Forum Discussion

matgus's avatar
matgus
Copper Contributor
Sep 19, 2022

Owner information replaced after synchronization in Onedrive for Business

can someone please explain why this works?
- we a group of admins that have, or can gain, local admin priviledges on windows PC's in the network.

- an admin connects to an Endusers PC by C$. Finds the Onedrive for business folder under the userprofile folder. Since connecting to C$ there is no prompt for him to get access, it just opens.

- the admin changes a file locally on the computer, in (C$\users\Enduser\Onedrive ....).

- When the user, from the webclient, checks the file in OneDrive for business (or SharePoint) the file  shows the Enduser as the owner and last change of the file. Not the admin who changed the file.

I am guessing the the synchronizing enginge is the one writing the attribute in SharePoint making this the Enduser identity. But how is this possible without a warning or a trace somewhere?


 

  • MikeWWW's avatar
    MikeWWW
    Iron Contributor
    The OneDrive sync client is running as the Enduser. I you want a synced file to show as changed by the Admin (in your unexplained but suspicious scenario) then change a shared file in the Admin's account.

    You're mixing network file sharing and cloud syncing. What warning are you expecting, and where?
    • matgus's avatar
      matgus
      Copper Contributor
      Well, suspicious indeed!
      Let's say we get a rouge admin and he delets all files from our ceo's ondrive. No one would ever know who did this. If I (as an admin) try the same, logged in as admin locally and then if I try to open another users folder I would get a prompt saying I does not have access, If I assign myself access this is logged. But when I connect over the network to \\computer\c$ there is no prompt and no logs of this action. This means the admin can add, remove or change any item in any local user folder, have it synchronized to OneDrive or SharePoint without a trace. The poor enduser gets the blame.

      So at least that the prompts would be consistent and that the ability to log this action the same way as if logged on locally would be good. (without having to enable file auditing on all files for all my computers)
      • MikeWWW's avatar
        MikeWWW
        Iron Contributor
        A rogue admin can do more extensive damage without doing this. If your organisation doesn't have backups or properly implemented ISMS controls then rogue admins can do bad stuff for a long time. OneDrive/SharePoint is *not* a backup in the way that file/disk snapshots are.

Resources