
"access denied" but I'm the admin! (win2k3)

Red Squirrel

No Lifer
Why is it that in windows if admin does not have access to a folder it denies access. Admin should be able to access anything regardless. At least that's how it works in Linux and it makes sense... root can access everything.

Is there any way around this without screwing with the permissions? I am trying to access data on our data server under a different user's folder. If I change ownership and do other stuff like that I might break everything, so I want to try to avoid that.
 
No, ACLs are enforced regardless of who you are. Don't touch any ownership, you can easily add ACEs to an ACL without affecting the current permissions so I don't see the problem.
 
ACLs are always applied; there are many environments where Admins should not have access to everything. FYI, if you do not have any access to a file as an admin, you cannot add permissions for yourself; without full permission you cannot change the securities on the file (other than taking ownership). You either need to have someone with access add you, or take ownership of the file. You should make absolutely sure that you are allowed to access that data before you take ownership of the file. Also, when you take ownership, it has been my experience that all the ACLs are removed, and afterwards only the user who took ownership has access, so you would remove the user's access to the folder and you don't know what was there before to restore it.

The best answer to this question is to ask for the data from a user who has permission to access it. There are two possibilities: either you are not supposed to have this data and the permissions are there for a reason, or you should have access, the permissions are not right, and the user with access should be able to grant you access.
 

Unfortunately that is all well and good, but in many cases "administrator" does need access purely to be able to do the job. I used to have users that loved to do this until one of them lost 3 years of work because they had removed "admin" + "system" etc and the backup software operating as "SYSTEM" with "admin" as a backup access method wasn't able to back their crap up. Since then I have removed 'full control' from nearly every account that is not admin level at the share level, basically blocking 99% of the users from the get go. Certain users can gain access after I have a little sit down. It isn't so much that I need to read that info or want to edit it, more that I am responsible to make sure it is backed up and maintained. If certain admins are blocked then they should not be running at the "admin" level anyway and should be using "administrative" accounts more on the level they need access. However the "top dog" should have everything (but rarely used).

I have had lots of systems act strange based on ACLs because a user decided they wanted to "block the admin." Things like DFS-R will not replicate files that it can access, for example. Backups won't back up. In many cases antivirus can't scan, etc.
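As an added example (not code from the thread or any poster), a PowerShell check for the two points raised above: it lists folders under a share where Administrators or SYSTEM have no Allow ACE (the "block the admin" cases that break backups, DFS-R and AV scanning), and it shows the icacls /save snapshot to take before anyone takes ownership, since the earlier post notes the original ACL may be lost. It assumes PowerShell and icacls are available on the box; $Root and the SomeUser folder are placeholders.

```powershell
# Added example: audit a share for folders that lock out Administrators/SYSTEM,
# and snapshot a folder's DACLs before a takeown so they can be restored.
# Assumes PowerShell + icacls are present; $Root is a placeholder share root.
param([string]$Root = 'D:\Data')

# Identities that backup, DFS-R and AV typically run as or fall back to.
$required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-FoldersMissingAdminAccess {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.PSIsContainer } |
      ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) {
            # Could not even read the security descriptor (READ_CONTROL denied).
            New-Object PSObject -Property @{ Path = $_.FullName; Missing = 'READ_CONTROL denied' }
            return
        }
        # Identities that hold at least one Allow ACE on this folder.
        $present = $acl.Access |
          Where-Object { $_.AccessControlType -eq 'Allow' } |
          ForEach-Object { $_.IdentityReference.Value }
        $missing = $required | Where-Object { $present -notcontains $_ }
        if ($missing) {
            New-Object PSObject -Property @{ Path = $_.FullName; Missing = ($missing -join ', ') }
        }
      }
}

# 1. Report folders where the admin/SYSTEM ACEs were removed.
Get-FoldersMissingAdminAccess -Path $Root | Format-Table Path, Missing -AutoSize

# 2. Before taking ownership of one folder, save its DACLs. icacls /save records
#    paths relative to the current directory, so run it from the share root and
#    pass the folder by its relative name; /restore is then run against $Root.
$backup = Join-Path $env:TEMP 'acl-backup.txt'
Push-Location $Root
icacls 'SomeUser' /save $backup /t /c      # SomeUser is a placeholder folder
Pop-Location

# Ownership step (deliberately left commented): /A gives ownership to the
# Administrators group rather than the individual account that ran it.
# takeown /F (Join-Path $Root 'SomeUser') /A /R /D Y

# 3. Undo: put the saved DACLs back exactly as they were.
# icacls $Root /restore $backup /c
```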
 

This depends on the company, their policies, and the setup. Our users do not have the ability to remove admin access from files we can access. It seems like you learned to remove this as well. The people before me set that up before we learned that lesson the hard way. I cannot think of a good reason for a user to be able to edit their own file permissions, unless they were a technical person with a good understanding of the infrastructure. Changes to things like permissions should only be made by people who have a good business reason, and know what it means when they make the changes. But, at the same time, it needs to be possible to restrict administrator access. (Even though completely preventing admin access is not possible through ACLs, I think encryption can do it, but no user wants to risk us not being able to restore their data.)

There are two things I can think of that I should not have access to, one is EPHI, which is protected by HIPAA. I know I could access those files, but the ACL prevents casual admin access. The other might be financial data that is protected by SARBOX, I don't know the rules on that I just know the servers need to be locked down tight and I doubt the government regulations just trust the IT team to behave.

I ended up removing this from my original post, but the settings that prevent his access are one of two things, intentional or unintentional. Therefore, he should check with the owner of that information if he should have access. If he just goes ahead and forces his way past the settings that are preventing access, he is assuming that those settings are there incorrectly. If he is wrong it could be a big problem, depending on the type of data accessed.
 

Good point. That is why I run day to day in a user account; for certain admin functions I run as "imagoonadmin" and try to avoid using "administrator" for most stuff. I was required to become HIPAA "certified" and also am audited by Sarbanes. Much of this stems from me handling the iSeries and the like also. It generally is a pain for me to do my job without elevating myself in many cases. On the iSeries I need to be *SECOFR to be able to do a RSTLIB or SAVLIB to the financial systems, for example. However as a compromise we disabled the admin accounts (that *SECOFRs use) in Edwards itself and reassigned them to another admin that has limited physical system access. Of course that doesn't represent a ton because *SECOFR can simply add himself, but it is much like "taking ownership" and would appear all over the logs, and attempts to clear them would cause unexplainable gaps.
 