Re: I need a permission GURU!

From: nuckingfutsguy (nuckingfutsguy@hotmail.com)
Date: 10/16/02 

From: "nuckingfutsguy" <nuckingfutsguy@hotmail.com>
Date: Tue, 15 Oct 2002 17:09:34 -0500

I have modified the members of the users group. I have left only the limited
accounts and have removed the NT AUTHORITY\Authenticated Users. Its still
locking administrators out. Is there another way to modify group members
besides the computer management snap in?

"David Jones" <kk7gw@yahoo.com> wrote in message
news:317c01c27493$0e050620$37ef2ecf@TKMSFTNGXA13...
> Users by default has NT AUTHORITY\Authenticated Users
> (or everyone with a user account on the box when not
> dealing with domains etc) as a member.
> So yes, the Administrator and Power Users would fall
> under that.
>
> Hence you're specifically putting a Deny ACE on the
> resource, so when an Administrator hits it, the access
> check sees the deny and locks it out (Deny ACE's override
> everything else).
>
> You can modify the Users group membership to fit your own
> needs.
>
> >-----Original Message-----
> >Ok, my question is:
> >Are ALL users on the PC, (everyone that has some type of
> user acount
> >created, including administrators and power users)
> considered part of the
> >"users" group?
> >
> >I use two computers, one has XPHE and one XPPro. When I
> set deny permissions
> >on a file or folder in either OS to lock out members of
> the "users" group,
> >it also locks the administrator out and anyone in the
> administrator group.
> >
> >However, when I add the specific user account and set a
> deny permission on
> >that one user, it works fine.
> >
> >Its as if all accounts fall under the "users" group. I
> have made sure that
> >the accounts are only members of one group, either a
> user or administrator.
> >
> >Am I missing something simple here? Its my understanding
> that only users
> >with limited accounts fall under the "users" group.
> >
> >
> >
> >.
> >

Relevant Pages

  • I need a permission GURU!
    ... the Administrator and Power Users would fall ... Hence you're specifically putting a Deny ACE on the ... >on a file or folder in either OS to lock out members of ... >Its as if all accounts fall under the "users" group. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: I need a permission GURU!
    ... > accounts, and that group is the only group you've denied ... Then use the Deny ACE ... >>I have modified the members of the users group. ... >>> resource, so when an Administrator hits it, the access ...
    (microsoft.public.windowsxp.security_admin)
  • Re: I need a permission GURU!
    ... If the only members of the group are limited user ... Why not just create a new group, and stick the accounts ... Then use the Deny ACE ... >> resource, so when an Administrator hits it, the access ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Local admin accounts gone haywire
    ... builtin/administrators and made the administrator and domain admins ... members of the group. ... domain policy would overwrite a policy further in the domain tree. ... Cannot find Power Users. ...
    (microsoft.public.win2000.group_policy)
  • Re: Security Group Keeps getting removed???
    ... group I am adding are NOT members of Domain admins, ... ACL on all security principals (users, groups, and machine accounts) ... Description and Update of the Active Directory AdminSDHolder Object ... AdminSDHolder Object Affects Delegation of Control for Past Administrator ...
    (microsoft.public.windows.server.active_directory)