Re: Default Permissions
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 12/23/04
- Next message: John Blaustein: "SonicWALL/cable Internet/dynamic IP configuration help needed"
- Previous message: Lanwench [MVP - Exchange]: "Re: Can wildcards be used for sites in the Restricted Sites settings i"
- In reply to: Jarno: "Default Permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Dec 2004 14:50:05 -0700
When you look at the generalized view in the ACL editor you see only
ACEs that have flags set so that it will apply to
"This folder, subfolders, and files"
When you look using the advanced view you see all ACEs in the ACL
(at least for NTFS objects).
Users has a grant of read/execute that is a generic read, for this
folder (where the ACL is), subfolders and files. This means it is
inherited on down to anywhere within that does not block inheritance.
The other two ACEs that you see grant folder only permissions, and
carry no permissions on the contained files.
One allows Users members to create new folders in the folder with
the ACL (at the root of the drive if we speak of a new partition), and
the other allows Users members to create new files within subfolders
of the one holding the ACL.
Once a Users group member has exercised these abilities to create
a new object, then the generic grant to Creator Owner allows that
account to have full control over what it has created.
For many purposes these are rather reasonable settings, but for
others they are not. Remember defaults are just that, defaults.
It is not possible to prescribe something that is correct for all
circumstances. If you feel you have different needs, then yes, you
are supposed to set the ACLing to fit your needs. However, be
very careful that you understand what you are doing when you
modify the ACLing on the boot partition (the one containing the
Windows directory).
-- Roger Abell Microsoft MVP (Windows Server System: Security) MCDBA, MCSE W2k3+W2k+Nt4 "Jarno" <Jarno@discussions.microsoft.com> wrote in message news:7957D368-D179-424E-AE61-6FE83C058BC6@microsoft.com... > Hi! > > Can someone explain why the default permissions in every harddrives and > partitions in Windows 2003 Server look like they do? For example if you > look > at advanced settings on security the "Users" group will appear with three > different settings. And what is the reason to put the "System" group > there. > We feel like we want to remove all the default security and only leave the > Administrators as default with full control and then add the permission we > need in the subfolders.
- Next message: John Blaustein: "SonicWALL/cable Internet/dynamic IP configuration help needed"
- Previous message: Lanwench [MVP - Exchange]: "Re: Can wildcards be used for sites in the Restricted Sites settings i"
- In reply to: Jarno: "Default Permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
