Re: Setting Audit Permissions Differently for Each User



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OwHUSO%23KHHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
Hi Will,

Jesper is quite correct in his response.

You may be able to accomplish this objective more simply than
defining a group with all accounts except System, however, if
your users are members of Users (or Domain Users and hence
of Users).

I notice that System does not have Users in its token but does
have Authenticated Users, Administrators, and Everyone.

How do you enumerate the user groups that SYSTEM belongs to?


Now, for this to work, you would need to have Interactive and
Authenticated Users removed from Users (I routinely remove
Interactive and Authenticated Users from Users anyway).

So, if you just either made sure that each individual admin account
was member of Users (or Domain Users), or if you defined a group
that mirrored Administrators, and used these in place of Everyone
then you would not be auditing for System via those and could
avoid the duplications Jesper indicated.

I've never been crazy about Authenticated Users as a concept as it embraces
too many totally different things and just makes it harder to figure out
what is or is not controlled in an ACL.

The only problem in your approach is you would need to think through what
other kinds of access were previously covered by Authenticated Users and
provide for those another way. For example, Domain Computers, Domain
Controllers, Computers from Trusted domains, etc.

It would sure be nice if Microsoft would publish a way to build a
comprehensive list of all entities that might interact with a computer so we
could control at that level when we want to.

--
Will
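A way to check the two things this thread turns on, added here as an example and not code from either poster: the groups carried in a process token (a process can only read its own token, so to see SYSTEM's groups run the script as SYSTEM, for instance from a scheduled task configured to run as SYSTEM; `whoami /groups` prints the same list), and whether the local Users group still contains Interactive and Authenticated Users. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) for Get-LocalGroupMember.

```powershell
# Added example, not from the original thread.
# Well-known SIDs that the thread discusses.
$KnownSids = [ordered]@{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
}

# List every group SID in the calling process' token, with its resolved name
# where one exists. Run as SYSTEM to see SYSTEM's token.
function Get-TokenGroups {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($g in $id.Groups) {
        $name = $(try { $g.Translate([System.Security.Principal.NTAccount]).Value }
                  catch { '(unresolvable)' })
        [pscustomobject]@{ Sid = $g.Value; Name = $name }
    }
}

# Summarise which of the well-known principals above are present in the token;
# for SYSTEM the thread's observation is: Users absent, the other four present.
function Test-TokenWellKnownGroups {
    $present = @{}
    foreach ($g in (Get-TokenGroups)) { $present[$g.Sid] = $true }
    foreach ($sid in $KnownSids.Keys) {
        [pscustomobject]@{ Principal = $KnownSids[$sid]; Sid = $sid
                           InToken = [bool]$present[$sid] }
    }
}

# Report whether Interactive and Authenticated Users are still members of the
# local Users group (the thread's approach relies on removing both).
function Test-UsersGroupMembers {
    $members = Get-LocalGroupMember -Group 'Users' -ErrorAction Stop
    foreach ($sid in 'S-1-5-4', 'S-1-5-11') {
        $found = [bool]($members | Where-Object { $_.SID.Value -eq $sid })
        [pscustomobject]@{ Principal = $KnownSids[$sid]; Sid = $sid
                           InUsersGroup = $found }
    }
}

Test-TokenWellKnownGroups | Format-Table -AutoSize
Test-UsersGroupMembers    | Format-Table -AutoSize
```

Get-LocalGroupMember can fail on a group containing orphaned SIDs; `net localgroup Users` shows the same membership if that happens.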




