Umm... In the default install NTFS permissions are set up via GROUP ACEs instead of the individual ACE for the local administrator account. If you look at the NTFS permissions on %systemroot%\system32 you will see permissions only for GROUPS, not individual accounts (e.g. "Administrators, Creator Owner, Power Users, System, Users").

Also remember that the ACE is actually a stamp with the SID of the group or user. The GUI and OS actually do the translation of the SID to the friendly display name. For example the well known SID of the local administrator account is S-1-5-<domain/workstation SID>-500. (See http://support.microsoft.com/?kbid=243330) The actual display name of the account is irrelevant except for us humans; the OS will translate that display name or login name to the SID when checking permissions. When you rename the local administrator account nothing happens except for changing the effective display name and the name that us humans use to log in with. The SID still stays the same and all of the permissions are the same.

So for your questions...

1. IF you have ACL'd things with the actual Admin account instead of groups, what is displayed to the user in the GUI is the display name of the Admin account. If you have renamed the Admin account then the renamed display name is what is shown (e.g. "Administrator" => "Admin").

2. What are you asking here?? If as an admin you want to permission the local Admin account to the folder then this is a "bad idea". Use groups instead of individual accounts. If you actually need to do this then what you will pick in the GUI is the renamed admin account (e.g. "Admin").

-Stuart Fuller

-----Original Message-----
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 22, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs. Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC): Full Control for Local Admin, Domain Admin and System. Modify for Everyone (At least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH

-------------------------------------------------
Rocky Habeeb
Microsoft Systems Administrator
-------------------------------------------------
James W. Sewall Company
Old Town, Maine
-------------------------------------------------
207.827.4456
habr @ jws.com
www.jws.com
-------------------------------------------------

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
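
An added example, not part of the original thread: a PowerShell check showing that NTFS ACEs are stored as SIDs and only translated to names for display, and that the built-in administrator is found by its RID of 500 whatever it has been renamed to. It assumes Windows PowerShell 5.1 or later (for Get-LocalUser) on a workstation or member server; the $Path value is an assumption and can be any NTFS folder.

```powershell
# Added example: ACEs reference SIDs, names are only a display translation.
# $Path is an assumed target; substitute any NTFS file or folder.
$Path = "$env:SystemRoot\System32"

# Locate the built-in local Administrator by its well-known RID (500),
# independent of whatever name the account currently carries.
$builtinAdmin = Get-LocalUser |
    Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
"Built-in administrator is currently named '{0}' ({1})" -f `
    $builtinAdmin.Name, $builtinAdmin.SID.Value

# Ask for the access rules with identities as raw SIDs (what NTFS stores),
# then translate each SID to the name the GUI would show.
$acl   = Get-Acl -Path $Path
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved SID>'   # e.g. an ACE left behind by a deleted account
    }
    [pscustomobject]@{
        Sid            = $sid.Value
        DisplayName    = $name
        Rights         = $rule.FileSystemRights
        Type           = $rule.AccessControlType
        Inherited      = $rule.IsInherited
        # True when an ACE names the individual admin account rather than a group
        DirectAdminAce = ($sid.Value -eq $builtinAdmin.SID.Value)
    }
}

$report | Format-Table -AutoSize

# Rows with DirectAdminAce = True are individual-account ACEs of the kind
# the reply above recommends replacing with group ACEs.
$report | Where-Object DirectAdminAce
```

Running it before and after renaming the account gives the same Sid column; only DisplayName changes.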
