full Control at the drive level and inheriting from it is the best practice? Bibi The latter. The best practice option is to have sysadmins have two accounts: one in Users that they log in with and use normally, and one in Administrators that they elevate to as needed. It's putting hoops up that are harder to jump through than sudo or su , so many locations have sysadmins log in as Admins and rely on UAC as much as possible.
Bibi I guess my question would be: what are you trying to accomplish by removing Full Control? Are you trying to prevent casual privacy violations?
Do you have non-sysadmins with Administrator permissions? Or are you just trying to administer Windows like it was Linux? Because there's a lot of philosophical differences that resulted in design differences between the platforms, so not every practice is portable. It's perfectly possible to secure Windows, but you don't necessarily do it by copying what you do on Linux.
Administer a Server Core server
I mentioned Linux root specifically regarding permissions handling. Since this is a different question already I started a new thread here serverfault. Sign up or log in Sign up using Google. Sign up using Facebook.
Sign up using Email and Password. Post as a guest Name. Email Required, but never shown.