User Account Problems: Second asking.


Rob Naylor
April 22nd 03, 08:43 AM
Posted this a couple of days ago, but had no replies. It's still a problem,
and I can't see what we're doing wrong re permissions etc:

I have an administrator account and the rest of the family logs on as basic
users.

My son understandably doesn't want me to have the ability to poke around in
his files, so took ownership of his folders/files and changed access rules
to deny them to administrators. This was fine until he wanted to load some
of the legacy executable files he had loaded into these folders from his
backed up files off our old machine.
As a basic user he could not load these.

The first time he wanted to load software, he took off the "deny" option for
administrators on his folders, and we then switched accounts and I installed
the applications, which I'd previously been unable to see, for him. He then
put the "deny" administrator access back on from his own account. After
logging out, when he tried to log back in again, he was denied access to his
account.

Fortunately, we'd created a restore point, so got things back again quickly.

For the next attempt to load his applications, I temporarily made his
account an admin account. He allowed access to his folders to
administrators/everyone and loaded his required applications himself. He
then logged out, I logged in as administrator and reconfigured his account
to be a basic user only. At this stage administrators still had access to
his files (I checked that I could see his folders/run his applications from
my admin account). He then went back into his (once again basic user only)
account and once more set the permissions to deny access to administrators.

From what I can see, the situation should now have been exactly as it was
prior to loading the applications...ie, he has access to his account but I
can't see his folders when logged in as administrator. However, once
again, having logged out and tried to log back in, he finds that he can't
access his account.

However, if I leave myself logged in as administrator, and just switch
accounts, he can then access his account normally. As soon as I do a full
admin account logout, rather than a simple switch, his user account once
again becomes inaccessible.


Anyone have any ideas what is going wrong here? Am I missing something
obvious?

Rob

Walter Clayton
April 22nd 03, 10:45 PM
Assuming you're using standard MS security tools, there are a couple of
things you need to be aware of.

First, as an administrator you have access to all the data on the machine.
Yes, your son can go through the motions of thinking he has you locked out,
but you can easily gain access to the data. In fact you can set and reset
the permissions yourself without him having to do it.

Second thing is that if an individual user is part of multiple groups and
any of those groups have deny set, then deny takes precedence. Review the
groups that he's part of.

What I can't fathom is why access is granted in a multiple login scenario.
I'll have to play with it a bit when I have the time.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp
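
Walter's two points (a deny entry wins over any allow for a token that carries the denied group, and an administrator can still take ownership and rewrite the permissions), as an added example that is not part of the thread: a simplified Python model of the NTFS access check. The account SIDs and the `scenarios` helper are constructed for illustration; inheritance and other privileges are left out, and the model does not try to reproduce the login failure Rob describes.

```python
from dataclasses import dataclass

# Standard Windows access-right bit values.
FILE_READ_DATA = 0x00000001
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
FILE_ALL_ACCESS = 0x001F01FF

ADMINS = "S-1-5-32-544"          # BUILTIN Administrators (well-known SID)
USERS = "S-1-5-32-545"           # BUILTIN Users (well-known SID)
SON = "S-1-5-21-0-0-0-1001"      # constructed account SID
PARENT = "S-1-5-21-0-0-0-1002"   # constructed account SID


@dataclass(frozen=True)
class Ace:
    kind: str  # "deny" or "allow"
    sid: str
    mask: int


@dataclass
class Token:
    user: str
    groups: frozenset
    take_ownership: bool = False  # stands in for SeTakeOwnershipPrivilege

    def sids(self):
        return {self.user} | set(self.groups)


@dataclass
class Folder:
    owner: str
    dacl: list


def canonical(aces):
    """Deny ACEs before allow ACEs, the order the standard ACL editor writes."""
    return sorted(aces, key=lambda a: a.kind != "deny")


def access_check(token, folder, desired):
    """Return True only if every bit in `desired` ends up granted."""
    remaining = desired
    # The owner implicitly holds READ_CONTROL and WRITE_DAC.
    if folder.owner in token.sids():
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    # The take-ownership privilege grants WRITE_OWNER regardless of the DACL.
    if token.take_ownership:
        remaining &= ~WRITE_OWNER
    for ace in folder.dacl:
        if remaining == 0:
            break
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False  # a matching deny ends the walk
        else:
            remaining &= ~ace.mask
    return remaining == 0


def admin_reset(token, folder):
    """Take ownership, then replace the Administrators deny with an allow."""
    if not access_check(token, folder, WRITE_OWNER):
        return False
    folder.owner = token.user
    if not access_check(token, folder, WRITE_DAC):
        return False
    kept = [a for a in folder.dacl if not (a.kind == "deny" and a.sid == ADMINS)]
    folder.dacl = canonical(kept + [Ace("allow", ADMINS, FILE_ALL_ACCESS)])
    return True


def scenarios():
    """The folder as described in the thread: owned by the son, admins denied."""
    folder = Folder(owner=SON, dacl=canonical([
        Ace("allow", SON, FILE_ALL_ACCESS),
        Ace("deny", ADMINS, FILE_ALL_ACCESS),
    ]))
    son_basic = Token(SON, frozenset({USERS}))
    son_as_admin = Token(SON, frozenset({USERS, ADMINS}), take_ownership=True)
    parent = Token(PARENT, frozenset({USERS, ADMINS}), take_ownership=True)
    out = {
        "son_basic_read": access_check(son_basic, folder, FILE_READ_DATA),
        "son_as_admin_read": access_check(son_as_admin, folder, FILE_READ_DATA),
        "son_as_admin_write_dac": access_check(son_as_admin, folder, WRITE_DAC),
        "parent_read_before": access_check(parent, folder, FILE_READ_DATA),
        "parent_write_dac_before": access_check(parent, folder, WRITE_DAC),
    }
    out["parent_reset"] = admin_reset(parent, folder)
    out["parent_read_after"] = access_check(parent, folder, FILE_READ_DATA)
    out["son_basic_read_after"] = access_check(son_basic, folder, FILE_READ_DATA)
    out["owner_after"] = folder.owner
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

In this model the son's own allow entry does not help him while his token carries the Administrators group, and the owner field changes when the administrator resets the permissions.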

Rob Naylor
April 22nd 03, 11:50 PM
Walter,

Thanks for the input.

I know that, if he takes ownership and locks me out of his folders, that I
can reset the permissions myself (or I assumed I could, since I can in NT)
but I didn't think I could do it without him being aware of it (unless I'm
wrong on that point) if he's got ownership of his folders. That was the
main point...that he'd know if I *did* look.

He's only a member of the basic user group. No other groups, apart from the
brief time he had administrator privileges, but the access level was reset
since then. The way his account is currently set up, he's supposedly not
denied access to his folders, according to the security settings, though
administrators are.

The reality is that unless I have the admin account logged on, though
inactive, he can't even log into his own account, never mind access his
folders. As soon as I log into my admin a/c and then hit "switch users", he
can log in and see his folders.

Very puzzling. I don't really want to have an admin account "open" on the
system all the time, even though it required a password to activate it.
It's messy and it *can't* be the way the system's meant to operate.

Rob

Walter Clayton
April 23rd 03, 02:17 AM
Unless he's looking at the event log, as long as you reset the permissions,
he can't know. ;-)

OK. I just started a 12 hour download on my Pro machine (I just love being
bandwidth challenged), which is what I'll need to see if I can simulate
what's going on. If you're used to the NT security paradigm, then there's
not much difference with XP. Some of the tools may be different and how you
get there may be different, but otherwise the concept is the same.

Do things work otherwise correctly if the admin denial is removed?

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp

Rob Naylor
April 23rd 03, 08:25 AM
Walter,

Yes, if the admin denial is taken off, everything's fine.

Rob

"Walter Clayton" > wrote in message
...
> Unless he's looking at the event log as long as you reset the permissions,
> he can't know. ;-)
>
> OK. I just started a 12 hour download on my Pro machine (I just love being
> bandwidth challenged), which is what I'll need to see if I can simulate
> what's going on. If you're used to the NT security paradigm, then there's
> not much difference with XP. Some of the tools may be different and how
you
> get there may be different, but other wise the concept is the same.
>
> Do things work otherwise correctly if the admin denial is removed?
>
> --
> Walter Clayton - MS MVP(WinXP)
> Associate Expert
> http://www.microsoft.com/windowsxp/expertzone
> Any technology distinguishable from magic is insufficiently advanced.
> http://www.dts-l.org
> http://support.microsoft.com/servicedesks/fileversion/default.asp
>
>
> "Rob Naylor" wrote in message ...
> > Walter,
> >
> > Thanks for the input.
> >
> > I know that, if he takes ownership and locks me out of his folders, that I
> > can reset the permissions myself (or I assumed I could, since I can in NT)
> > but I didn't think I could do it without him being aware of it (unless I'm
> > wrong on that point) if he's got ownership of his folders. That was the
> > main point...that he'd know if I *did* look.
> >
> > He's only a member of the basic user group. No other groups, apart from the
> > brief time he had administrator privileges, but the access level was reset
> > since then. The way his account is currently set up, he's supposedly not
> > denied access to his folders, according to the security settings, though
> > administrators are.
> >
> > The reality is that unless I have the admin account logged on, though
> > inactive, he can't even log into his own account, never mind access his
> > folders. As soon as I log into my admin a/c and then hit "switch users", he
> > can log in and see his folders.
> >
> > Very puzzling. I don't really want to have an admin account "open" on the
> > system all the time, even though it required a password to activate it.
> > It's messy and it *can't* be the way the system's meant to operate.
> >
> > Rob
> >
> > "Walter Clayton" wrote in message ...
> > > Assuming you're using standard MS security tools, there is a couple of
> > > things you need be aware of.
> > >
> > > First, as an administrator you have access to all the data on the machine.
> > > Yes, your son can go through the motions of thinking he has you locked out,
> > > but you can easily gain access to the data. In fact you can set and reset
> > > the permissions yourself without him having to do it.
> > >
> > > Second thing is that if an individual user is part of multiple groups and
> > > any of those groups have deny set, then deny takes precedence. Review the
> > > groups that he's part of.
> > >
> > > What I can't fathom is why access is granted in a multiple login scenario.
> > > I'll have to play with a bit when I have the time.
> > >
> > > --
> > > Walter Clayton - MS MVP(WinXP)
> > > Associate Expert
> > > http://www.microsoft.com/windowsxp/expertzone
> > > Any technology distinguishable from magic is insufficiently advanced.
> > > http://www.dts-l.org
> > > http://support.microsoft.com/servicedesks/fileversion/default.asp
> > >
> > > "Rob Naylor" wrote in message ...
> > > > Posted this a couple of days ago, but had no replies. It's still a problem,
> > > > and I can't see what we're doing wrong re permissions etc:
> > > >
> > > > I have an administrator account and the rest of the family logs on as basic
> > > > users.
> > > >
> > > > My son understandably doesn't want me to have the ability to poke around in
> > > > his files, so took ownership of his folders/files and changed access rules
> > > > to deny them to administrators. This was fine until he wanted to load some
> > > > of the legacy executable files he had loaded into these folders from his
> > > > backed up files off our old machine.
> > > > As a basic user he could not load these.
> > > >
> > > > The first time he wanted to load software, he took off the "deny" option for
> > > > administrators on his folders, and we then switched accounts and I installed
> > > > the applications, which I'd previously been unable to see, for him. He then
> > > > put the "deny" administrator access back on from his own account. After
> > > > logging out, when he tried to log back in again, he was denied access to his
> > > > account.
> > > >
> > > > Fortunately, we'd created a restore point, so got things back again quickly.
> > > >
> > > > For the next attempt to load his applications, I temporarily made his account an
> > > > admin account. He allowed access to his folders to administrators/everyone
> > > > and loaded his required applications himself. He then logged out, I logged
> > > > in as administrator and reconfigured his account to be a basic user only.
> > > > At this stage administrators still had access to his files (I checked that I
> > > > could see his folders/run his applications from my admin account). He then
> > > > went back into his (once again basic user only) account and once more set
> > > > the permissions to deny access to administrators.
> > > >
> > > > From what I can see, the situation should now have been exactly as it was
> > > > prior to loading the applications...ie, he has access to his account but I
> > > > can't see his folders when logged in as administrator. However, once
> > > > again, having logged out and tried to log back in, he finds that he can't
> > > > access his account.
> > > >
> > > > However, if I leave myself logged in as administrator, and just switch
> > > > accounts, he can then access his account normally. As soon as I do a full
> > > > admin account logout, rather than a simple switch, his user account once
> > > > again becomes inaccessible.
> > > >
> > > > Anyone have any ideas what is going wrong here? Am I missing something
> > > > obvious?
> > > >
> > > > Rob

Walter Clayton
April 23rd 03, 08:37 PM
OK. I managed to reproduce. I have a solution, but no specific answers.

The problem is when admin is denied at the "Documents and settings\[user]"
level. Something within that hierarchy doesn't care for admin to be denied
and I didn't bother with checking which specific directory. Leaving
"Documents and Settings\[user]\My Documents" as admin denied is fine
however. Could be some of the other structures will behave as well, but
I've not pursued it. What I don't understand as well, is why having an admin
log on first then concurrently logging in the restricted user works. That's
just a wee bit confusing.

The difficult thing about chasing this down is the fact that a reboot is
required to validate things. I suspect there's something a bit strange
going on security wise with fast user switching, but I can't put a finger on
it.

Regardless the solution is to grant full admin rights to the "Documents and
Settings\[user]" hierarchy and to then apply that to all child objects via
the advanced button on the security tab. This basically puts you back to
square one, but you should then be able to deny admin on sub directories.

--
Walter Clayton - MS MVP(WinXP)
Associate Expert
http://www.microsoft.com/windowsxp/expertzone
Any technology distinguishable from magic is insufficiently advanced.
http://www.dts-l.org
http://support.microsoft.com/servicedesks/fileversion/default.asp


"Rob Naylor" wrote in message ...
> Walter,
>
> Yes, if the admin denial is taken off, everything's fine.
>
> Rob
>
> "Walter Clayton" wrote in message ...
> > Unless he's looking at the event log as long as you reset the permissions,
> > he can't know. ;-)
> >
> > OK. I just started a 12 hour download on my Pro machine (I just love being
> > bandwidth challenged), which is what I'll need to see if I can simulate
> > what's going on. If you're used to the NT security paradigm, then there's
> > not much difference with XP. Some of the tools may be different and how you
> > get there may be different, but otherwise the concept is the same.
> >
> > Do things work otherwise correctly if the admin denial is removed?
> >
> > --
> > Walter Clayton - MS MVP(WinXP)
> > Associate Expert
> > http://www.microsoft.com/windowsxp/expertzone
> > Any technology distinguishable from magic is insufficiently advanced.
> > http://www.dts-l.org
> > http://support.microsoft.com/servicedesks/fileversion/default.asp
> >
> > "Rob Naylor" wrote in message ...
> > > Walter,
> > >
> > > Thanks for the input.
> > >
> > > I know that, if he takes ownership and locks me out of his folders, that I
> > > can reset the permissions myself (or I assumed I could, since I can in NT)
> > > but I didn't think I could do it without him being aware of it (unless I'm
> > > wrong on that point) if he's got ownership of his folders. That was the
> > > main point...that he'd know if I *did* look.
> > >
> > > He's only a member of the basic user group. No other groups, apart from the
> > > brief time he had administrator privileges, but the access level was reset
> > > since then. The way his account is currently set up, he's supposedly not
> > > denied access to his folders, according to the security settings, though
> > > administrators are.
> > >
> > > The reality is that unless I have the admin account logged on, though
> > > inactive, he can't even log into his own account, never mind access his
> > > folders. As soon as I log into my admin a/c and then hit "switch users", he
> > > can log in and see his folders.
> > >
> > > Very puzzling. I don't really want to have an admin account "open" on the
> > > system all the time, even though it required a password to activate it.
> > > It's messy and it *can't* be the way the system's meant to operate.
> > >
> > > Rob
> > >
> > > "Walter Clayton" wrote in message ...
> > > > Assuming you're using standard MS security tools, there is a couple of
> > > > things you need be aware of.
> > > >
> > > > First, as an administrator you have access to all the data on the machine.
> > > > Yes, your son can go through the motions of thinking he has you locked out,
> > > > but you can easily gain access to the data. In fact you can set and reset
> > > > the permissions yourself without him having to do it.
> > > >
> > > > Second thing is that if an individual user is part of multiple groups and
> > > > any of those groups have deny set, then deny takes precedence. Review the
> > > > groups that he's part of.
> > > >
> > > > What I can't fathom is why access is granted in a multiple login scenario.
> > > > I'll have to play with a bit when I have the time.
> > > >
> > > > --
> > > > Walter Clayton - MS MVP(WinXP)
> > > > Associate Expert
> > > > http://www.microsoft.com/windowsxp/expertzone
> > > > Any technology distinguishable from magic is insufficiently advanced.
> > > > http://www.dts-l.org
> > > > http://support.microsoft.com/servicedesks/fileversion/default.asp
> > > >
> > > > "Rob Naylor" wrote in message ...
> > > > > Posted this a couple of days ago, but had no replies. It's still a problem,
> > > > > and I can't see what we're doing wrong re permissions etc:
> > > > >
> > > > > I have an administrator account and the rest of the family logs on as basic
> > > > > users.
> > > > >
> > > > > My son understandably doesn't want me to have the ability to poke around in
> > > > > his files, so took ownership of his folders/files and changed access rules
> > > > > to deny them to administrators. This was fine until he wanted to load some
> > > > > of the legacy executable files he had loaded into these folders from his
> > > > > backed up files off our old machine.
> > > > > As a basic user he could not load these.
> > > > >
> > > > > The first time he wanted to load software, he took off the "deny" option for
> > > > > administrators on his folders, and we then switched accounts and I installed
> > > > > the applications, which I'd previously been unable to see, for him. He then
> > > > > put the "deny" administrator access back on from his own account. After
> > > > > logging out, when he tried to log back in again, he was denied access to his
> > > > > account.
> > > > >
> > > > > Fortunately, we'd created a restore point, so got things back again quickly.
> > > > >
> > > > > For the next attempt to load his applications, I temporarily made his account an
> > > > > admin account. He allowed access to his folders to administrators/everyone
> > > > > and loaded his required applications himself. He then logged out, I logged
> > > > > in as administrator and reconfigured his account to be a basic user only.
> > > > > At this stage administrators still had access to his files (I checked that I
> > > > > could see his folders/run his applications from my admin account). He then
> > > > > went back into his (once again basic user only) account and once more set
> > > > > the permissions to deny access to administrators.
> > > > >
> > > > > From what I can see, the situation should now have been exactly as it was
> > > > > prior to loading the applications...ie, he has access to his account but I
> > > > > can't see his folders when logged in as administrator. However, once
> > > > > again, having logged out and tried to log back in, he finds that he can't
> > > > > access his account.
> > > > >
> > > > > However, if I leave myself logged in as administrator, and just switch
> > > > > accounts, he can then access his account normally. As soon as I do a full
> > > > > admin account logout, rather than a simple switch, his user account once
> > > > > again becomes inaccessible.
> > > > >
> > > > > Anyone have any ideas what is going wrong here? Am I missing something
> > > > > obvious?
> > > > >
> > > > > Rob
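
An added illustration, not part of any post in this thread: a small Python model of the NTFS access check behind the points made above (a deny entry on any of a user's groups wins, an explicit deny on a subfolder is evaluated before an allow inherited from the profile root, and an administrator can take ownership and then rewrite the permissions). The accounts `dad` and `son`, the reduced `FULL` mask and all function names are assumptions made for the example; the model does not reproduce or explain the logon failure itself.

```python
"""Toy model of the Windows (NTFS) DACL access check. Illustration only."""
from dataclasses import dataclass, field
from typing import Optional

# Access-right bits; values match the Windows SDK constants of the same name.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000    # right to edit the permission list
WRITE_OWNER = 0x00080000  # right to change the owner
# Reduced stand-in for "Full Control" (assumption: only the bits modelled here).
FULL = FILE_READ_DATA | FILE_WRITE_DATA | READ_CONTROL | WRITE_DAC | WRITE_OWNER
ADMINS = "Administrators"


@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # account or group name, standing in for a SID
    mask: int


@dataclass
class Token:
    user: str
    groups: frozenset
    privileges: frozenset = frozenset()


@dataclass
class Folder:
    owner: str
    explicit: list = field(default_factory=list)
    parent: Optional["Folder"] = None

    def dacl(self):
        """Canonical order: explicit deny, explicit allow, then inherited ACEs."""
        own = sorted(self.explicit, key=lambda a: a.kind != "deny")
        return own + (self.parent.dacl() if self.parent else [])


def access_check(token, folder, desired):
    """Return True if every bit in `desired` is granted to `token`."""
    remaining = desired
    if token.user == folder.owner:
        # The owner may always read and edit the permission list.
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if "SeTakeOwnershipPrivilege" in token.privileges:
        # The privilege grants WRITE_OWNER regardless of the DACL.
        remaining &= ~WRITE_OWNER
    if remaining == 0:
        return True
    sids = {token.user} | set(token.groups)
    for ace in folder.dacl():
        if ace.trustee not in sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False      # first matching deny ends the walk
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                  # bits nobody granted are refused


def thread_scenario():
    """Layout from the reply: admins allowed at the profile root, denied on My Documents."""
    # Administrators hold the take-ownership privilege by default.
    dad = Token("dad", frozenset({ADMINS, "Users"}),
                frozenset({"SeTakeOwnershipPrivilege"}))
    son = Token("son", frozenset({"Users"}))
    son_promoted = Token("son", frozenset({ADMINS, "Users"}))  # while temporarily an admin

    profile = Folder("son", [Ace("allow", "son", FULL), Ace("allow", ADMINS, FULL)])
    my_docs = Folder("son", [Ace("deny", ADMINS, FULL)], parent=profile)

    results = {
        "admin_reads_profile_root": access_check(dad, profile, FILE_READ_DATA),
        "admin_reads_my_documents": access_check(dad, my_docs, FILE_READ_DATA),
        "son_reads_my_documents": access_check(son, my_docs, FILE_READ_DATA),
        # Deny on a group applies to every member, including the promoted son.
        "promoted_son_reads_my_documents": access_check(son_promoted, my_docs, FILE_READ_DATA),
        "son_edits_permissions_as_owner": access_check(son, my_docs, WRITE_DAC),
        "admin_edits_permissions_before_takeover": access_check(dad, my_docs, WRITE_DAC),
        "admin_may_take_ownership": access_check(dad, my_docs, WRITE_OWNER),
    }
    # The administrator takes ownership, then as owner rewrites the DACL.
    my_docs.owner = "dad"
    results["admin_edits_permissions_after_takeover"] = access_check(dad, my_docs, WRITE_DAC)
    my_docs.explicit = []         # deny entry removed by the new owner
    results["admin_reads_after_reset"] = access_check(dad, my_docs, FILE_READ_DATA)
    return results


if __name__ == "__main__":
    for name, granted in thread_scenario().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The owner change in the last step is the kind of trace the son could notice afterwards, since the folder no longer lists him as owner unless it is set back.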

Rob Naylor
April 24th 03, 12:21 AM
Walter,

Thanks very much for spending the time running this down. I'll follow your
suggestions and take it from there.

Thanks again!

Rob

"Walter Clayton" wrote in message ...
> OK. I managed to reproduce. I have a solution, but no specific answers.
>
> The problem is when admin is denied at the "Documents and settings\[user]"
> level. Something within that hierarchy doesn't care for admin to be denied
> and I didn't bother with checking which specific directory. Leaving
> "Documents and Settings\[user]\My Documents" as admin denied is fine
> however. Could be some of the other structures will behave as well, but
> I've not pursued it. What I don't understand as well, is why having an admin
> log on first then concurrently logging in the restricted user works. That's
> just a wee bit confusing.
>
> The difficult thing about chasing this down is the fact that a reboot is
> required to validate things. I suspect there's something a bit strange
> going on security wise with fast user switching, but I can't put a finger on
> it.
>
> Regardless the solution is to grant full admin rights to the "Documents and
> Settings\[user]" hierarchy and to then apply that to all child objects via
> the advanced button on the security tab. This basically puts you back to
> square one, but you should then be able to deny admin on sub directories.
>
> --
> Walter Clayton - MS MVP(WinXP)
> Associate Expert
> http://www.microsoft.com/windowsxp/expertzone
> Any technology distinguishable from magic is insufficiently advanced.
> http://www.dts-l.org
> http://support.microsoft.com/servicedesks/fileversion/default.asp
>
> "Rob Naylor" wrote in message ...
> > Walter,
> >
> > Yes, if the admin denial is taken off, everything's fine.
> >
> > Rob
> >
> > "Walter Clayton" wrote in message ...
> > > Unless he's looking at the event log as long as you reset the permissions,
> > > he can't know. ;-)
> > >
> > > OK. I just started a 12 hour download on my Pro machine (I just love being
> > > bandwidth challenged), which is what I'll need to see if I can simulate
> > > what's going on. If you're used to the NT security paradigm, then there's
> > > not much difference with XP. Some of the tools may be different and how you
> > > get there may be different, but otherwise the concept is the same.
> > >
> > > Do things work otherwise correctly if the admin denial is removed?
> > >
> > > --
> > > Walter Clayton - MS MVP(WinXP)
> > > Associate Expert
> > > http://www.microsoft.com/windowsxp/expertzone
> > > Any technology distinguishable from magic is insufficiently advanced.
> > > http://www.dts-l.org
> > > http://support.microsoft.com/servicedesks/fileversion/default.asp
> > >
> > > "Rob Naylor" wrote in message ...
> > > > Walter,
> > > >
> > > > Thanks for the input.
> > > >
> > > > I know that, if he takes ownership and locks me out of his folders, that I
> > > > can reset the permissions myself (or I assumed I could, since I can in NT)
> > > > but I didn't think I could do it without him being aware of it (unless I'm
> > > > wrong on that point) if he's got ownership of his folders. That was the
> > > > main point...that he'd know if I *did* look.
> > > >
> > > > He's only a member of the basic user group. No other groups, apart from the
> > > > brief time he had administrator privileges, but the access level was reset
> > > > since then. The way his account is currently set up, he's supposedly not
> > > > denied access to his folders, according to the security settings, though
> > > > administrators are.
> > > >
> > > > The reality is that unless I have the admin account logged on, though
> > > > inactive, he can't even log into his own account, never mind access his
> > > > folders. As soon as I log into my admin a/c and then hit "switch users", he
> > > > can log in and see his folders.
> > > >
> > > > Very puzzling. I don't really want to have an admin account "open" on the
> > > > system all the time, even though it required a password to activate it.
> > > > It's messy and it *can't* be the way the system's meant to operate.
> > > >
> > > > Rob
> > > >
> > > > "Walter Clayton" > wrote in message
> > > > ...
> > > > > > Assuming you're using standard MS security tools, there is a
> > > > > > couple of things you need be aware of.
> > > > > >
> > > > > > First, as an administrator you have access to all the data on the
> > > > > > machine. Yes, your son can go through the motions of thinking he
> > > > > > has you locked out, but you can easily gain access to the data. In
> > > > > > fact you can set and reset the permissions yourself without him
> > > > > > having to do it.
> > > > > >
> > > > > > Second thing is that if an individual user is part of multiple
> > > > > > groups and any of those groups have deny set, then deny takes
> > > > > > precedent. Review the groups that he's part of.
> > > > > >
> > > > > > What I can't fathom is why access is granted in a multiple login
> > > > > > scenario. I'll have to play with a bit when I have the time.
> > > > > >
> > > > > > --
> > > > > > Walter Clayton - MS MVP(WinXP)
> > > > > > Associate Expert
> > > > > > http://www.microsoft.com/windowsxp/expertzone
> > > > > > Any technology distinguishable from magic is insufficiently advanced.
> > > > > http://www.dts-l.org
> > > > > http://support.microsoft.com/servicedesks/fileversion/default.asp
> > > > >
> > > > >
> > > > > "Rob Naylor" > wrote in message
> > > > > ...
> > > > > > > Posted this a couple of days ago, but had no replies. It's
> > > > > > > still a problem, and I can't see what we're doing wrong re
> > > > > > > permissions etc:
> > > > > > >
> > > > > > > I have an administrator account and the rest of the family logs
> > > > > > > on as basic users.
> > > > > > >
> > > > > > > My son understandably doesn't want me to have the ability to
> > > > > > > poke around in his files, so took ownership of his folders/files
> > > > > > > and changed access rules to deny them to administrators. This
> > > > > > > was fine until he wanted to load some of the legacy executable
> > > > > > > files he had loaded into these folders from his backed up files
> > > > > > > off our old machine.
> > > > > > > As a basic user he could not load these.
> > > > > > >
> > > > > > > The first time he wanted to load software, he took off the
> > > > > > > "deny" option for administrators on his folders, and we then
> > > > > > > switched accounts and I installed the applications, which I'd
> > > > > > > previously been unable to see, for him. He then put the "deny"
> > > > > > > administrator access back on from his own account. After
> > > > > > > logging out, when he tried to log back in again, he was denied
> > > > > > > access to his account.
> > > > > > >
> > > > > > > Fortunately, we'd created a restore point, so got things back
> > > > > > > again quickly.
> > > > > > >
> > > > > > > For the next attempt to load his applications, I temporarily
> > > > > > > made his account an admin account. He allowed access to his
> > > > > > > folders to administrators/everyone and loaded his required
> > > > > > > applications himself. He then logged out, I logged in as
> > > > > > > administrator and reconfigured his account to be a basic user
> > > > > > > only. At this stage administrators still had access to his
> > > > > > > files (I checked that I could see his folders/run his
> > > > > > > applications from my admin account). He then went back into his
> > > > > > > (once again basic user only) account and once more set the
> > > > > > > permissions to deny access to administrators.
> > > > > > >
> > > > > > > From what I can see, the situation should now have been exactly
> > > > > > > as it was prior to loading the applications...ie, he has access
> > > > > > > to his account but I can't see his folders when logged in as
> > > > > > > administrator. However, once again, having logged out and tried
> > > > > > > to log back in, he finds that he can't access his account.
> > > > > > >
> > > > > > > However, if I leave myself logged in as administrator, and just
> > > > > > > switch accounts, he can then access his account normally. As
> > > > > > > soon as I do a full admin account logout, rather than a simple
> > > > > > > switch, his user account once again becomes inaccessible.
> > > > > > >
> > > > > > >
> > > > > > > Anyone have any ideas what is going wrong here? Am I missing
> > > > > > > something obvious?
> > > > > >
> > > > > > Rob
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>

Rob Naylor
April 24th 03, 12:21 AM
Walter,

Thanks very much for spending the time running this down. I'll follow your
suggestions and take it from there.

Thanks again!

Rob

"Walter Clayton" > wrote in message
...
> OK. I managed to reproduce. I have a solution, but no specific answers.
>
> The problem is when admin is denied at the "Documents and settings\[user]"
> level. Something within that hierarchy doesn't care for admin to be denied
> and I didn't bother with checking which specific directory. Leaving
> "Documents and Settings\[user]\My Documents" as admin denied is fine
> however. Could be some of the other structures will behave as well, but
> I've not pursued it. What I don't understand as well, is why having an
> admin log on first then concurrently logging in the restricted user works.
> That's just a wee bit confusing.
>
> The difficult thing about chasing this down is the fact that a reboot is
> required to validate things. I suspect there's something a bit strange
> going on security wise with fast user switching, but I can't put a finger
> on it.
>
> Regardless the solution is to grant full admin rights to the "Documents
> and Settings\[user]" hierarchy and to then apply that to all child objects
> via the advanced button on the security tab. This basically puts you back
> to square one, but you should then be able to deny admin on sub directories.
>
> --
> Walter Clayton - MS MVP(WinXP)
> Associate Expert
> http://www.microsoft.com/windowsxp/expertzone
> Any technology distinguishable from magic is insufficiently advanced.
> http://www.dts-l.org
> http://support.microsoft.com/servicedesks/fileversion/default.asp
>
>
>
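
Added example, not part of the original thread: a simplified Python model of the two access rules Walter states in the quoted replies (a deny entry on any group in the user's token wins, and an administrator can always reset the permissions). The rights bits, account names and folder are constructed for illustration; the model does not cover the logon failure itself, which the thread leaves unexplained.

```python
from dataclasses import dataclass, field

# Simplified rights bits for this model; not the real Windows access-mask values.
READ, WRITE, WRITE_DAC = 1, 2, 4
FULL = READ | WRITE | WRITE_DAC

@dataclass(frozen=True)
class Ace:
    kind: str   # "deny" or "allow"
    sid: str    # account or group name standing in for a SID
    mask: int

@dataclass
class Folder:
    owner: str
    aces: list = field(default_factory=list)

def access_check(token, folder, desired):
    """True if every right in `desired` is granted to `token` (a set of SIDs)."""
    granted = WRITE_DAC if folder.owner in token else 0  # owner can always edit the ACL
    # Canonical order: deny entries are evaluated ahead of allow entries.
    for ace in sorted(folder.aces, key=lambda a: a.kind != "deny"):
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False  # one denied group is enough, whatever else is allowed
        if ace.kind == "allow":
            granted |= ace.mask
    return (desired & ~granted) == 0

def take_ownership(user, token, folder):
    """Administrators hold the take-ownership privilege by default."""
    if "Administrators" not in token:
        raise PermissionError("take-ownership privilege not held")
    folder.owner = user

def thread_scenario():
    """Constructed replay of the setup in the thread; returns each check's result."""
    folder = Folder("son", [Ace("allow", "son", FULL),
                            Ace("deny", "Administrators", FULL)])
    son, dad = {"son", "Users"}, {"dad", "Administrators"}
    out = {"son": access_check(son, folder, READ),
           "son_while_admin": access_check(son | {"Administrators"}, folder, READ),
           "dad": access_check(dad, folder, READ)}
    take_ownership("dad", dad, folder)          # no cooperation from the son needed
    out["dad_can_edit_acl"] = access_check(dad, folder, WRITE_DAC)
    folder.aces = [Ace("allow", "son", FULL), Ace("allow", "Administrators", FULL)]
    out["dad_after_reset"] = access_check(dad, folder, READ)
    return out

if __name__ == "__main__":
    print(thread_scenario())
```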
