Multiple OSes - Admin account
| Riverwind6 2002-12-22, 6:17 pm |
| Hi guys,
10 minutes ago I was playing with my test computer which has a win2000 DC on one partition, a 2k standalone server on another partition and a 2k pro on yet another partition.
I was in 2k Pro and was browsing through Windows Explorer (I had time to kill). I then decided to try deleting the SYSVOL folder of my 2K DC and it worked!!!
I was so sure it wouldn't allow me... I was logged on as admin in 2k pro.
Is this normal behaviour??? | |
| jeff_j_black 2002-12-23, 7:52 am |
| Administrator and system have full control of the sysvol folder.
Just remember though, each separate installation on a multi boot setup like yours has its own distinct security context. You might be logging in as the same username and password, but it is a different account under each installation.
If you boot into the workstation and log in as administrator, the 2k server dc is not the means by which you are authenticating because it is offline (due to the multi boot). So you are logged in as the local 'administrator' to that installation of workstation. Same would hold for the stand-alone. When logging into the DC you have a choice of administrative log ins. You can log into the computer as the local administrator or the domain as the enterprise administrator.
You'll have a hard time grasping share and folder (NTFS) permissions on a single computer in a multi boot environment. | |
| Turbodog 2002-12-23, 8:00 am |
| I would think so, since you are multi-booting and your partitions are obviously formatted NTFS, which means you should be able to see all three partitions. | |
|
| quote: Originally posted by Riverwind6
Hi guys,
10 minutes ago I was playing with my test computer which has a win2000 DC on one partition, a 2k standalone server on another partition and a 2k pro on yet another partition.
I was in 2k Pro and was browsing through Windows Explorer (I had time to kill). I then decided to try deleting the SYSVOL folder of my 2K DC and it worked!!!
I was so sure it wouldn't allow me... I was logged on as admin in 2k pro.
Is this normal behaviour???
Of course. No matter how many partitions you have, if you are an administrator you can erase any folder you try to erase... | |
| chodan 2002-12-23, 10:02 pm |
| How does multi boot affect EFS? | |
| Riverwind6 2002-12-23, 10:51 pm |
| cm2jg and jeff, you say two different things.
jeff, I understand what you say and I definitely agree with it. But the thing is, I WAS able to delete files on my DC partition logged in from win2kPro on the same pc as Administrator.
Simply put, from 2KPro as Administrator, I could erase my SYSVOL folder on my 2KServer DC partition.
I thought it wouldn't allow me because of NTFS permissions...
But it seems if you're an administrator on a machine, you can delete any folders on any other partition even if they were created with another OS installation.....
It's hard to put in words but I think the concept is clear.... | |
| cm2gj 2002-12-23, 11:46 pm |
| quote: Originally posted by chodan
How does multi boot affect EFS?
You can't delete a folder or files with EFS encryption if you are a different user from the one who owns the files, no matter whether you use the same user name. | |
| jeff_j_black 2002-12-24, 9:53 am |
| quote: jeff, I understand what you say and I definitely agree with it. But the thing is, I WAS able to delete files on my DC partition logged in from win2kPro on the same pc as Administrator.
When you logged on to the 2k Pro Administrator account, you took full control ownership of everything on that computer. The only files you will find that you cannot delete will be system files that are in use by windows.
The point I want to caution on, is that in your scenario you are working in three different security contexts.
When you log into the Domain Controller, you can log in as the Local Administrator, or as the user named Administrator in your Domain.
When you log onto either the Stand-Alone server or 2k Pro Workstation, you are in the security context of that local machine. You aren't logging into the Domain, because it is offline.
While these concepts don't directly impact the situation involving what files you can delete, I wanted to highlight them.
But if you go to the Sysvol folder on the DC partition, while logged into 2k Pro, examine the NTFS properties of that folder, especially Security Permissions, you will see why you can delete it.
As for certificates, if the certificate is accessible, and the source is trusted, and it can be verified, then the certificate should work, but it is going to be mapped to that specific user or computer. EFS would require the correct security context of the specific user that owns it. I don't know if the recovery agent from one context could access EFS files from another security context, but I would expect not.
Happy Holidays and Well Wishes to all, into the New Year!!!
I want to thank all of the posters on this board for being a part of my own successful completion of both MCSE and CCNA this year. Without this community, I don't know if I would have had the same result. I pray that each of you can realize whatever determinations you have for this year and the years to come. | |
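Added example, not part of any post in this thread: the check suggested above (reading the Security permissions on the SYSVOL folder from the other installation) comes down to which SIDs the folder's ACL names. NTFS stores SIDs rather than account names, and BUILTIN\Administrators is S-1-5-32-544 on every Windows installation, so an entry for it is honoured whichever installation is booted. The sketch below parses a folder's SDDL string and reports which trustees with the DELETE right are portable in that sense; the SDDL value and the function names are constructed for illustration and are not taken from a real SYSVOL folder.

```python
import re

# Constructed SDDL for illustration (not read from a real SYSVOL folder).
SAMPLE_SDDL = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
               "(A;OICI;0x1200a9;;;AU)(A;OICIIO;GA;;;CO)"
               "(A;OICI;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1104)")

# Subset of SDDL aliases whose SIDs are identical on every Windows installation.
PORTABLE_ALIASES = {"BA": "BUILTIN\\Administrators (S-1-5-32-544)",
                    "SY": "NT AUTHORITY\\SYSTEM (S-1-5-18)",
                    "AU": "Authenticated Users (S-1-5-11)",
                    "WD": "Everyone (S-1-1-0)",
                    "CO": "CREATOR OWNER (S-1-3-0)"}
DELETE = 0x00010000       # standard DELETE access right
GENERIC_ALL = 0x10000000  # maps to full control, which includes DELETE

def pairs(field):
    """Split an SDDL field such as 'OICIIO' into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def grants_delete(rights):
    """True if an SDDL rights field (hex mask or letter codes) includes DELETE."""
    if rights.startswith("0x"):
        return bool(int(rights, 16) & (DELETE | GENERIC_ALL))
    return bool(pairs(rights) & {"FA", "GA", "SD"})

def is_portable(trustee):
    """True if the trustee SID means the same thing under any installation."""
    if trustee in PORTABLE_ALIASES:
        return True
    # S-1-5-21-<id>-<RID> belongs to one machine or domain account database.
    return trustee.startswith("S-1-") and not trustee.startswith("S-1-5-21-")

def delete_trustees(sddl):
    """Return (trustee, portable) for each allow ACE granting DELETE on the folder."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        # Only allow ACEs that apply to the folder itself (not inherit-only).
        if ace_type == "A" and "IO" not in pairs(flags) and grants_delete(rights):
            found.append((trustee, is_portable(trustee)))
    return found

if __name__ == "__main__":
    for trustee, portable in delete_trustees(SAMPLE_SDDL):
        name = PORTABLE_ALIASES.get(trustee, trustee)
        print(f"{name}: {'honoured by any installation' if portable else 'installation-specific'}")
```
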
|
| quote: Originally posted by jeff_j_black
When you logged on to the 2k Pro Administrator account, you took full control ownership of everything on that computer. The only files you will find that you cannot delete will be system files that are in use by windows.
The point I want to caution on, is that in your scenario you are working in three different security contexts.
When you log into the Domain Controller, you can log in as the Local Administrator, or as the user named Administrator in your Domain.
When you log onto either the Stand-Alone server or 2k Pro Workstation, you are in the security context of that local machine. You aren't logging into the Domain, because it is offline.
While these concepts don't directly impact the situation involving what files you can delete, I wanted to highlight them.
But if you go to the Sysvol folder on the DC partition, while logged into 2k Pro, examine the NTFS properties of that folder, especially Security Permissions, you will see why you can delete it.
As for certificates, if the certificate is accessible, and the source is trusted, and it can be verified, then the certificate should work, but it is going to be mapped to that specific user or computer. EFS would require the correct security context of the specific user that owns it. I don't know if the recovery agent from one context could access EFS files from another security context, but I would expect not.
Happy Holidays and Well Wishes to all, into the New Year!!!
I want to thank all of the posters on this board for being a part of my own successful completion of both MCSE and CCNA this year. Without this community, I don't know if I would have had the same result. I pray that each of you can realize whatever determinations you have for this year and the years to come.
In some cases, even if you are the local admin, you can't delete certain folders. |