Re: Administrators are treated as Users for file permissions

From: Roger Abell (MVPNoSpam@asu.edu)
Date: 02/23/03


none@none.none (Qui-Gon Jinn) wrote in news:3e581669.7636941@news1.sympatico.ca:

> I have WinXP Pro, using NTFS and simple file sharing turned off. I
> want to set permissions that prevent users that are part of the Users
> group from accessing a folder. I've clicked Deny for all permissions
> for the Users group. The problem is, after doing that, even the
> administrators can't access the folder. At first, I thought it was
> because my admin account was a member of Users (XP by default made it
> like that). So I removed the Member Of Users entry from my admin
> account. But my admin still doesn't have access.
>
> I looked at the Users group properties; its members lists
> "Authenticated Users" and "Interactive". Am I right in assuming that
> "Authenticated Users" includes admins? So do I need to create a new
> group called "Restricted Users" and assign all the users to that
> group?
>
> BTW, I checked the Effective Permissions for my admin account on that
> folder; it says I have full control but I still can't access it.
>
> I've checked on Google groups but didn't find anything related; the
> Knowledge Base was equally unhelpful. I'd really appreciate it if
> someone can help me. Thanks.
>
> Please post your replies to the group - I want all useful replies to
> be available to everyone.
>
>

After changing the groups in which an account is a member
it is necessary to log off and in for the changes to be
reflected in that changed account.

You might be better off not using Deny to Users but instead
just removing all grants made to the Users group. This will
have the same effect but be much more simple.

For an account that is used to log in locally to not be a
member of the Users group one must remove both INTERACTIVE
and Authenticated Users from Users. Doing this has some
implications - one sometimes needs to explicitly add some
accounts into Users to make up for their lost membership
from removing these two from Users. It is more simple in
your situation to just not grant anything to Users.

-- 
Roger Abell
MS MVP (Windows Security)
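
A simplified model of the behaviour discussed in this thread, added here as an example and not part of the original posts: it expands group membership into a logon token and walks an ACL in order, to show why a Deny on Users also blocks an administrator while simply granting nothing to Users does not. The account names admin1 and user1, the function names and the sample ACLs are constructed for illustration.

```python
# Simplified model of logon-token expansion and ACL evaluation on Windows.
# Group names follow the thread; accounts "admin1"/"user1" are constructed.
READ = 0x1

# Local group -> members. admin1 has already been removed from Users directly,
# but Users still contains the two identities named in the thread.
LOCAL_GROUPS = {
    "Administrators": {"admin1"},
    "Users": {"Authenticated Users", "INTERACTIVE"},
}

def build_token(account, local_groups, interactive=True):
    """Return the identities in the token, computed once at logon."""
    sids = {account, "Authenticated Users"}
    if interactive:
        sids.add("INTERACTIVE")
    changed = True
    while changed:  # expand nested membership until nothing new is added
        changed = False
        for group, members in local_groups.items():
            if group not in sids and sids & members:
                sids.add(group)
                changed = True
    return sids

def access_check(token, dacl, desired):
    """Walk ACEs in order; a Deny on a still-needed right ends the check."""
    remaining = desired
    for ace_type, trustee, mask in dacl:
        if trustee not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False  # right never granted: implicit deny

# Constructed ACLs for the folder, Deny entries first (canonical order).
DACL_DENY_USERS = [("deny", "Users", READ), ("allow", "Administrators", READ)]
DACL_NO_USERS_GRANT = [("allow", "Administrators", READ)]

if __name__ == "__main__":
    for name in ("admin1", "user1"):
        token = build_token(name, LOCAL_GROUPS)
        print(name, "in Users:", "Users" in token,
              "| deny ACL:", access_check(token, DACL_DENY_USERS, READ),
              "| no-grant ACL:", access_check(token, DACL_NO_USERS_GRANT, READ))
```

Because the token is built once at logon in this model, a group change only shows up after `build_token` is called again, which corresponds to logging off and back on.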

