Windows Confidential: An Administrator Is Not the Administrator

Raymond Chen

I came across a report from a user who was trying to set the owner of a file to "Administrator." The user was unable to do this even though he was logged on as an administrator. Why won’t the system let an administrator change the owner of a file to Administrator? Don’t administrators have permission to take ownership of files?
But you see, "Administrator" and "Administrators" are not the same. That plural marker makes all the difference. Indeed, the subtlety of that plural marker creates problems for localizers.
My colleague Jesper Holmberg points out that the word in Swedish for "Owner" (which is what Administrator is called) in Windows® XP Home Edition is "Ägare". Unfortunately, that is one of those words that does not take a plural marker. Jesper’s workaround was to change the translation of "Owners" to "Ägaren". (You can read more on Jeppe's Weblog.)
So do you know the difference between Administrator and Administrators? Administrator is an account. If a permission or privilege is granted to Administrator, it can be done only by someone logged in with the Administrator account, that is, the account whose name defaults to Administrator (in English).
Administrators, on the other hand, is a group. If you are a member of the Administrators group of a machine, you have been granted administrator privileges on that machine. It is membership in the Administrators group that people refer to when they say things like "I’m an administrator on this machine." The use of an indefinite article ("an") as opposed to a definite article ("the") highlights that the user is just one of many administrators.
Things are more ambiguous when people say something like "I’m running as administrator." This could mean either they are running as the Administrator account or that they are running with an account that is a member of the Administrators group.
Once you understand this difference, it becomes clear why the user I mentioned earlier was unable to reassign ownership of the file. The user was logged on with an account that belongs to the Administrators group—but not with the Administrator account itself. Let’s call the user’s account "Bob." The SeTakeOwnershipPrivilege privilege is assigned to members of the Administrators group, allowing members of this group to assign ownership to themselves. However, this privilege does not let members assign ownership to somebody else. In this example, Bob could assign ownership of the file to Bob. But he is mistakenly trying to assign ownership to Administrator and since Bob is not the same as Administrator, the operation fails.
The user needs to log on with the Administrator account and take ownership of the files from there. In this case, the Administrator is assigning ownership to himself. (Alternatively, Bob could enable SeRestorePrivilege before setting the owner. This method is somewhat unorthodox, however, since SeRestorePrivilege is intended to be used by backup and restore programs.)
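The two operations described above, side by side, as an added PowerShell example (this is not code from the column; it is written for this page). It assumes an elevated session running as a member of the Administrators group that is not the Administrator account itself (the article's "Bob"), a built-in Administrator account that still carries its default name, and a throwaway file under the user's temp directory. Assigning ownership to yourself is covered by SeTakeOwnershipPrivilege and succeeds; assigning it to Administrator from Bob's session fails unless SeRestorePrivilege is enabled, and Windows reports that as ERROR_INVALID_OWNER ("The security identifier is not allowed to be the owner of this object").

```powershell
# Added example, not part of the original column.
# Assumes: elevated PowerShell, current user is in Administrators but is not
# the Administrator account, and the account is still named "Administrator".
$path = Join-Path $env:TEMP 'owner-demo.txt'       # constructed sample file
Set-Content -Path $path -Value 'constructed sample content'

$acl = Get-Acl -Path $path
Write-Host "Original owner: $($acl.Owner)"

# 1) Take ownership for yourself. SeTakeOwnershipPrivilege (held by members of
#    the Administrators group) lets the caller become the owner, and nothing more.
$self = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$acl.SetOwner($self)
Set-Acl -Path $path -AclObject $acl
Write-Host "Owner after taking ownership: $((Get-Acl -Path $path).Owner)"

# 2) Try to hand ownership to the Administrator account from this (Bob's) session.
#    Without SeRestorePrivilege enabled, the kernel rejects a foreign owner SID.
$acl = Get-Acl -Path $path
$adminAccount = New-Object System.Security.Principal.NTAccount('Administrator')
$acl.SetOwner($adminAccount)
try {
    Set-Acl -Path $path -AclObject $acl -ErrorAction Stop
    # Only reached if SeRestorePrivilege was already enabled in this token.
    Write-Host "Owner is now $((Get-Acl -Path $path).Owner) (SeRestorePrivilege was in effect)"
}
catch {
    # Expected outcome for Bob: ERROR_INVALID_OWNER.
    Write-Host "Assigning ownership to Administrator failed: $($_.Exception.Message)"
}

Remove-Item -Path $path -Force
```

If the Administrator account has been renamed, the NTAccount lookup itself throws before Set-Acl is reached; resolve the account by its SID (the machine SID with RID 500) instead of by name in that case.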
When setting security descriptors, it is strongly recommended not to assign a right exclusively to the Administrator account. If you do, anybody who wants to exercise that right would have to log off from their normal account and log back on as the Administrator account.
A better practice is to assign the right to the Administrators group. This allows any member of the Administrators group to exercise the right without you having to give out any passwords.
When you build security descriptors with the Security Descriptor Definition Language (SDDL), this means avoiding the LA trustee (the local Administrator account) in favor of BA (the built-in Administrators group).
Of course, it’d be even better to avoid assigning the right to the Administrators group, because that scenario makes it impossible for the right to be delegated to a non-administrator. A better approach is to assign the right to a group, either an existing one (such as Backup Operators) or, ideally, a custom group created specifically for this purpose. This keeps to the Principle of Least Privilege: a user should be given only the privileges necessary to accomplish their task.
If you are developing a new securable object, define access masks for each operation (or class of operations) so that the system administrators can delegate operations to the right people without having to make them administrators. And, of course, remember that an administrator is not necessarily the Administrator.
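A small audit helper for the SDDL advice above (avoid the LA trustee; prefer BA or, better still, a purpose-built group), as an added PowerShell example that is not part of the column. It parses an SDDL string with the .NET RawSecurityDescriptor class, reports any DACL entry whose trustee is the Administrator account (a SID of the form S-1-5-21-...-500, which is what LA resolves to) and shows the rewritten descriptor with the trustee moved to the Administrators group or to a custom group. The sample SDDL string and the group name DemoFileOperators are constructed for this example; the custom-group step assumes that local group already exists.

```powershell
# Added example, not part of the original column.

# Returns each DACL entry of the given SDDL string whose trustee is the
# Administrator *account* (RID 500) rather than a group.
function Find-AdministratorAccountAces {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow/deny ACEs (CommonAce) carry a trustee SID we can inspect.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        # Administrator account: S-1-5-21-<machine or domain>-500.
        # Administrators group:  the well-known S-1-5-32-544 (BA).
        if ($sid.Value -like 'S-1-5-21-*-500') {
            [pscustomobject]@{
                AceType = $ace.AceType
                Trustee = $sid.Value
                Mask    = ('0x{0:X8}' -f $ace.AccessMask)
                Advice  = 'grant to BA (S-1-5-32-544) or a purpose-built group instead'
            }
        }
    }
}

# Rewrites every LA trustee in the SDDL text to the given group alias or SID.
# The trustee is the sixth ACE field, so it always follows ';;;'.
function ConvertTo-GroupTrusteeSddl {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$GroupSidOrAlias = 'BA'
    )
    return $Sddl -replace ';;;LA\)', ";;;$GroupSidOrAlias)"
}

# Constructed sample: full control to the Administrator account (LA) and
# read/execute to Users (BU). The LA entry is the one the article warns against.
$sample = 'O:BAG:BAD:(A;;FA;;;LA)(A;;0x1200a9;;;BU)'

Write-Host "Entries granted to the Administrator account:"
Find-AdministratorAccountAces -Sddl $sample | Format-Table -AutoSize

Write-Host "Rewritten to the Administrators group (BA):"
ConvertTo-GroupTrusteeSddl -Sddl $sample

# Preferred form: a dedicated group, so the right can be delegated to
# non-administrators. Assumes a local group named DemoFileOperators exists.
try {
    $account  = New-Object System.Security.Principal.NTAccount('DemoFileOperators')
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Write-Host "Rewritten to the custom group ($groupSid):"
    ConvertTo-GroupTrusteeSddl -Sddl $sample -GroupSidOrAlias $groupSid
}
catch {
    Write-Host "Custom group DemoFileOperators not found; create it first (e.g. New-LocalGroup)."
}
```

Because RawSecurityDescriptor resolves LA through the local machine (or domain) SID, the audit works on the same SDDL text whether it was authored by hand or exported from an existing object; the RID-500 check is what distinguishes the account from the BA group, which is S-1-5-32-544 and is never matched.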

Raymond Chen’s Web site deals with Windows history and Win32 programming. His penmanship has been deteriorating since 1993, much to his chagrin.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.