I don't have a box available to test this at the moment. Is it possible to make one user a Restricted User and another a Standard User and have the Standard User log on and change the Restricted User to an Administator?
--WIN2K
Printable View
I don't have a box available to test this at the moment. Is it possible to make one user a Restricted User and another a Standard User and have the Standard User log on and change the Restricted User to an Administator?
--WIN2K
Hi,
Are all the patches there?
What rights does the "standard user" have?
I saw a post on this site about a vulnerability in Black Ice
My gut feel is that you would have to elevate standard user to administrator first?
Cheers
I set some users as a POWER USER and that is where this discussion arose. Someone told me they found something written that said a POWER USER can change a USER's PERMISSIONS which means a POWER USER could make a USER into an ADMINISTRATOR.
Sorry mate, I did not catch on at first.
A "power user" is almost at administrator level and would be able to grant LOCAL administrator rights (depending on what was granted to "power user") This would not give him system administrator rights.
Where the problem might arise is if you only have one administrators group? and you make power user a member?.Windows assumes the highest possible authority, so that makes "power user" system administrator, and he can elevate others by adding them to the group?
Does that help?
EDIT: You need to see what the authorities for power user are on your system and change therm to suit you.
A Power User cannot do this. First, the Users and Groups control panel applet is only accessable to users in the Administrator group.
Second, a Power User can add an account using Control Userpasswords2, but cannot make the user a member of a group higher than Power Users.
Without executing some type of exploit against an application or service, Power Users cannot make Administrator privelaged users.
EDIT: nihil, your too fast! That's right....If the Power User in question was a member of the Administrator Group, he would now (for all intents and purposes) be an Administrator.
Permissions are usually applied from the Top down, meaning Group permissions, then User permissions, then directory and file permissions, with the most restrictive permission being the effective one, but members of the Administrators Group are an exception, as they always have full access, regardless of the settings of any other permission type.
I was thinking the same thing. If anything it could give lower priv up to equal but no more than current.
576869746568617 and I are saying the same thing..............he is coming from the properly structured environment, I am coming from the badly structured one.
Yes, within the "rules" you cannot elevate anyone above yourself, I guess that has been true since NT4.0 SP3?
The common mistake is to make a power user an administrator as 576869746568617 said.
Like I said, Windows will grant you the highest possible authority through "inheritance".....seem to remember that word from one of their technical documents years ago :)
So long as you set a proper "top down" structure, you should be OK
Cheers