Re: Is every user a member of Users?
From: Herb Martin (news_at_LearnQuick.com)
Date: 01/06/05
Date: Thu, 6 Jan 2005 10:25:31 -0600
> Perhaps we should note for the OP that "principal" is the
> generic term used to indicate anything that can be a trustee,
> that is, the object indicated as receiving or being denied a
> security access grant (and similar with auditing).
Drift is bad <grin>
In fact, I strongly prefer the term "security principal"
as a generic term for Groups, Users, and Computer
accounts -- all of these can be granted or denied
permission and rights related to object access and to
system functions.
<irony>
Then there is the question of "Creator/Owner" which
Microsoft calls a special group (at times) and which
I have always considered a Special User.
But on logical grounds it does qualify as Special
Group of at most one user. Ok, there is the case
where it manages to represent the Administrators
group collectively and thereby destroys all our
perceptions about Group containment rules.
(BTW, I think the developers cheated by writing
some exceptions in the code for this stuff.)
</irony>
--
Herb Martin

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eAVrV3$8EHA.2900@TK2MSFTNGP09.phx.gbl...
> Thanks Herb for the terminology breakdown.
>
> It is with regret that I need mention for the OP that one will
> find that the terms used by MS have "drifted" some over time.
> For example, if one reads at
> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_atxz.asp
> one will find a slight variation on these, and that all of the
> "pre-defined"s get lumped together as the category
> Built-in Security Principals, and reading on one finds at
> http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_wdkv.asp
> some meanings for the common ones of these, where the OP
> should notice that some are "group-like" and some are
> "user-like". The first are dynamically managed collections
> of accounts, while the second are placeholders used in ACLs
> that get replaced dynamically at runtime with the account in use
> that meets their definition.
>
> Perhaps we should note for the OP that "principal" is the
> generic term used to indicate anything that can be a trustee,
> that is, the object indicated as receiving or being denied a
> security access grant (and similar with auditing).
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%23j9oj%2398EHA.2180@TK2MSFTNGP12.phx.gbl...
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
> > > As Herb indicated Users is a group.
> > > Nothing magic about it. The membership of Users is
> > > clearly viewable, and Users contains nothing other than
> > > what is there, clearly viewable.
> >
> > Correct (and below too).
> >
> > Strictly FYI: The names for the various group types are:
> >
> > 1) Built-in (Administrators, Users, Domain Admins...)
> > changeable but created and used by the system automatically
> >
> > 2) Groups (aka custom or user-defined Groups)
> >
> > 3) Special (dynamically assigned membership based on
> > current activity at the time the object resource is
> > OPENED -- e.g., Everyone, Network, Terminal Service
> > Users, Dialup Users (sp?) etc.
> >
> > Groups MAY be divided into 2 or more categories:
> >
> > a) Local (workstations or domain based)
> > b) Global (domain based only)
> > c) Universal (Win2000 Native mode or 2003 Server mode)
> >
> >
> > On workstations, all Built-in and user-defined Groups are
> > Local Groups only -- while on the domain groups can be either
> > Local, Global, or perhaps Universal groups.
> >
> > No one knows whether Special Groups are Global or
> > Local -- they really are neither, but have some of the
> > characteristics of each.
> >
> > Technically, there is another Group type, a variation on
> > Local groups when the behavior changes after upgrading
> > the domain to Native+ mode: Domain Locals, which are
> > technically different than "plain Local groups on a domain"
> > in NT or Mixed etc mode.
> >
> >
> > --
> > Herb Martin
> >
> >
> > >
> > > Today, the use made of Users would fit IMO fairly
> > > closely to "the group that allows its members to log
> > > into the machine at the keyboard and use it"
> > > In other words, the Users group is pretty much the
> > > grouping of accounts that can use the machine.
> > >
> > > There are groups, just plain old normal groups,
> > > like Users. These come in two forms. The predefined
> > > groups and what I term custom groups which have been
> > > defined by the user/owner of the machine.
> > >
> > > There are a couple kinds of things that are used as if
> > > they were groups and/or that function like groups, but
> > > over the membership in which one has no control.
> > > These are things like Everyone, Authenticated Users,
> > > Interactive, Network, Anonymous Users, Creator Owner,
> > > Creator Group, Self, . .. These all have set, defined
> > > meanings and uses, which I believe you could discover
> > > by reading into the Resource Kits.
> > > www.reskits.com
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
> > > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> > > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> > > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
> > > >
> > > > >I can see the point of view, but in larger environments seeing that a
> > > > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> > > > >composed of groupA and groupD only is highly useful, where groupA, B,
> > > > >C, D, etc. are fundamental categories of accounts, such as by roles
> > > > >that they hold in the corp (or family). The alternative, just seeing a
> > > > >long list of users in groupX and groupY is error prone.
> > > >
> > > > I agree - I withdraw my original statement.
> > > >
> > > > I just wish that the definition of a group would not be muddied by
> > > > having special collections such as Users called the same as a group
> > > > created by human intelligence - see my reply to Herb a few minutes ago.
> > > > --
> > > > Les Desser
> > > > (The Reply-to address IS valid)
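Added example, not part of the original thread: a sketch of how the categories discussed above (built-in groups, custom groups, dynamically populated special identities, and ACL placeholders such as Creator Owner) can be told apart when auditing the trustee SIDs in an ACL. The function names and the sample SIDs are constructed for illustration; the well-known SID values are standard Windows values and do not come from the posts.

```python
import struct

# Special identities named in the thread: membership is computed by the system
# when a token is built or an object is opened, and cannot be edited.
DYNAMIC = {"S-1-1-0": "Everyone", "S-1-5-1": "Dialup", "S-1-5-2": "Network",
           "S-1-5-4": "Interactive", "S-1-5-7": "Anonymous Logon",
           "S-1-5-11": "Authenticated Users", "S-1-5-13": "Terminal Server Users"}
# ACL placeholders that are swapped for a concrete SID at runtime.
PLACEHOLDER = {"S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group",
               "S-1-5-10": "Self"}
BUILTIN = {544: "Administrators", 545: "Users"}  # aliases under S-1-5-32


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID (as stored in ACEs and tokens) to its S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def classify(sid: str) -> tuple:
    """Return (category, name) for a trustee SID found in an ACL."""
    if sid in DYNAMIC:
        return ("special: dynamic membership", DYNAMIC[sid])
    if sid in PLACEHOLDER:
        return ("special: placeholder", PLACEHOLDER[sid])
    parts = sid.split("-")
    if sid.startswith("S-1-5-32-") and len(parts) == 5:
        return ("built-in local group", BUILTIN.get(int(parts[4]), "?"))
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        # RIDs below 1000 are predefined; created accounts/groups start at 1000.
        kind = "predefined" if int(parts[7]) < 1000 else "custom"
        return (kind + " account or group", "RID " + parts[7])
    return ("unclassified", sid)


# Constructed sample trustees: two binary SIDs and two string SIDs
# (the S-1-5-21 domain identifier values are made up).
SAMPLE = [parse_sid(bytes.fromhex("010200000000000520000000" "21020000")),
          parse_sid(bytes.fromhex("010100000000000100000000")),
          "S-1-5-21-1111111111-2222222222-3333333333-512",
          "S-1-5-21-1111111111-2222222222-3333333333-1104"]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, classify(s))
```

Entries classified as dynamic or placeholder are the ones that never show up in a group's member list, which is why an ACL review has to treat them separately from Users or any custom group.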