4th March 2010, 05:07 PM #1
[SOLVED] Staff/Students can delete Windows directory contents?!
I'm not sure if this is normal behavior or not for a Windows Domain. All clients are running Windows XP Pro and servers are 2003 Standard/Enterprise. All users are configured as standard users with no elevated privileges. For whatever reason, yesterday I was playing around in my teacher clone account on a student computer and was testing to see if something worked, but noticed I could also delete folders and add folders to the Windows directory and Program Files. That shocked me, I wasn't expecting that. I tried a student account too, and to my surprise, I could do the exact same thing. These systems were deep frozen so I wasn't concerned about data loss, but I'm concerned that they have that level of privileges. I've already gone into Active Directory and double checked that no users are Administrators and no groups the users are a part of are Administrators. Policies are being applied, I still can't access Computer Management and everything else that should be locked down according to policy, is. But is this normal?! Have they been able to do this all along?
One of the things that made me clue in before I tried the Windows dir and the Program Files dir, was that I could go into documents and settings, and open another user profile folder that I had just logged in as. Correct me if I'm wrong, but those should all say Access is Denied upon trying to access a Documents and Settings folder that isn't yours.
Any thoughts of how to stop this? I'm puzzled. Students and staff obviously don't know they have this privilege but I'd rather fix it fairly quick. I don't want to band aid fix it either, I'm curious as to what actually made this happen.
Thanks as always
Last edited by link470; 4th March 2010 at 06:07 PM.
4th March 2010, 05:13 PM #2
Log in as administrator and run Computer Management, and check the membership of the "Local Administrators" group.
If not, then you have GPOs giving them permission.
Why not right-click on Program Files and check the Security tab to see the actual permissions? That way you'll be able to work out how they are getting the permission.
Pretty basic stuff.
4th March 2010, 05:15 PM #3
Are you running roaming profiles? If so, you need to change it to Mandatory profiles... that locks the desktop.
4th March 2010, 05:37 PM #4
Originally Posted by Grommit
I think this is a much bigger issue than locking down the desktop. Either the users are admins or possibly 'power users' or somehow the permissions have been changed so users have full control over those folders.
My money is on someone making domain users part of the local power users group to get certain applications to work.
4th March 2010, 05:40 PM #5
I just got a machine I'm in the middle of creating an image behind me. I logged in as a teacher and student, everything is how it should be. The other machines in the school though are all frozen via Deep Freeze. I would have checked the security tab but didn't think about it because policies are applied at the moment to prevent the security tab from showing up. But I'll go try to log in as a local administrator and see what's happening. I'll post back within an hour. It's possible it's a policy but I don't know what kind of twisted policy I would have set to make them have that kind of permission. Also, policies are applied equally to the computer behind me that I'm building an image for, and everything worked properly.
Oh wow...delete this thread right now. lol. I MAY...or MAY NOT....have set my test accounts to be administrators on every machine a long time ago...for something...and forgot about it....MAYBE...I won't confirm or deny that...
So! How's everyone's daaaayyy? *slips quickly out the nearest conveniently placed door*
Last edited by link470; 4th March 2010 at 05:56 PM.
4th March 2010, 06:29 PM #6
4th March 2010, 08:18 PM #7
Maybe a useful command to know is:
net localgroup administrators
It will show you who has local admin rights (anyone can run this command) - if it's got anything other than "administrator" and "domain admins" and you don't know what the other groups or users are there for then do some checking.
If there are only the expected groups there then do:
net group "domain admins" /domain
Again, do you recognise the people in the list? If not - find out who they are!
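Added example (not part of the original thread): a short Python script that parses the text printed by `net localgroup administrators` and flags every member outside an expected set, so output collected from many clients can be checked in one pass. The sample output, the SCHOOL domain and the account names are constructed for illustration, and the script assumes the English-language output of the command.

```python
import re

# Constructed sample of `net localgroup administrators` output.
# The SCHOOL domain and the test accounts are made up for illustration.
SAMPLE_OUTPUT = r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
SCHOOL\Domain Admins
SCHOOL\teacher-test
SCHOOL\student-test
The command completed successfully.
"""

# Assumption: the only members expected on a client, as suggested in the post above.
EXPECTED = {"administrator", "domain admins"}


def parse_members(output):
    """Return the member lines listed under the dashed separator."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
        elif in_list and line.lower().startswith("the command completed"):
            break
        elif in_list and line:
            members.append(line)
    if not in_list:
        # No separator means the command failed (e.g. "System error 5");
        # treat that as an error rather than as "no unexpected admins".
        raise ValueError("not a member listing: " + output.strip()[:60])
    return members


def unexpected_members(output, expected=EXPECTED):
    """Members whose name (domain prefix stripped) is not in the expected set."""
    return [m for m in parse_members(output)
            if m.rsplit("\\", 1)[-1].lower() not in expected]


if __name__ == "__main__":
    for member in unexpected_members(SAMPLE_OUTPUT):
        print("unexpected local admin:", member)
```
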