[SOLVED] Staff/Students can delete Windows directory contents?!

[link470]

I'm not sure if this is normal behavior or not for a Windows Domain. All clients are running Windows XP Pro and servers are 2003 Standard/Enterprise. All users are configured as standard users with no elevated privileges. For whatever reason, yesterday I was playing around in my teacher clone account on a student computer and was testing to see if something worked, but noticed I could also delete folders and add folders to the Windows directory and Program Files. That shocked me, I wasn't expecting that. I tried a student account too, and to my surprise, I could do the exact same thing. These systems were deep frozen so I wasn't concerned about data loss, but I'm concerned that they have that level of privileges. I've already gone into Active Directory and double checked that no users are Administrators and no groups the users are a part of are Administrators. Policies are being applied, I still can't access Computer Management and everything else that should be locked down according to policy, is. But is this normal?! Have they been able to do this all along?

One of the things that made me clue in before I tried the Windows dir and the Program Files dir, was that I could go into documents and settings, and open another user profile folder that I had just logged in as. Correct me if I'm wrong, but those should all say Access is Denied upon trying to access a Documents and Settings folder that isn't yours.

Any thoughts of how to stop this? I'm puzzled. Students and staff obviously don't know they have this privilege but I'd rather fix it fairly quick. I don't want to band aid fix it either, I'm curious as to what actually made this happen.

Thanks as always

[oxide54]

login as administrator and run computer management, and check the membership of the "Local Administrators" group.

If not then, you have GPO's giving them permission.

Why not right click on program files and check the security tab to see the actual permissions that way you'll be able to work how they are getting the permission.


pretty basic stuff.

[Grommit]

I'm not sure if this is normal behavior or not for a Windows Domain. All clients are running Windows XP Pro and servers are 2003 Standard/Enterprise. All users are configured as standard users with no elevated privileges. For whatever reason, yesterday I was playing around in my teacher clone account on a student computer and was testing to see if something worked, but noticed I could also delete folders and add folders to the Windows directory and Program Files. That shocked me, I wasn't expecting that. I tried a student account too, and to my surprise, I could do the exact same thing. These systems were deep frozen so I wasn't concerned about data loss, but I'm concerned that they have that level of privileges. I've already gone into Active Directory and double checked that no users are Administrators and no groups the users are a part of are Administrators. Policies are being applied, I still can't access Computer Management and everything else that should be locked down according to policy, is. But is this normal?! Have they been able to do this all along?

One of the things that made me clue in before I tried the Windows dir and the Program Files dir, was that I could go into documents and settings, and open another user profile folder that I had just logged in as. Correct me if I'm wrong, but those should all say Access is Denied upon trying to access a Documents and Settings folder that isn't yours.

Any thoughts of how to stop this? I'm puzzled. Students and staff obviously don't know they have this privilege but I'd rather fix it fairly quick. I don't want to band aid fix it either, I'm curious as to what actually made this happen.

Thanks as always

Are you running roaming profiles ? If so you need to change it to Mandatory profiles.. that locks the desktop

[cookie_monster]

Are you running roaming profiles ? If so you need to change it to Mandatory profiles.. that locks the desktop

I think this is a much bigger issue than locking down the desktop. Either the users are admins or possibly 'power users' or somehow the permissions have been changed so users have full control over those folders.

My money is on someone making domain users part of the local power users group to get certain applications to work.

[link470]

I just got a machine I'm in the middle of creating an image behind me. I logged in as a teacher and student, everything is how it should be. The other machines in the school though are all frozen via Deep Freeze. I would have checked the security tab but didn't think about it because policies are applied at the moment to prevent the security tab from showing up. But I'll go try to log in as a local administrator and see what's happening. I'll post back within an hour. It's possible it's a policy but I don't know what kind of twisted policy I would have set to make them have that kind of permission. Also, policies are applied equally to the computer behind me that I'm building an image for, and everything worked properly.

Thanks guys!

::EDIT::

Oh wow...delete this thread right now. lol. I MAY...or MAY NOT....have set my test accounts to be administrators on every machine a long time ago...for something...and forgot about it....MAYBE...I won't confirm or deny that...

AH HEM...

So! How's everyones daaaayyy? *slips quickly out the nearest conveniently placed door*

[cookie_monster]

Hahaha it happens.

[srochford]

Maybe a useful command to know is:

net localgroup administrators

It will show you who has local admin rights (anyone can run this command) - if it's got anything other than "administrator" and "domain admins" and you don't know what the other groups or users are there for then do some checking.

If there are only the expected groups there then do:

net group "domain admins" /domain

again, do you recognise the people in the list? If not - find out who they are!