Is Add User Limited to Admins Group?

P. Fogg

Can someone point me to a resource that definitively states whether the
ability to create users and groups is limited to the Admins Group and that
the permission to do so can not be assigned to another group?

I created a new group and assigned Administrate permissions (and all the
other ones) to all items, including the database. Users in this group have
no problem assigning permissions to items to existing users, but are unable
to create new users.

I need a reference to confirm that this is the expected behavior that I can
show a client.

Thanks
 
TC

I imagine (but have not tested) that any user or group who is granted
Administer permission on the database object, would be able to create
new users and groups. A user could be granted that permission without
being a member of the Admins group.

Try that out & see if it works. If it does, that would answer your
question conclusively. Post back here to say if it works.

HTH,
TC
 
P. Fogg

I have tried it and on Access 2000 SP 3a administrative permissions on the
database and all of its objects do not appear to be sufficient to create
users. Membership in the admins group appears required. However, I can not
find this explicitly documented anywhere. Some knowledgebase articles seem
to imply this is the case, but I am looking for something explicit.

Thanks
 
Jack MacDonald

Quoting from p 374 of "Microsoft Jet Database Engine Programmer's
Guide" from Microsoft Press (1995, Jet ver 3)

> The Admins group is designed to hold user accounts for people who are
> true administrators of the workgroup. They manage user and group
> membership and have the power to clear users' passwords.

That's as close as I have seen to something stating that you must be a
member of Admins to manage the user accounts.



On Fri, 15 Apr 2005 22:09:02 -0700, "P. Fogg" <P.
> I have tried it and on Access 2000 SP 3a administrative permissions on the
> database and all of its objects do not appear to be sufficient to create
> users. Membership in the admins group appears required. However, I can not
> find this explicitly documented anywhere. Some knowledgebase articles seem
> to imply this is the case, but I am looking for something explicit.
>
> Thanks


**********************
(e-mail address removed)
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security
 
P. Fogg

Thank you. That's pretty close. Does it indicate whether those powers can
be delegated to another group?
 
Jeff Conrad

in message:
> I have tried it and on Access 2000 SP 3a administrative permissions on the
> database and all of its objects do not appear to be sufficient to create
> users. Membership in the admins group appears required. However, I can not
> find this explicitly documented anywhere. Some knowledgebase articles seem
> to imply this is the case, but I am looking for something explicit.

Yes, most of the documentation just implies that you must be a member
of the Admins group. You'll see it in a lot of code comments as well:
' Must be a member of the Admins Group

It's just one of those things that is "known" by people that use Access User
Level Security. In addition to the quote that Jack was able to find, here
is another one that you can freely use:

"You must me a member of the Admins Group in order to create and manage
Users and Groups."
- - Jeff Conrad Access Junkie, April 16th, 2005

Will that work for your client?
:)

As TC touched upon, you can allow non-Admins users the ability to manage
user accounts by "temporarily" giving them Admin-type rights for a split
second. You do this by creating a new temporary workspace of someone
who is a member of the Admins group. There is information on this subject
in the Security FAQ which you can find here:

http://support.microsoft.com/?kbid=207793
 
P. Fogg

Thanks for your help.

 
Jeff Conrad

in message:
> Thanks for your help.

You're welcome, good luck with your project.

I also noticed a small typo in my previous response, sorry.
The quote should look like this:

"You must be a member of the Admins Group in order to create and manage
Users and Groups."
- - Jeff Conrad Access Junkie, April 16th, 2005
 
TC

Jeff Conrad wrote:

(snip)
> As TC touched upon, you can allow non-Admins users the ability to manage
> user accounts by "temporarily" giving them Admin-type rights for a split
> second. You do this by creating a new temporary workspace of someone
> who is a member of the Admins group.

Jeff, that's not what I suggested. I suggested giving a
non-admins-group member, 'Administer' permission on the database
object.

It seems that no-one has a definitive reference for the OP's question
:)

The fact that "members of the Admins group can create new users &
groups", does not logically imply that you *must* be a member of the
Admins group in order to do that. Logically speaking, it could still be
possible to delegate that permission to some other user or group. That
is what the OP asks. I would have thought 'yes', but everyone else is
saying 'no'.

I'll do some testing myself, & post back here within a few days. My aim
will be to create a user who is *not* a member of the Admins group, but
who *can* create new users & groups. This would definitively answer the
OP's question.

Cheers all,
TC
 
Jeff Conrad

in message:

Hi TC,

> Jeff, that's not what I suggested. I suggested giving a
> non-admins-group member, 'Administer' permission on the database
> object.

Oh, I think you are right TC.
After re-reading more carefully, I think you are correct.
I plead old age on that one.
:)

> It seems that no-one has a definitive reference for the OP's question
> :)

I actually did some digging in several resources I have, and to be
honest I could not find anything with a definite answer.

> The fact that "members of the Admins group can create new users &
> groups", does not logically imply that you *must* be a member of the
> Admins group in order to do that. Logically speaking, it could still be
> possible to delegate that permission to some other user or group. That
> is what the OP asks. I would have thought 'yes', but everyone else is
> saying 'no'.

I still think 'No' myself, but I have not done any extensive testing in that
area myself. I would be happy to be proven wrong.

> I'll do some testing myself, & post back here within a few days. My aim
> will be to create a user who is *not* a member of the Admins group, but
> who *can* create new users & groups. This would definitively answer the
> OP's question.

Looking forward to your conclusions.
 
TC

Jeff Conrad wrote:

(snip)
> I plead old age on that one :)

Jeff, there's no way you can beat me on that particular criterion !!!!

> Looking forward to your conclusions.

Here is what I found.

1. I created a new user (through the user interface) & checked that he
was not a member of the Admins group. The new user can not create new
users - as expected.

2. I gave that user Administer permission to the Database object. He
still could not create new users. So much for that idea.

3. I then ran the following code, which gives the user *every grantable
permission* to the database, and every object within it:

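    ' Requires a reference to the DAO library.
    Sub GrantEveryPermission()
        Dim con As DAO.Container, doc As DAO.Document
        For Each con In DBEngine(0)(0).Containers
            ' Set every permission bit on the container itself...
            con.UserName = "test_user"
            con.Permissions = &HFFFFFFFF
            ' ...and on every document (object) inside it.
            For Each doc In con.Documents
                doc.UserName = "test_user"
                doc.Permissions = &HFFFFFFFF
            Next doc
        Next con
    End Sub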

*Still* he could not add new users!

4. Then I added the user to the Admins group. Now he was able to add
new users.

To my mind, steps 3. and 4. - taken together - confirm (by
demonstration) that you must be a member of the Admins group before you
can create new users; and that this permission can not be granted to
other users who are not members of that group.

Cheers,
TC
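
The check in steps 1 to 4 above can also be repeated from code instead of through the user interface. This is an added example, not code posted by anyone in the thread. It assumes a DAO reference, a workgroup file with user-level security in use, and the account name "test_user" from the code above with a blank password; the probe user name and PID are constructed placeholders.

```vba
Option Explicit

' Returns True if the named account is listed in the workgroup's Admins group.
' Call this while logged on as an account that can read the workgroup file.
Function IsInAdmins(ws As DAO.Workspace, ByVal userName As String) As Boolean
    Dim usr As DAO.User
    For Each usr In ws.Groups("Admins").Users
        If StrComp(usr.Name, userName, vbTextCompare) = 0 Then
            IsInAdmins = True
            Exit Function
        End If
    Next usr
End Function

' Logs on as the given account in a separate workspace and tries to append a
' throwaway user, returning True only if Jet allowed it.
Function CanCreateUsers(ByVal userName As String, ByVal pwd As String) As Boolean
    Dim ws As DAO.Workspace, probe As DAO.User
    On Error GoTo Denied
    Set ws = DBEngine.CreateWorkspace("probe_ws", userName, pwd, dbUseJet)
    ' Constructed placeholder name and PID for the probe account.
    Set probe = ws.CreateUser("zz_probe_user", "ProbePID12345", "")
    ws.Users.Append probe            ' per step 3, refused for non-Admins accounts
    ws.Users.Delete "zz_probe_user"  ' clean up if the append succeeded
    CanCreateUsers = True
Done:
    If Not ws Is Nothing Then ws.Close
    Exit Function
Denied:
    ' Record what Jet actually reported rather than assuming an error number.
    Debug.Print userName & ": " & Err.Number & " " & Err.Description
    Resume Done
End Function

' Prints both facts side by side so the two results can be compared.
Sub ReportUserAdminRights()
    Const TEST_USER As String = "test_user"
    Debug.Print "In Admins:        " & IsInAdmins(DBEngine(0), TEST_USER)
    Debug.Print "Can create users: " & CanCreateUsers(TEST_USER, "")
End Sub
```

Running ReportUserAdminRights before and after step 4 shows whether the two values change together.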
 
Jeff Conrad

in message:
> Jeff, there's no way you can beat me on that particular criterion !!!!

I'm right behind you TC!

Well I think that pretty much seals the deal there on this issue.
Excellent investigative work TC.
Case closed.
 
Jack MacDonald

[snip]
> To my mind, steps 3. and 4. - taken together - confirm (by
> demonstration) that you must be a member of the Admins group before you
> can create new users; and that this permission can not be granted to
> other users who are not members of that group.


This confirms what was written, albeit ambiguously, in the passage
that I quoted earlier. Thanks for the clear demonstration.



**********************
(e-mail address removed)
remove uppercase letters for true email
http://www.geocities.com/jacksonmacd/ for info on MS Access security
 
david epsom dot com dot au

I agree with you.

(1a) 'Administer the database' allows you permission
to do things to the database file, like changing
the start properties of the database.

(1b) 'Administer the database' does not give you
permission to administer security.

(1c) Being a member of the original Admins Group of
a database is required to change database security
settings for a group or user

(1d) Being a member of the current Admins Group is
required to create a user or move a user into or
out of a Group.

(2) I've never seen any clear documentation that my
opinion is correct.

(david)
 
