@MarcB said:
@m0ffx said:
He was running as the Admin at home, and still couldn't
delete the file owned by the Admin at work. If you or anyone thinks
that is desirable behaviour, then you at the very least have a concept
of what 'Admin' means that is vastly different to mine.
@m0ffx said:
When the file owned by the domain admin is on a storage device (USB in this case, but it could just as well be an internal drive) which is then connected to a different computer that is not on the domain.
I come from a Linux background; my expectation is that local root/admin has full control over devices connected to the local machine. I would not expect local root to have full control over network shares, but that is not what we are talking about.
Yes, but that's because Unix/Linux file ownership is a very simplistic affair. A file owned by root is UID 0, and it's the same UID 0 on pretty much every other Unix system out there. A zero here is a zero there is a zero everywhere. Ownership data on a Windows/NTFS system is totally different. It's not stored as your "simple" ID number, whatever number your account happens to have. It's stored as a hash of your ID number, AND the ID number of your system. If the machine in question is part of a domain, then that system ID number is constant across all systems in the domain. In other words, an Admin account isn't creating a file with the Windows equivalent of UID 0. It's creating "0+long random number".
Your home machine's Admin account will essentially NEVER have the same unique user ID bits that the Admin accounts on (theoretically) every other Domain or system in the universe have.
That much is sensible and reasonable, and I'd sort of figured out it was the case.
So why couldn't the home Admin account delete the file created by the work Admin account? Because "Admin/Local Machine" has a different set of ID bits on the disk than "Admin/Work Machine" does.
That much is not what I expect. What I expect is that Admin/Any machine completely ignores who owns the file or what the permissions are! Evidently this is not how Windows does things; one can debated whether or not it is desirable, but...
That being said, you CAN use your local Admin account to force an ownership takeover of any of these files. It's exactly the same as chown on Unix boxes. The original ownership bits are replaced with whatever you want. In this case, it'd be replacing 'Administrator/m0ffx Work System ID" with "Administrator/m0ffx Home Box". Still Administrator account name, but now with your home system's ID bits as well.Try it sometime... take an NTFS drive from one machine, and stick it into another (let's not cheat and used two machines ghosted/cloned from a common source). See how far you can get accessing/modifying files on that "foreign" drive without having to force changes in ownership.
So, I can't delete a file even though I'm Admin/m0ffx Home Box, because I don't own it. But I can take ownership of it, and then I can delete it! I'm sorry, but What. The. Fuck. It's a bit like having the only key to a door, but anyone can change the lock barrel to one that takes their key. It doesn't actually do anything except put an extra step in the process of getting in, or of deleting a file.