"Kurt Buff" <[EMAIL PROTECTED]> wrote on 09/08/2008 01:21:20 PM:
> On Mon, Sep 8, 2008 at 7:57 AM, <[EMAIL PROTECTED]> wrote: > > > > KenM <[EMAIL PROTECTED]> wrote on 09/05/2008 09:32:53 PM: > > > >> Also why are you taking ownership, If these folders were created > >> using the users home drive path in ADUC then the local admins should > >> have access and your can just run the script as a users who is in > >> the local admins group. > > > > Well, no. The only accounts with access (usually) are the user. Local admins > > removed from security at upper level (i.e., E:\Users), and no inheritence > > for sub-folders specified. Otherwise, anyone who is a local admin (such as a > > Domain Admin) could access any files, and that's a No-No. :-) > > Nice script! Thanks! > However, it's futile to try to deny access to local/domain admins - > they can get at it anyway, and it just makes administering that much > harder. That's what I think. But then, I only work here. :-) This way, taking ownership shows up in the log, so there's a record. And if there is no log, that, too, is a clue. > I set up home drives with local administrators full control, > the individual user with change control, and let it go. Life is much > simpler that way. That's how I had it at my old place, yes. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~