Is Add User Limited to Admins Group?

Can someone point me to a resource that definitively states whether the ability to create users and groups is limited to the Admins Group and that the permission to do so can not be assigned to another group? I created a new group and assigned Administrate permissions (and all the other ones) to all items, including the database. Users in this group have no problem assigning permissions to items to existing users, but are unable to create new users. I need a reference to confirm that this is the expected behavior that I can show a client.

Thanks


I imagine (but have not tested) that any user or group who is granted Administer permission on the database object, would be able to create new users and groups. A user could be granted that permission without being a member of the Admins group.

Try that out & see if it works. If it does, that would answer your question conclusively. Post back here to say if it works.

HTH,
TC


I have tried it and on Access 2000 SP 3a administrative permissions on the database and all of its objects do not appear to be sufficient to create users. Membership in the admins group appears required. However, I can not find this explicitly documented anywhere. Some knowledgebase articles seem to imply this is the case, but I am looking for something explicit.

Thanks

"TC" wrote:

> I imagine (but have not tested) that any user or group who is granted
> Administer permission on the database object, would be able to create
> new users and groups. A user could be granted that permission without
> being a member of the Admins group.
>
> Try that out & see if it works. If it does, that would answer your
> question conclusively. Post back here to say if it works.
>
> HTH,
> TC


Quoting from p 374 of "Microsoft Jet Database Engine Programmer's Guide" from Microsoft Press (1995, Jet ver 3)

The Admins group is designed to hold user accounts for people who are true administrators of the workgroup. They manage user and group membership and have the power to clear users' passwords.

That's as close as I have seen to something stating that you must be a member of Admins to manage the user accounts.

On Fri, 15 Apr 2005 22:09:02 -0700, "P. Fogg" <P. F***@discussions.microsoft.com> wrote:

>I have tried it and on Access 2000 SP 3a administrative permissions on the
>database and all of its objects do not appear to be sufficient to create
>users. Membership in the admins group appears required. However, I can not
>find this explicitly documented anywhere. Some knowledgebase articles seem
>to imply this is the case, but I am looking for something explicit.
>
>Thanks

**********************
jackmacMACdon***@telusTELUS.net
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security


Thank you. That's pretty close. Does it indicate whether those powers can be delegated to another group?

"Jack MacDonald" wrote:

> Quoting from p 374 of "Microsoft Jet Database Engine Programmer's
> Guide" from Microsoft Press (1995, Jet ver 3)
>
> The Admins group is designed to hold user accounts for people who are
> true administrators of the workgroup. They manage user and group
> membership and have the power to clear users' passwords.
>
> That's as close as I have seen to something stating that you must be a
> member of Admins to manage the user accounts.


No it doesn't say.
On Sat, 16 Apr 2005 09:43:01 -0700, "P. Fogg" <P. F***@discussions.microsoft.com> wrote:

>Thank you. That's pretty close. Does it indicate whether those powers can
>be delegated to another group?

**********************
jackmacMACdon***@telusTELUS.net
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security


"P. Fogg" wrote in message:
news:355E626F-9E6D-415D-BA2C-055D081C9B14@microsoft.com...

> I have tried it and on Access 2000 SP 3a administrative permissions on the
> database and all of its objects do not appear to be sufficient to create
> users. Membership in the admins group appears required. However, I can not
> find this explicitly documented anywhere. Some knowledgebase articles seem
> to imply this is the case, but I am looking for something explicit.

Yes, most of the documentation just implies that you must be a member of the Admins group. You'll see it in a lot of code comments as well:

' Must be a member of the Admins Group

It's just one of those things that is "known" by people that use Access User Level Security. In addition to the quote that Jack was able to find, here is another one that you can freely use:

"You must me a member of the Admins Group in order to create and manage Users and Groups."
- - Jeff Conrad Access Junkie, April 16th, 2005

Will that work for your client?
:-)

As TC touched upon, you can allow non-Admins users the ability to manage user accounts by "temporarily" giving them Admin-type rights for a split second. You do this by creating a new temporary workspace of someone who is a member of the Admins group. There is information on this subject in the Security FAQ which you can find here:

http://support.microsoft.com/?kbid=207793

--
Jeff Conrad
Access Junkie
Bend, Oregon


Thanks for your help.
"Jeff Conrad" wrote:

> Yes, most of the documentation just implies that you must be a member
> of the Admins group. You'll see it in a lot of code comments as well:
> ' Must be a member of the Admins Group
>
> It's just one of those things that is "known" by people that use Access User
> Level Security. In addition to the quote that Jack was able to find, here
> is another one that you can freely use:
>
> "You must me a member of the Admins Group in order to create and manage
> Users and Groups."
> - - Jeff Conrad Access Junkie, April 16th, 2005
>
> Will that work for your client?
> :-)
>
> As TC touched upon, you can allow non-Admins users the ability to manage
> user accounts by "temporarily" giving them Admin-type rights for a split
> second. You do this by creating a new temporary workspace of someone
> who is a member of the Admins group. There is information on this subject
> in the Security FAQ which you can find here:
>
> http://support.microsoft.com/?kbid=207793


"P. Fogg" wrote in message:
news:BCEA74F5-2049-4706-927D-45A978BCD088@microsoft.com...

> Thanks for your help.

You're welcome, good luck with your project.

I also noticed a small typo in my previous response, sorry. The quote should look like this:

"You must be a member of the Admins Group in order to create and manage Users and Groups."
- - Jeff Conrad Access Junkie, April 16th, 2005

--
Jeff Conrad
Access Junkie
Bend, Oregon


Jeff Conrad wrote:

(snip)
> As TC touched upon, you can allow non-Admins users the ability to manage
> user accounts by "temporarily" giving them Admin-type rights for a split
> second. You do this by creating a new temporary workspace of someone
> who is a member of the Admins group.

Jeff, that's not what I suggested. I suggested giving a non-admins-group member, 'Administer' permission on the database object.

It seems that no-one has a definitive reference for the OP's question :-)

The fact that "members of the Admins group can create new users & groups", does not logically imply that you *must* be a member of the Admins group in order to do that. Logically speaking, it could still be possible to delegate that permission to some other user or group. That is what the OP asks. I would have thought 'yes', but everyone else is saying 'no'.

I'll do some testing myself, & post back here within a few days. My aim will be to create a user who is *not* a member of the Admins group, but who *can* create new users & groups. This would definitively answer the OP's question.

Cheers all,
TC


"TC" wrote in message:
news:1113722588.099318.277730@g14g2000cwa.googlegroups.com...

Hi TC,

> Jeff, that's not what I suggested. I suggested giving a
> non-admins-group member, 'Administer' permission on the database
> object.

Oh, I think you are right TC.
After re-reading more carefully, I think you are correct.
I plead old age on that one.
:-)

> It seems that no-one has a definitive reference for the OP's question
> :-)

I actually did some digging in several resources I have, and to be honest I could not find anything with a definite answer.

> The fact that "members of the Admins group can create new users &
> groups", does not logically imply that you *must* be a member of the
> Admins group in order to do that. Logically speaking, it could still be
> possible to delegate that permission to some other user or group. That
> is what the OP asks. I would have thought 'yes', but everyone else is
> saying 'no'.

I still think 'No' myself, but I have not done any extensive testing in that area myself. I would be happy to be proven wrong.

> I'll do some testing myself, & post back here within a few days. My aim
> will be to create a user who is *not* a member of the Admins group, but
> who *can* create new users & groups. This would definitively answer the
> OP's question.

Looking forward to your conclusions.

--
Jeff Conrad
Access Junkie
Bend, Oregon


Jeff Conrad wrote:

(snip)
> I plead old age on that one :-)

Jeff, there's no way you can beat me on that particular criterion !!!!

> Looking forward to your conclusions.

Here is what I found.

1. I created a new user (through the user interface) & checked that he was not a member of the Admins group. The new user can not create new users - as expected.

2. I gave that user Administer permission to the Database object. He still could not create new users. So much for that idea.

3. I then ran the following code, which gives the user *every grantable permission* to the database, and every object within it:

    ' Set every permission bit for test_user on each container
    ' and on every document inside it.
    Dim con As Container, doc As Document
    For Each con In DBEngine(0)(0).Containers
        con.UserName = "test_user"          ' account whose permissions are set
        con.Permissions = &HFFFFFFFF        ' all bits on
        For Each doc In con.Documents
            doc.UserName = "test_user"
            doc.Permissions = &HFFFFFFFF
        Next
    Next

*Still* he could not add new users!

4. Then I added the user to the Admins group. Now he was able to add new users.

To my mind, steps 3. and 4. - taken together - confirm (by demonstration) that you must be a member of the Admins group before you can create new users; and that this permission can not be granted to other users who are not members of that group.

Cheers,
TC


"TC" wrote in message:
news:1113796757.125588.114620@g14g2000cwa.googlegroups.com...

> Jeff, there's no way you can beat me on that particular criterion !!!!

I'm right behind you TC!

> Here is what I found.
>
> 1. I created a new user (through the user interface) & checked that he
> was not a member of the Admins group. The new user can not create new
> users - as expected.
>
> 2. I gave that user Administer permission to the Database object. He
> still could not create new users. So much for that idea.
>
> 3. I then ran the following code, which gives the user *every grantable
> permission* to the database, and every object within it:
>
> dim con as container, doc as document
> for each con in dbengine(0)(0).containers
> con.username = "test_user"
> con.permissions = &hffffffff
> for each doc in con.documents
> doc.username = "test_user"
> doc.permissions = &hffffffff
> next
> next
>
> *Still* he could not add new users!
>
> 4. Then I added the user to the Admins group. Now he was able to add
> new users.
>
> To my mind, steps 3. and 4. - taken together - confirm (by
> demonstration) that you must be a member of the Admins group before you
> can create new users; and that this permission can not be granted to
> other users who are not members of that group.

Well I think that pretty much seals the deal there on this issue.
Excellent investigative work TC.
Case closed.

--
Jeff Conrad
Access Junkie
Bend, Oregon


On 17 Apr 2005 20:59:17 -0700, "TC" <aatcbbtcc***@yahoo.com> wrote:

[snip]
>To my mind, steps 3. and 4. - taken together - confirm (by
>demonstration) that you must be a member of the Admins group before you
>can create new users; and that this permission can not be granted to
>other users who are not members of that group.

This confirms what was written, albeit ambiguously, in the passage that I quoted earlier.

Thanks for the clear demonstration.
**********************
jackmacMACdon***@telusTELUS.net
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security


I agree with you.

(1a) 'Administer the database' allows you permission to do things to the database file, like changing the start properties of the database.
(1b) 'Administer the database' does not give you permission to administer security.
(1c) Being a member of the original Admins Group of a database is required to change database security settings for a group or user.
(1d) Being a member of the current Admins Group is required to create a user or move a user into or out of a Group.

(2) I've never seen any clear documentation that my opinion is correct.

(david)

"P. Fogg" <P. F***@discussions.microsoft.com> wrote in message
news:355E626F-9E6D-415D-BA2C-055D081C9B14@microsoft.com...

>I have tried it and on Access 2000 SP 3a administrative permissions on the
> database and all of its objects do not appear to be sufficient to create
> users. Membership in the admins group appears required. However, I can
> not find this explicitly documented anywhere. Some knowledgebase articles
> seem to imply this is the case, but I am looking for something explicit.
>
> Thanks
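
The temporary-workspace approach Jeff Conrad mentions, combined with TC's finding that only Admins members can append users, shown as an added example (not code from the thread or from the Security FAQ). The account name UserAdmin, its password, the workspace name TempAdmin and both procedure names are assumptions made for illustration.

```vba
' Added example, not from the thread. "UserAdmin", its password and the
' procedure names are assumptions. Needs a reference to the DAO library.
Option Compare Database
Option Explicit

' True if the logged-on user is in the Admins group of the workgroup file.
Public Function CurrentUserIsAdmin() As Boolean
    Dim grp As DAO.Group
    For Each grp In DBEngine.Workspaces(0).Users(CurrentUser()).Groups
        If grp.Name = "Admins" Then
            CurrentUserIsAdmin = True
            Exit Function
        End If
    Next grp
End Function

' Creates a workgroup user and adds it to the Users group. A caller outside
' Admins is served through a temporary workspace opened as an Admins member.
Public Function AddWorkgroupUser(strName As String, strPID As String, _
                                 strPassword As String) As Boolean
    Dim ws As DAO.Workspace
    Dim usr As DAO.User
    Dim blnTemp As Boolean

    On Error GoTo Fail
    If CurrentUserIsAdmin() Then
        Set ws = DBEngine.Workspaces(0)
    Else
        ' Hypothetical Admins account and placeholder password.
        Set ws = DBEngine.CreateWorkspace("TempAdmin", "UserAdmin", _
                                          "placeholder-password", dbUseJet)
        blnTemp = True
    End If

    Set usr = ws.CreateUser(strName, strPID, strPassword)
    ws.Users.Append usr                         ' rejected outside Admins
    usr.Groups.Append usr.CreateGroup("Users")  ' default group membership
    AddWorkgroupUser = True

Done:
    On Error Resume Next
    If blnTemp Then ws.Close    ' end the elevated session right away
    Exit Function
Fail:
    Debug.Print "User not created: " & Err.Number & " " & Err.Description
    Resume Done
End Function
```

The Admins credentials are literals in the module, so anyone who can view the code can read them. The temporary workspace is closed as soon as the account has been created, which keeps the Admins-level session as short as the thread describes.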