Owner information replaced after synchronization in Onedrive for Business

Copper Contributor

can someone please explain why this works?
- we a group of admins that have, or can gain, local admin priviledges on windows PC's in the network.

- an admin connects to an Endusers PC by C$. Finds the Onedrive for business folder under the userprofile folder. Since connecting to C$ there is no prompt for him to get access, it just opens.

- the admin changes a file locally on the computer, in (C$\users\Enduser\Onedrive ....).

- When the user, from the webclient, checks the file in OneDrive for business (or SharePoint) the file  shows the Enduser as the owner and last change of the file. Not the admin who changed the file.

I am guessing the the synchronizing enginge is the one writing the attribute in SharePoint making this the Enduser identity. But how is this possible without a warning or a trace somewhere?


 

8 Replies
The OneDrive sync client is running as the Enduser. I you want a synced file to show as changed by the Admin (in your unexplained but suspicious scenario) then change a shared file in the Admin's account.

You're mixing network file sharing and cloud syncing. What warning are you expecting, and where?
Well, suspicious indeed!
Let's say we get a rouge admin and he delets all files from our ceo's ondrive. No one would ever know who did this. If I (as an admin) try the same, logged in as admin locally and then if I try to open another users folder I would get a prompt saying I does not have access, If I assign myself access this is logged. But when I connect over the network to \\computer\c$ there is no prompt and no logs of this action. This means the admin can add, remove or change any item in any local user folder, have it synchronized to OneDrive or SharePoint without a trace. The poor enduser gets the blame.

So at least that the prompts would be consistent and that the ability to log this action the same way as if logged on locally would be good. (without having to enable file auditing on all files for all my computers)
A rogue admin can do more extensive damage without doing this. If your organisation doesn't have backups or properly implemented ISMS controls then rogue admins can do bad stuff for a long time. OneDrive/SharePoint is *not* a backup in the way that file/disk snapshots are.
Yes, but beside my point. We do backup all SharePoint and OneDrive data.
Our Helpdesk admins only have access to local PC's, not any other resources (as admins). But this will create a shortcut into accessing data that they normally would not have access to. At least not by default. And if they did change something it is without any trace.
The Admin could place a malicious PDF-file on in a SharePoint library and the Enduser would get "blamed" for it.
An admin can do the same thing on a restricted network file share. They might suspend audit controls or a thousand other things. They have powerful access, and that is why IT admins are positions of trust. ISMS resources have a lot to say about malicious insiders.
No argument here. In the world of Tiering and Priviledged access I just want to know who changed a file.
Then it's up to your organisation to provide audit trails through access logs. Consider not using disk shares but terminal sessions (e.g. TeamViewer) where access consent is given by the end user.

If your preference is to provide unlogged back doors then you need to acknowledge these as accepted risks in your ISMS.