Re: Administrators are treated as Users for file permissions
From: Roger Abell (MVPNoSpam@asu.edu)
Date: 02/24/03
- Next message: Mike Brannigan [MSFT]: "Re: Login to domain andd workgroup"
- Previous message: Michael: "Msn mail"
- In reply to: Qui-Gon Jinn: "Re: Administrators are treated as Users for file permissions"
- Next in thread: Qui-Gon Jinn: "Re: Administrators are treated as Users for file permissions"
- Reply: Qui-Gon Jinn: "Re: Administrators are treated as Users for file permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Roger Abell <MVPNoSpam@asu.edu> Date: Mon, 24 Feb 2003 00:48:02 -0800
none@none.none (Qui-Gon Jinn) wrote in news:3e5965f2.29403259
@news1.sympatico.ca:
> A long time ago, on a computer far, far away... Roger Abell
> <MVPNoSpam@asu.edu> wrote:
>
> Thanks for your reply.
>
>>After changing the groups in which an account is a member
>>it is necessary to log off and in for the changes to be
>>reflected in that changed account.
>
> I did that already but it still can't access a folder that's Denied to
> all Users.
>
Then if it does have a grant it must directly or indirectly
be in Users (as with Authenticated Users and INTERACTIVE) for
the grant to overridden.
>>You might be better of not using Deny to Users but instead
>>just remove all grants made to the Users group. This will
>>have the same effect but be much more simple.
>
> That means unchecking all the "Allow" permissions? Three of the
> checkboxes are disabled for the Users group. (Read & Execute, List
> folder contents, Read)
>
Yes, removing all granting checkmarks removes all access.
Sometimes one must stop inheritance to do this, and when
offered to copy the permissions it is most common to say
yes and then remove only what one needs no longer granted.
>>For an account that is used to log in locally to not be a
>>member of the Users group one must remove both INTERACTIVE
>>and Authenticated Users from Users. Doing this has some
>>implications - one sometimes need to explicitly add some
>>accounts into Users to make up for their lost membership
>>from removing these two from Users. It is more simple in
>>your situation to just not grant anything to Users.
>
> I think I might just add a new group that I can control separately. My
> Power Users group can be controlled separately, so I might use
> something like that.
>
Yes, use of custom groups is a standard practice and useful.
> Thanks for your help.
>
>
No problem Qui-Gon Jinn
-- Roger Abell MS MVP (Windows Security)
- Next message: Mike Brannigan [MSFT]: "Re: Login to domain andd workgroup"
- Previous message: Michael: "Msn mail"
- In reply to: Qui-Gon Jinn: "Re: Administrators are treated as Users for file permissions"
- Next in thread: Qui-Gon Jinn: "Re: Administrators are treated as Users for file permissions"
- Reply: Qui-Gon Jinn: "Re: Administrators are treated as Users for file permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
