Re: Is every user a member of Users?

From: Herb Martin (news_at_LearnQuick.com)
Date: 01/06/05

• Next message: andypoole: "Re: Event ID 3085"
• Previous message: Roger Abell: "Re: Securing with Group Policy"
• In reply to: Roger Abell: "Re: Is every user a member of Users?"
• Next in thread: Roger Abell: "Re: Is every user a member of Users?"
• Reply: Roger Abell: "Re: Is every user a member of Users?"
• Reply: Les Desser: "Re: Is every user a member of Users?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Thu, 6 Jan 2005 05:00:38 -0600

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
> As Herb indicated Users is a group.
> Nothing magic about it. The membership of Users is
> clearly viewable, and Users contains nothing other than
> what is there, clearly viewable.

Correct (and below too).

Strictly FYI: The names for the various group types are:

    1) Built-in (Administrators, Users, Domain Admins...)
        changeable but created and used by the system automatically

    2) Groups (aka custom or user-defined Groups)

    3) Special (dynamically assigned membership based on
            current activity at the time the object resource is
            OPENED -- e.g., Everyone, Network, Terminal Service
            Users, Dialup Users (sp?) etc.

Groups MAY be divided into 2 or more categories:

    a) Local (workstations or domain based)
    b) Global (domain based only)
    c) Universal (Win2000 Native mode or 2003 Server mode)

On workstations, all Built-in and user-defined Groups are
Local Groups only -- while on the domain groups can be either
Local, Global, or perhaps Universal groups.

No one knows whether Specical Groups are Global or
Local -- the really are neither, but have some of the
characteristics of each.

Technially, there is another Group type, a variation on
Local groups when the behavior changes after upgrading
the domain to Native+ mode: Domain Locals, which are
techically different than "plain Local groups on a domain"
in NT or Mixed etc mode.

-- 
Herb Martin
>
> Today, the use made of Users would fit IMO fairly
> closely to "the group that allows its members to log
> into the machine at the keyboard and use it"
> In other words, the Users group is pretty much the
> grouping of accounts that can use the machine.
>
> There are groups, just plain old normal groups,
> like Users.  These come in two forms.  The predefined
> groups and what I term custom groups which have been
> defined by the user/owner of the machine.
>
> There are a couple kinds of things that are used as if
> they were groups and/or that function like groups, but
> over the membership in which one has no control.
> These are things like Everyone, Authenticated Users,
> Interactive, Network, Anonymous Users, Creator Owner,
> Creator Group, Self, . ..   These all have set, defined
> meanings and uses, which I believe you could discover
> by reading into the Resource Kits.
> www.reskits.com
>
> -- 
> Roger Abell
> Microsoft MVP (Windows  Security)
> MCSE (W2k3,W2k,Nt4)  MCDBA
> "Les Desser" <NewsDump1@dessergroup.com> wrote in message
> news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
> >
> > >I can see the point of view, but in larger environments seeing that a
> > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> > >composed of groupA and groupD only is highly useful, where groupA, B,
> > >C, D, etc. are fundemental categories of accounts, such as by roles
> > >that they hold in the corp (or family). The alternative, just seeing a
> > >long list of users in groupX and groupY is error prone.
> >
> > I agree - I withdraw my original statement.
> >
> > I just wish that that the definition of a group would not be muddied by
> > having special collections such as Users called the same as a group
> > created by human intelligence - see my reply to Herb a few minutes ago.
> > -- 
> > Les Desser
> > (The Reply-to address IS valid)
>
>

---

• Next message: andypoole: "Re: Event ID 3085"
• Previous message: Roger Abell: "Re: Securing with Group Policy"
• In reply to: Roger Abell: "Re: Is every user a member of Users?"
• Next in thread: Roger Abell: "Re: Is every user a member of Users?"
• Reply: Roger Abell: "Re: Is every user a member of Users?"
• Reply: Les Desser: "Re: Is every user a member of Users?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Local Group members ... defining a Restricted group, this is normal. ... > "Roger Abell" kirjoitti viestissä ... >> of local groups, but cannot "add" to the membership of them. ... (microsoft.public.windows.group_policy) Re: Restricted Groups > Local Administrators ... > Glad that you remembered the trick and are passing it along. ... local groups on the domain and avoid even having to create ... Herb Martin ... >> This will work because as built-in groups their ... (microsoft.public.win2000.active_directory) Re: Is every user a member of Users? ... As Herb indicated Users is a group. ... over the membership in which one has no control. ... >>composed of groupA and groupD only is highly useful, where groupA, B, ... >>long list of users in groupX and groupY is error prone. ... (microsoft.public.win2000.security) User.IsInRole() fails if user in too many groups? ... My IsInRole() checks return false for ALL membership checks if a given ... watched results change after I incrementally added a domain user to ... user is in XX local groups. ... (microsoft.public.dotnet.framework.aspnet.security) Re: User.IsInRole() fails if user in too many groups? ... > My IsInRole() checks return false for ALL membership checks if a given ... > watched results change after I incrementally added a domain user to ... > user is in XX local groups. ... (microsoft.public.dotnet.framework.aspnet.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)