On Mon, Sep 8, 2008 at 10:44 AM, <[EMAIL PROTECTED]> wrote:
>
> "Kurt Buff" <[EMAIL PROTECTED]> wrote on 09/08/2008 01:21:20 PM:
>
>> On Mon, Sep 8, 2008 at 7:57 AM, <[EMAIL PROTECTED]> wrote:
>> >
>> > KenM <[EMAIL PROTECTED]> wrote on 09/05/2008 09:32:53 PM:
>> >
>> >> Also, why are you taking ownership? If these folders were created
>> >> using the user's home drive path in ADUC then the local admins should
>> >> have access and you can just run the script as a user who is in
>> >> the local admins group.
>> >
>> > Well, no. The only accounts with access (usually) are the user. Local
>> > admins removed from security at upper level (i.e., E:\Users), and no
>> > inheritance for sub-folders specified. Otherwise, anyone who is a local
>> > admin (such as a Domain Admin) could access any files, and that's a
>> > No-No. :-)
>>
>> Nice script!
>
> Thanks!
>
>> However, it's futile to try to deny access to local/domain admins -
>> they can get at it anyway, and it just makes administering that much
>> harder.
>
> That's what I think. But then, I only work here. :-) This way, taking
> ownership shows up in the log, so there's a record. And if there is no log,
> that, too, is a clue.
>
>> I set up home drives with local administrators full control,
>> the individual user with change control, and let it go. Life is much
>> simpler that way.
>
> That's how I had it at my old place, yes.

You don't need to take ownership to get at the files - all you need is
backup/restore privileges, or to log on locally and open a command
prompt in the system context. Local administrators can do either or
both of those.

Kurt
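
An added example, not part of the original thread: the reply above notes that backup/restore privileges reach files without an ownership change, so an ownership-change log entry alone does not cover that path. One way to see which accounts hold those rights (plus take-ownership) on the file server is to export the local user-rights assignment with `secedit` and resolve the SIDs. The temp file name is an assumption; run it from an elevated prompt.

```powershell
# Added example: list the accounts holding user rights that let them reach
# files regardless of the NTFS ACL on a home folder.
$rights = 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
$cfg = Join-Path $env:TEMP 'user_rights.inf'   # assumed scratch file name

# Export only the user-rights section of the effective local security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

try {
    foreach ($line in Get-Content $cfg) {
        # Lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $holders = $Matches[2]
        if ($rights -notcontains $right) { continue }

        foreach ($entry in $holders.Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $name = $entry
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; translate to DOMAIN\name.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sid.Value }   # unresolvable SID: show it raw
            }
            New-Object PSObject -Property @{ Right = $right; Holder = $name }
        }
    }
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

Group entries such as `BUILTIN\Administrators` or `BUILTIN\Backup Operators` still need their membership expanded to see the individual accounts.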
