Re: Is every user a member of Users?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 01/05/05

    Date: Tue, 4 Jan 2005 22:24:10 -0700
    
    

    lusrmgr.msc run at a cmd prompt (as you refer to
    c:\winnt should I assume this is Windows 2000?)
    lets you see the group structure in all existing detail.

    Originally Users only held accounts. Later MS invented
    Interactive and Authenticated Users and nested these
    within. This was as much as anything a response to the
    fact that the OS had grown in ways such that if an account
    was not a member of Users then things would fail in an
    interactive login. It is not just the NTFS permissions in
    the system folders, but also a matter of permissions on the
    COM components and registry keys, where some grants are
    to the Users group.

    I think historically the intent was to have Guests, Users,
    and Administrators with these three being allowed a tiered
    increase in capability. However, things were IMO not kept
    fully clean, and for all practical purposes the distinction
    between Guest and any Users member became lost and also
    impossible for interactive login. In large part this was a
    response to MS observing the common (and reasonable)
    practice of removing the default grants to Everyone (which
    used to allow Guest to function interactively).

    By the way, although it looks like a group in the icon used,
    System is best thought of not as a group but as an account.
    I think it is treated as a group because in a stand-alone install
    the Local System account (which is used to fire up most of the
    core components/services of the OS) is System, but once the
    machine is joined to a domain then the domain\Machine$
    account also is System.

    Aside from accounts and normal groups, you will find some
    "group-like" predefined principals used (Interactive, Network,
    Authenticated Users, Creator Owner, etc.) whose membership
    you cannot adjust. These are like place-holders which get
    substituted with the "then current" account if the criteria of
    the place being held are satisfied. If I have logged in as UserX
    at the keyboard, then UserX actually appears in the security
    access checks where Interactive is seen when viewing the
    definitions, etc.

    -- 
    Roger
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:T30y9wGOMo2BFA+A@dessergroup.onetel.co.uk...
    > In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
    > <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes
    >
    > >The membership in the Users group is only exactly what is shown when
    > >you view it. Now, in a default scenario you will see that Interactive
    > >and Authenticated Users are nested within Users.
    >
    > Please do you have any pointers as to where I can see this on the system
    > or at least read about it.
    >
    > > Due to these any account that logs in locally or any account that is
    > >authenticated (respectively) will become a Users member during that
    > >login/usage. These groups do not have to be nested within Users, but
    > >when removed one does need to understand what they have been enabling
    > >so that the parts of that which are needed can be provided.
    >
    > More reading - groan! :)
    >
    > I am just a starter on the Windows security front, but as I see it:-
    >
    > Users is a system group (like SYSTEM) (I wonder if I can delete it) and
    > it should not be possible to assign anyone to this group.  What strange
    > mind thought up a structure that allows me to remove membership of a
    > user from a specific group, but the user still remains (in 99.99% of the
    > time) a member via a hidden route.
    >
    > Also, why does Windows put every newly created user explicitly into the
    > Users group? - and thereby totally confuse poor punters like me.
    > -- 
    > Les Desser
    > (The Reply-to address IS valid)
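
The nesting discussed in this thread can be checked on a live machine by comparing the stored membership of the local Users group with the SIDs in the current logon's access token. The script below is an added example, not part of the original posts; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), and the function name Get-UsersMembershipReport is hypothetical.

```powershell
# Added example (not from the original thread). Requires Windows PowerShell 5.1+
# for Get-LocalGroupMember. Get-UsersMembershipReport is a hypothetical name.

# Well-known SIDs of the fixed-membership principals named in the message.
$Placeholders = @{
    'S-1-5-2'  = 'NETWORK'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-11' = 'Authenticated Users'
}

# BUILTIN\Users, referenced by SID so localized group names still resolve.
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

function Get-UsersMembershipReport {
    # Group SIDs carried in the access token of the current logon session.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    # One row per stored member of Users: an account, a normal group,
    # or one of the placeholder principals whose membership cannot be edited.
    foreach ($member in Get-LocalGroupMember -SID $UsersSid) {
        $sid = $member.SID.Value
        [pscustomobject]@{
            Member       = $member.Name
            Sid          = $sid
            Kind         = if ($Placeholders.ContainsKey($sid)) { 'placeholder' } else { $member.ObjectClass }
            # True when this entry is the logged-on account itself or a
            # group/placeholder SID present in the current token.
            MatchesLogon = ($sid -eq $identity.User.Value) -or ($tokenSids -contains $sid)
        }
    }

    # Summary row: whether this logon ended up with Users in its token,
    # by whichever of the routes above.
    [pscustomobject]@{
        Member       = 'BUILTIN\Users (effective, from token)'
        Sid          = $UsersSid.Value
        Kind         = 'effective'
        MatchesLogon = $tokenSids -contains $UsersSid.Value
    }
}

Get-UsersMembershipReport | Format-Table -AutoSize
```

A row with Kind "placeholder" and MatchesLogon "True" is a route by which the current logon receives Users without the account being listed explicitly in the group.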
    
