What about SeBackupPrivilege (because that ignores File ACLs - I can just use 
NTBackup to make a backup of cacls.exe and restore it somewhere)?

Cheers
Ken

From: James Rankin [mailto:[email protected]]
Sent: Friday, 24 April 2009 5:22 PM
To: NT System Admin Issues
Subject: Re: Restricted groups, where have you been....

Good point. SeTakeOwnershipPrivilege is now about to be removed.

You probably are right; it would have been easier to configure at the 
perimeter...but that is managed by my boss and I don't trust him to do it 
properly and/or not reverse it accidentally or deliberately.

2009/4/24 Ken Schaefer <[email protected]>
Now that it is out there, then it's relatively easy to look them up.

But in James' case, I can just bring my own copy of cacls.exe (or have a 
scheduled job to make a copy of the existing one) and unless 
SeTakeOwnershipPrivilege is removed from the Administrators group I can then 
get permissions back to everything that he's just removed.

If the purpose was to block internet access, then I think it would have been 
easier to just configure this on the outbound proxy or router or firewall or 
whatever device that's in place there.

Cheers
Ken
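
As an added example (not part of the thread), here is a PowerShell audit script 
that checks whether the local Administrators group still holds the privileges 
Ken names (SeTakeOwnershipPrivilege, SeBackupPrivilege, plus SeRestorePrivilege), 
which make NTFS ACLs on tools like cacls.exe ineffective for their holders. It 
assumes an elevated session with secedit available; the temp file name is an 
arbitrary choice.

```powershell
# Added example, not code from the thread. Audits the effective local user
# rights for the privileges that let a holder ignore file ACLs, so an
# ACL-based lockdown (like the one James describes) can be checked for gaps.
$bypassPrivs = @{
    'SeTakeOwnershipPrivilege' = 'can take ownership and regrant Full Control'
    'SeBackupPrivilege'        = 'reads any file regardless of ACL (backup semantics)'
    'SeRestorePrivilege'       = 'writes any file regardless of ACL (restore semantics)'
}
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Export the effective local policy; user rights live under [Privilege Rights].
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # temp path is an assumption
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated session" }

# Exported lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
# A privilege assigned to nobody simply has no line in the export.
$rights = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
        $rights[$matches[1]] = ($matches[2] -split ',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -Force

# Report each ACL-bypassing privilege that Administrators still hold.
foreach ($priv in $bypassPrivs.Keys) {
    $holders = if ($rights.ContainsKey($priv)) { $rights[$priv] } else { @() }
    if ($holders -contains $adminsSid) {
        Write-Warning "$priv is still granted to Administrators: $($bypassPrivs[$priv])"
    } else {
        Write-Output "$priv is not granted to Administrators"
    }
}
```

A GPO that removes only SeTakeOwnershipPrivilege will leave the other two 
warnings in place, which is exactly the gap Ken's follow-up points at.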

________________________________
From: Free, Bob [[email protected]]
Sent: Friday, 24 April 2009 2:18 AM

To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

Before Russinovich blogged it you at least had to have a bit of a clue about 
GPOs to defeat them, now it is trivial...relatively

From: Ken Schaefer [mailto:[email protected]]
Sent: Thursday, April 23, 2009 12:26 AM
To: NT System Admin Issues
Subject: RE: Restricted groups, where have you been....

If they are administrators, they can defeat GPOs given sufficient knowledge...

Cheers
Ken

________________________________
From: James Rankin [[email protected]]
Sent: Thursday, 23 April 2009 5:12 PM
To: NT System Admin Issues
Subject: Re: Restricted groups, where have you been....

For those who can remember the NT4 days, GPOs as a whole are an awesome admin 
tool. When I managed an NT4 network with 10,000 users I actually had batch 
scripts running overnight that reset the user rights on all DCs and member 
servers, checked the local group memberships and altered them back to a default 
if they'd changed. Group Policy finally made my life easy.

I just recently implemented a group policy that blocks internet access on our 
few scanning workstations even though the users are admins...a combination of a 
false proxy and restrictive file permissions on inetcpl.cpl, regedit, reg.exe, 
rshx32.dll and cacls.exe has done the trick. Power is great!!!!

2009/4/22 David Lum <[email protected]>

...all my life! We are just getting to use this feature and it's DA BOMB! Being 
able to add users to local groups w/out affecting the existing memberships is 
awesome!
We are narrowing down how many Domain Admins we have and this feature is 
*hugely* helpful in delegating to non domain admins.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764