Re: Is every user a member of Users?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 01/04/05


Date: Tue, 04 Jan 2005 03:32:31 GMT

The fact that a user cannot be removed from the user group is probably to
prevent denial of service attacks against the operating system, in much the
same way that the built-in administrator account cannot be removed from the
local administrators group.

If you wish to restrict a user, add that user to a group and then use
NTFS/registry permissions, user rights, and Group Policy to restrict the
user. It is more difficult to use Group Policy to lock down a user/group on a
standalone computer, though, as by default Group Policy applies to all local
users, though there are hacks that can change that to exempt local users from
Group Policy. For instance, you may be able to use Local Group Policy -
gpedit.msc - and restrict the user via user configuration/administrative
tools/system, where you can configure the setting for allowed Windows
applications. If left blank, the user will only be able to log on to the
operating system and nothing else until you populate the allowed application
list, which may be harder than expected as some applications depend on other
executables to run, though Filemon from SysInternals would be very helpful in
sorting that out. The guest account in Windows 2000 also will not save the
guest user profile when the guest logs off.

--- Steve

http://www.jsiinc.com/sube/tip2400/rh2492.htm -- filtering local Group
Policy.

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:yhvaIKBgTf2BFArC@dessergroup.onetel.co.uk...
> In article <x5mCd.20234$wu4.14984@attbi_s52>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 01:14:05 writes
>
>>Yes. Anyone who logs on locally for instance is a member of the
>>authenticated users group which is a member of the users group. Use the "
>>net localgroup users " to see that and use the gpresult support tool to
>>see all the groups that a user is a member of.
>
> At least that makes a bit more sense - see below
>
>> Always be extremely careful when configuring deny user rights when
>> adding the users or everyone groups. Exactly what are you trying to
>> secure?
>
> I was trying to secure a stand alone W2K Pro PC so that a guest could
> browse the web and play some mp3 files but nothing else.
>
> I created a Visitors group and a Visitor user to be its member (rather
> than using Guests/Guest) and Visitor was not a member of Users and
> nevertheless Visitor could go anywhere until I removed all permissions for
> Users.
>
> I cannot understand having such a security model where Users/User exist
> and are granted permissions by default, but if membership of Users is
> removed from a user it is STILL a member of Users.
>
> If Users is something special then it should not be possible to assign a
> user explicitly to the Users group - something that is done all over the
> place by default.
>
> You live and learn - thanks for the quick response. I see bringing
> knowledge of a security model from elsewhere to Windows may be dangerous.
>
> I will pass your response on grc.techtalk where I have come from to get
> this sorted.
>
> Thanks again.
> --
> Les Desser
> (The Reply-to address IS valid)
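
Added example, not part of the original posts: a PowerShell check of the behaviour discussed in this thread, comparing the explicit members of the local Users group with the groups carried in the current logon token. It assumes a current Windows release with Windows PowerShell 5.1 and its LocalAccounts module (not the Windows 2000 system in the thread, where `net localgroup users` and gpresult are the tools named above); the variable names are illustrative.

```powershell
# Added example: why an account that is not listed in Users can still be
# treated as a member of Users. Run it while logged on as the account under test.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember from the LocalAccounts module).

# Well-known SID of the local Users group (BUILTIN\Users); using the SID avoids
# problems with localized or renamed group names.
$usersSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')

# 1. Explicit members of Users, the same list 'net localgroup users' prints.
#    Special identities nested here (for example Authenticated Users) show up
#    with ObjectClass 'Group'.
$explicit = @(Get-LocalGroupMember -SID $usersSid)
$explicit | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Groups present in the logon token of the current account. Access checks
#    against NTFS and registry ACLs are made with these SIDs, not with the
#    member list above.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# 3. Compare the two views.
$listedDirectly = @($explicit | Where-Object { $_.SID.Value -eq $identity.User.Value }).Count -gt 0
$usersInToken   = $principal.IsInRole($usersSid)

# Members of Users that are themselves in the token: these are the nested
# groups through which the account picks up Users.
$grantedVia = @($explicit |
    Where-Object { $tokenSids -contains $_.SID.Value } |
    ForEach-Object { $_.Name })

[pscustomobject]@{
    Account             = $identity.Name
    ListedInUsers       = $listedDirectly
    UsersSidInToken     = $usersInToken
    NestedGroupsInToken = $grantedVia -join '; '
} | Format-List
```

If `ListedInUsers` is False while `UsersSidInToken` is True, permissions granted to Users still apply to the account, so restrictions have to be set on the ACLs and user rights themselves, as the reply above suggests.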


