Re: Setting Audit Permissions Differently for Each User
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Sat, 30 Dec 2006 21:02:51 -0700
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:aJCdnelJEf8whgrYnZ2dnUVZ_t6qnZ2d@xxxxxxxxxxxxxxx
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OwHUSO%23KHHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
> > Hi Will,
> > Jesper is quite correct in his response.
> > You may be able to accomplish this objective more simply than
> > defining a group with all accounts except System however, if
> > your users are members of Users (or Domain Users and hence
> > of Users).
> > I notice that System does not have Users in its token but does
> > have Authenticated Users, Administrators, and Everyone.
>
> How do you enumerate the user groups that SYSTEM belongs to?

Same as with any other account, via one of a few ways; ex.
once logged in as the account, using whoami /all is most simple.

> > Now, for this to work, you would need to have Interactive and
> > Authenticated Users removed from Users (I routinely remove
> > Interactive and Authenticated Users from Users anyway).
> > So, if you just either made sure that each individual admin account
> > was member of Users (or Domain Users), or if you defined a group
> > that mirrored Administrators, and used these in place of Everyone
> > then you would not be auditing for System via those and could
> > avoid the duplications Jesper indicated.
>
> I've never been crazy about Authenticated Users as a concept as it embraces
> too many totally different things and just makes it harder to figure out
> what is or is not controlled in an ACL.
> Authenticated Users was one of the worst inventions ever
> to come along and change the NT permission landscape.

Actually it (to me) makes it easier to figure what is or is not
controlled by an ACL, since its use basically is saying (I do
not know specifics so I give and say any can). Its use as a
member in Users everywhere is a cop-out, pure and simple,
from the days when MS believed it sufficient and appropriate
to set things based solely upon the requirement that they would
work, like the old Everyone Full Control default on drive
partitions. In order to effect control over what is allowed
to whom one must go about erasing this (ex. client systems
in deployment allow only the set of users tasked to use that
group of machines).
(OK - I will moderate that critique slightly. The addition of
Authenticated Users was itself not bad, as it originated to allow
making grants that did not include anonymous accesses. It is
the only slightly later abuse of it by adding it to Users and by
making use of it directly in ACLs all over the place that
deserves the prior comment.)

> The only problem in your approach is you would need to think through what
> other kinds of access were previously covered by Authenticated Users and
> provide for those another way. For example, Domain Computers, Domain
> Controllers, Computers from Trusted domains, etc.

That is so for DCs.
For service point member servers or client systems I have
to remove those two in order to exert control over what
account can access the machine. If I break an access that
is fine, as that is the intent.

> It would sure be nice if Microsoft would publish a way to build a
> comprehensive list of all entities that might interact with a computer so
> we could control at that level when we want to.

The entity list is pretty simple.
If it is a DC every machine and user accesses it.
If it is not a DC, and there are none of the layered products on
it (i.e. Exchange, IIS, SMS, etc.), then no machine or domain user
must access it (none is required to in order to remain happy) so
back things down to no accesses and add the needed from there.
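An added example, written for this archive and not posted by Roger or Will: a PowerShell script that checks the three things the exchange above turns on. It runs whoami /groups as SYSTEM (via a one-shot scheduled task, since whoami only reports the token it runs under) to see that BUILTIN\Users is absent while Everyone and Authenticated Users are present, lists who is in the local Users group so you can tell whether INTERACTIVE and Authenticated Users still sit there, and reads a folder's SACL for audit entries granted to Everyone or Authenticated Users, which are the entries that audit SYSTEM by accident. It assumes a Windows host with PowerShell 5.1 or later and an elevated session; the task name, output path and audited folder are hypothetical placeholders.

```powershell
# Added example, not from the original thread. Assumes Windows, PowerShell 5.1+, and an
# elevated (local Administrators) session. Task name, output path and audited folder are
# hypothetical placeholders; adjust them for your host.

$TaskName  = 'EnumSystemToken'                    # hypothetical one-shot task name
$OutFile   = 'C:\Windows\Temp\system-token.csv'   # hypothetical output path (no spaces)
$AuditPath = 'C:\Data'                            # hypothetical folder carrying audit ACEs

# 1. Groups in SYSTEM's token: run "whoami /groups" as SYSTEM through a scheduled task
#    and read back the CSV it writes.
function Get-SystemTokenGroups {
    Remove-Item -Path $OutFile -ErrorAction SilentlyContinue
    schtasks /Create /TN $TaskName /RU SYSTEM /SC ONCE /ST 00:00 /F `
        /TR "cmd.exe /c whoami /groups /fo csv > $OutFile" | Out-Null
    schtasks /Run /TN $TaskName | Out-Null
    # Wait briefly for the task to write its output, then clean the task up.
    for ($i = 0; $i -lt 10 -and -not (Test-Path -Path $OutFile); $i++) { Start-Sleep -Seconds 1 }
    schtasks /Delete /TN $TaskName /F | Out-Null
    Import-Csv -Path $OutFile | Select-Object -ExpandProperty 'Group Name'
}

# 2. Members of the local Users group. Roger's scheme relies on INTERACTIVE and
#    Authenticated Users NOT being members; parse "net localgroup Users" to check.
function Get-LocalUsersGroupMembers {
    $raw   = net localgroup Users
    $dash  = $raw | Where-Object { $_ -like '----*' } | Select-Object -First 1
    $start = [Array]::IndexOf($raw, $dash) + 1
    $raw[$start..($raw.Count - 1)] |
        Where-Object { $_ -and $_ -notlike 'The command completed*' }
}

# 3. Audit ACEs (SACL entries) on a folder granted to catch-all identities. SYSTEM's
#    token carries Everyone and Authenticated Users, so these entries audit SYSTEM too.
function Get-CatchAllAuditEntries {
    param([string]$Path)
    $catchAll = @('Everyone', 'NT AUTHORITY\Authenticated Users')
    (Get-Acl -Path $Path -Audit).Audit |
        Where-Object { $catchAll -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

$systemGroups = Get-SystemTokenGroups
"SYSTEM token groups:"
$systemGroups
"SYSTEM token contains BUILTIN\Users: " + ($systemGroups -contains 'BUILTIN\Users')

"`nMembers of local Users:"
$usersMembers = Get-LocalUsersGroupMembers
$usersMembers
$stillThere = $usersMembers |
    Where-Object { $_ -in 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE' }
if ($stillThere) {
    "Still in Users (Roger removes these): $($stillThere -join ', ')"
    # The removal Roger describes. Left commented out: it drops access for every domain
    # user and computer that is not an explicit member of Users, which is Will's concern.
    # net localgroup Users "NT AUTHORITY\Authenticated Users" /delete
    # net localgroup Users "NT AUTHORITY\INTERACTIVE" /delete
}

if (Test-Path -Path $AuditPath) {
    "`nAudit ACEs on $AuditPath that also fire for SYSTEM:"
    Get-CatchAllAuditEntries -Path $AuditPath | Format-Table -AutoSize
}
```

Run it elevated; the first section needs the right to create a task running as SYSTEM, and reading a SACL with Get-Acl -Audit needs SeSecurityPrivilege, which an elevated administrator holds. If the last section lists entries for Everyone or Authenticated Users, those are the ones to replace with a group that mirrors Administrators (or with Users, once the two catch-all identities are out of it) so that SYSTEM's own activity stops showing up in the audit log.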
- Follow-Ups:
- References:
- Setting Audit Permissions Differently for Each User
- From: Will
- Re: Setting Audit Permissions Differently for Each User
- From: Roger Abell [MVP]
- Re: Setting Audit Permissions Differently for Each User
- From: Will
- Setting Audit Permissions Differently for Each User