Thread: Permissions

  1. #1
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828

    Permissions

    I don't have a box available to test this at the moment. Is it possible to make one user a Restricted User and another a Standard User and have the Standard User log on and change the Restricted User to an Administrator?

    --WIN2K

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    Are all the patches there?

    What rights does the "standard user" have?

    I saw a post on this site about a vulnerability in Black Ice

    My gut feel is that you would have to elevate standard user to administrator first?

    Cheers

  3. #3
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    I set some users as a POWER USER and that is where this discussion arose. Someone told me they found something written that said a POWER USER can change a USER's PERMISSIONS which means a POWER USER could make a USER into an ADMINISTRATOR.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Sorry mate, I did not catch on at first.

    A "power user" is almost at administrator level and would be able to grant LOCAL administrator rights (depending on what was granted to "power user"). This would not give him system administrator rights.

    Where the problem might arise is if you only have one administrators group? and you make power user a member? Windows assumes the highest possible authority, so that makes "power user" system administrator, and he can elevate others by adding them to the group?

    Does that help?

    EDIT: You need to see what the authorities for power user are on your system and change them to suit you.

  5. #5
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    A Power User cannot do this. First, the Users and Groups control panel applet is only accessible to users in the Administrator group.

    Second, a Power User can add an account using Control Userpasswords2, but cannot make the user a member of a group higher than Power Users.

    Without executing some type of exploit against an application or service, Power Users cannot make Administrator privileged users.

    EDIT: nihil, you're too fast! That's right....If the Power User in question was a member of the Administrator Group, he would now (for all intents and purposes) be an Administrator.

    Permissions are usually applied from the Top down, meaning Group permissions, then User permissions, then directory and file permissions, with the most restrictive permission being the effective one, but members of the Administrators Group are an exception, as they always have full access, regardless of the settings of any other permission type.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  6. #6
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    I was thinking the same thing. If anything it could give lower priv up to equal but no more than current.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    576869746568617 and I are saying the same thing..............he is coming from the properly structured environment, I am coming from the badly structured one.

    Yes, within the "rules" you cannot elevate anyone above yourself, I guess that has been true since NT4.0 SP3?

    The common mistake is to make a power user an administrator as 576869746568617 said.

    Like I said, Windows will grant you the highest possible authority through "inheritance".....seem to remember that word from one of their technical documents years ago

    So long as you set a proper "top down" structure, you should be OK

    Cheers
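
Added example, not part of the thread: a check for the misconfiguration discussed above, where an account in Power Users is also a member of Administrators. It parses the text printed by `net localgroup <group>`; the function names, the `approved` list and the sample output are constructed for illustration, and English-language command output is assumed.

```python
# Added example (constructed samples; assumes English `net localgroup` output).
ADMINS_SAMPLE = """\
Alias name     Administrators
Comment        (constructed sample)

Members

-------------------------------------------------------------------------------
Administrator
jdoe
The command completed successfully.
"""

POWER_SAMPLE = """\
Alias name     Power Users
Comment        (constructed sample)

Members

-------------------------------------------------------------------------------
JDoe
msmith
The command completed successfully.
"""

def parse_members(output):
    """Return the member names listed in `net localgroup <group>` output."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):        # dashed rule precedes the members
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(admins_out, power_out, approved):
    """Flag Power Users who are also Administrators, and unapproved admins."""
    # Windows account names are case-insensitive, so compare in lowercase.
    admins = {m.lower(): m for m in parse_members(admins_out)}
    power = {m.lower(): m for m in parse_members(power_out)}
    ok = {a.lower() for a in approved}
    return {
        "both": sorted(power[k] for k in power if k in admins),
        "unapproved_admins": sorted(admins[k] for k in admins if k not in ok),
    }

if __name__ == "__main__":
    print(audit(ADMINS_SAMPLE, POWER_SAMPLE, approved={"Administrator"}))
```

Feed it the saved output of `net localgroup Administrators` and `net localgroup "Power Users"` from the machine being reviewed; any name under `both` should be removed from one of the two groups.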
