Can't really remove Users group access

From: Catfish (catfish.usenet_at_catfish.homeip.net)
Date: 06/05/03


Date: Thu, 5 Jun 2003 00:27:24 -0400


    I've been playing with services like Bind9 and Apache on Win2k Pro
(standalone). One of the things I am attempting to do is move these services
from the LocalSystem to newly created users (like "DNS"). I also created a new
Group called "Servers" and made "DNS" part of the Servers group but removed
it from the Users group. I've played with user NTFS permissions before but
this would be the first time I've played with groups. All the servers are
installed and their data is located under c:\servers\ so I wanted to only
allow them access there (except their profiles and whatever else is
required).
    Since I removed DNS from the Users group, and the NTFS ACLs have no record
of a Servers group nor a DNS user (except its profile), and it's not part of
Users anymore, I would have thought that I have to set up NTFS access for this
user/group. What I found out was that it has access to any folder that the
Users group did.
    Did I miss a local/group policy or something like that? Is it assumed
all groups have User access? Should I then use Deny ACLs for security (since
it's better to allow access when needed than deny, I would want to avoid
this)? Since I plan to use this as a standalone server I don't really need
the Users group, but would prefer to keep them separate so I don't have to
use admin access to do most admin duties.

....

    I just tried WhoamI.exe /groups and it reports:

[Group 1] = "COMPNAME\None"
[Group 2] = "Everyone"
[Group 3] = "COMPNAME\Servers"
[Group 4] = "BUILTIN\Users"
[Group 5] = "NT AUTHORITY\INTERACTIVE"
[Group 6] = "NT AUTHORITY\Authenticated Users"

    So it appears that even though I removed this user from the USERS group
it's still in it.

Any thoughts? thanks


