Security Basics mailing list archives

Re: only read admin rights


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Mon, 28 Oct 2002 14:01:43 -0700

On Fri, Oct 25, 2002 at 11:31:11PM -0000, christian mathieu wrote:
> Hello,
>
> I would like to know if there is a way to create an account on a win2K
> machine, that has admin rights to be able to look anywhere in the machine,
> but could not modify anything. The goal is to allow some admins to look
> at how we secure the box without giving "real" admin passwords

You will have to make a user Administrator then hit the custom button,
and start clicking.

While I have never tried this, it should be possible.  I have made a
user with more access rights than Administrator, which says that
Administrator is prevented from doing things; I'd argue why not just
prevent it a little more?

One thing I will point out is, if they can read anything and
everything, they may be able to use that information to gain real
Administrator access.  Well, now that I think about it... they *can* use
this access to gain administrator.  Explicit action on their part would
be needed, but that is all (IOW they can't do it by clicking too fast
in MineSweeper).

If this doesn't faze you, then go for it.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science

