Forum Discussion
matgus
Sep 19, 2022Copper Contributor
Owner information replaced after synchronization in Onedrive for Business
Can someone please explain why this works? - We are a group of admins that have, or can gain, local admin privileges on Windows PCs in the network. - An admin connects to an end user's PC by C$. Finds ...
matgus
Sep 19, 2022Copper Contributor
Well, suspicious indeed!
Let's say we get a rogue admin and he deletes all files from our CEO's OneDrive. No one would ever know who did this. If I (as an admin) try the same, logged in as admin locally, and then try to open another user's folder, I get a prompt saying I do not have access; if I assign myself access, this is logged. But when I connect over the network to \\computer\c$ there is no prompt and no log of this action. This means the admin can add, remove or change any item in any local user folder and have it synchronized to OneDrive or SharePoint without a trace. The poor end user gets the blame.
So at least it would be good if the prompts were consistent and if there were a way to log this action the same way as when logged on locally (without having to enable file auditing on all files for all my computers).
MikeWWW
Sep 19, 2022Iron Contributor
A rogue admin can do more extensive damage without doing this. If your organisation doesn't have backups or properly implemented ISMS controls then rogue admins can do bad stuff for a long time. OneDrive/SharePoint is *not* a backup in the way that file/disk snapshots are.
matgus
Sep 19, 2022Copper Contributor
Yes, but beside my point. We do back up all SharePoint and OneDrive data.
Our Helpdesk admins only have access to local PCs, not any other resources (as admins). But this creates a shortcut into accessing data that they normally would not have access to, at least not by default. And if they did change something, it is without any trace.
The admin could place a malicious PDF file in a SharePoint library and the end user would get "blamed" for it.
MikeWWW
Sep 19, 2022Iron Contributor
An admin can do the same thing on a restricted network file share. They might suspend audit controls or a thousand other things. They have powerful access, and that is why IT admins are positions of trust. ISMS resources have a lot to say about malicious insiders.
matgus
Sep 19, 2022Copper Contributor
No argument here. In the world of Tiering and Privileged Access I just want to know who changed a file.
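One way to get the "who changed a file" record matgus asks for, without per-file SACLs on every machine: Windows share-level auditing (Event ID 5145, the "Detailed File Share" subcategory) records the requesting account, client IP and relative path for every access through an admin share such as C$. The script below is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on the endpoint, and the function and regexes are the author's own.

```powershell
# Added example: surface admin-share access to user profile folders on an endpoint
# using share-level auditing instead of per-file SACLs.
# Assumption: run elevated on the target PC; Event ID 5145 ("Detailed File Share")
# is only written once the subcategory below is enabled (it is off by default).

# 1. Enable the audit subcategory for both successful and failed access.
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable | Out-Null

# 2. Pull recent 5145 events and keep those where a remote principal touched
#    something under C:\Users\<profile>\ through C$ (or any other <drive>$ share).
function Get-AdminShareProfileAccess {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Admin shares look like \\*\C$; profile data (OneDrive sync roots included)
        # lives under Users\<name>\ relative to the share root.
        if ($d.ShareName -match '\\\*\\[A-Z]\$$' -and $d.RelativeTargetName -match '^Users\\[^\\]+\\') {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Actor    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"  # the admin, not the end user
                ClientIP = $d.IpAddress
                Share    = $d.ShareName
                Path     = $d.RelativeTargetName
                Access   = $d.AccessMask   # e.g. 0x2 = write data, 0x10000 = DELETE
            }
        }
    }
}

Get-AdminShareProfileAccess -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

5145 is chatty on file servers, so on clients forward only the filtered rows to the SIEM rather than the raw log; the Actor field is what lets you attribute a deletion that later syncs to OneDrive to the admin account rather than to the profile owner.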