+ Post New Thread
Results 1 to 7 of 7
Windows Thread, [SOLVED] Staff/Students can delete Windows directory contents?! in Technical; I'm not sure if this is normal behavior or not for a Windows Domain. All clients are running Windows XP ...
  1. #1
    link470's Avatar
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    250
    Thank Post
    85
    Thanked 8 Times in 6 Posts
    Rep Power
    15

    [SOLVED] Staff/Students can delete Windows directory contents?!

    I'm not sure if this is normal behavior or not for a Windows Domain. All clients are running Windows XP Pro and servers are 2003 Standard/Enterprise. All users are configured as standard users with no elevated privileges. For whatever reason, yesterday I was playing around in my teacher clone account on a student computer and was testing to see if something worked, but noticed I could also delete folders and add folders to the Windows directory and Program Files. That shocked me, I wasn't expecting that. I tried a student account too, and to my surprise, I could do the exact same thing. These systems were deep frozen so I wasn't concerned about data loss, but I'm concerned that they have that level of privileges. I've already gone into Active Directory and double checked that no users are Administrators and no groups the users are a part of are Administrators. Policies are being applied, I still can't access Computer Management and everything else that should be locked down according to policy, is. But is this normal?! Have they been able to do this all along?

    One of the things that made me clue in before I tried the Windows dir and the Program Files dir, was that I could go into documents and settings, and open another user profile folder that I had just logged in as. Correct me if I'm wrong, but those should all say Access is Denied upon trying to access a Documents and Settings folder that isn't yours.

    Any thoughts of how to stop this? I'm puzzled. Students and staff obviously don't know they have this privilege but I'd rather fix it fairly quick. I don't want to band aid fix it either, I'm curious as to what actually made this happen.

    Thanks as always
    Last edited by link470; 4th March 2010 at 06:07 PM.

  2. #2
    oxide54's Avatar
    Join Date
    Mar 2009
    Posts
    798
    Thank Post
    51
    Thanked 55 Times in 54 Posts
    Rep Power
    22
    login as administrator and run computer management, and check the membership of the "Local Administrators" group.

    If not then, you have GPO's giving them permission.

    Why not right click on program files and check the security tab to see the actual permissions that way you'll be able to work how they are getting the permission.


    pretty basic stuff.

  3. #3
    Grommit's Avatar
    Join Date
    Sep 2006
    Location
    Weston-super-Mare
    Posts
    1,335
    Thank Post
    31
    Thanked 54 Times in 31 Posts
    Rep Power
    25
    Quote Originally Posted by link470 View Post
    I'm not sure if this is normal behavior or not for a Windows Domain. All clients are running Windows XP Pro and servers are 2003 Standard/Enterprise. All users are configured as standard users with no elevated privileges. For whatever reason, yesterday I was playing around in my teacher clone account on a student computer and was testing to see if something worked, but noticed I could also delete folders and add folders to the Windows directory and Program Files. That shocked me, I wasn't expecting that. I tried a student account too, and to my surprise, I could do the exact same thing. These systems were deep frozen so I wasn't concerned about data loss, but I'm concerned that they have that level of privileges. I've already gone into Active Directory and double checked that no users are Administrators and no groups the users are a part of are Administrators. Policies are being applied, I still can't access Computer Management and everything else that should be locked down according to policy, is. But is this normal?! Have they been able to do this all along?

    One of the things that made me clue in before I tried the Windows dir and the Program Files dir, was that I could go into documents and settings, and open another user profile folder that I had just logged in as. Correct me if I'm wrong, but those should all say Access is Denied upon trying to access a Documents and Settings folder that isn't yours.

    Any thoughts of how to stop this? I'm puzzled. Students and staff obviously don't know they have this privilege but I'd rather fix it fairly quick. I don't want to band aid fix it either, I'm curious as to what actually made this happen.

    Thanks as always
    Are you running roaming profiles ? If so you need to change it to Mandatory profiles.. that locks the desktop

  4. #4
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Quote Originally Posted by Grommit View Post
    Are you running roaming profiles ? If so you need to change it to Mandatory profiles.. that locks the desktop


    I think this is a much bigger issue than locking down the desktop. Either the users are admins or possibly 'power users' or somehow the permissions have been changed so users have full control over those folders.

    My money is on someone making domain users part of the local power users group to get certain applications to work.

  5. #5
    link470's Avatar
    Join Date
    Nov 2007
    Location
    Canada
    Posts
    250
    Thank Post
    85
    Thanked 8 Times in 6 Posts
    Rep Power
    15
    I just got a machine I'm in the middle of creating an image behind me. I logged in as a teacher and student, everything is how it should be. The other machines in the school though are all frozen via Deep Freeze. I would have checked the security tab but didn't think about it because policies are applied at the moment to prevent the security tab from showing up. But I'll go try to log in as a local administrator and see what's happening. I'll post back within an hour. It's possible it's a policy but I don't know what kind of twisted policy I would have set to make them have that kind of permission. Also, policies are applied equally to the computer behind me that I'm building an image for, and everything worked properly.

    Thanks guys!

    ::EDIT::

    Oh wow...delete this thread right now. lol. I MAY...or MAY NOT....have set my test accounts to be administrators on every machine a long time ago...for something...and forgot about it....MAYBE...I won't confirm or deny that...

    AH HEM...

    So! How's everyones daaaayyy? *slips quickly out the nearest conveniently placed door*
    Last edited by link470; 4th March 2010 at 05:56 PM.

  6. #6
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Hahaha it happens.

  7. #7

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    Maybe a useful command to know is:

    net localgroup administrators

    It will show you who has local admin rights (anyone can run this command) - if it's got anything other than "administrator" and "domain admins" and you don't know what the other groups or users are there for then do some checking.

    If there are only the expected groups there then do:

    net group "domain admins" /domain

    again, do you recognise the people in the list? If not - find out who they are!

SHARE:
+ Post New Thread

Similar Threads

  1. Blocking ALL Executables in Students Home Directory
    By markwilliamson2001 in forum Windows
    Replies: 31
    Last Post: 9th March 2010, 08:51 AM
  2. Help... Staff to delete Print jobs
    By timbo343 in forum Windows
    Replies: 10
    Last Post: 26th February 2010, 02:52 PM
  3. Replies: 4
    Last Post: 20th March 2009, 10:15 AM
  4. Replies: 1
    Last Post: 21st January 2007, 02:51 PM
  5. Replies: 32
    Last Post: 25th July 2005, 07:17 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •