Re: Windows System Restore



Carsten Krueger wrote:

Microsoft itself advises against this change,

Where, please?

"Threats and Countermeasures: Security Settings in Windows Server 2003
and Windows XP (v2, but already in v1 as well)", the definitive
reference for Group Policy

| System objects: Default owner for objects created by members of the
| Administrators group
| [...]
| Vulnerability
| If you configure this policy setting to Administrators group, it will
| be impossible to hold individuals accountable for the creation of new
| system objects.
|
| Countermeasure
| Configure the System objects: Default owner for objects created by
| members of the Administrators group setting to Object creator.
|
| Potential Impact
| When system objects are created, the ownership will reflect which
| account created the object instead of the more generic Administrators
| group. A consequence of this policy setting is that objects will
| become orphaned when user accounts are deleted. [...] This potential
| burden can be minimized if you can ensure that Full Control is always
| assigned to new objects for a domain group such as Domain Admins.

Because by doing that you mess up permissions.

Nope.

Yes, you do. A file that the admin creates is attributed to all admins.
That is semantically wrong.


What about files that should belong only to the admin, but not to the
system?

Set the owner to "User"

Isn't that exactly the problem one wanted to avoid with this?

In contrast to system files, which should belong to the system (and thus
to the "Administrators" group), but not directly to the admin?

That's nonsense.

For quotas, apparently not.

What about multiple admins?

Also no problem, each admin can do whatever he likes in his directory
(and, if he is malicious, everywhere).

Domain Admin vs. Local Admin

The only real problem is what happens when one of several admin
accounts is removed.

Exactly

see above