Re: WinXP Pro "Users" Group Restrictions Affect Administrator Accounts

From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 10/04/03


Date: Fri, 3 Oct 2003 23:13:32 -0400

http://support.microsoft.com/?id=293655

-- 
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Associate Expert
ExpertZone - http://www.microsoft.com/windowsxp/expertzone
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
<SRW> wrote in message news:1lgrnv0ubsuq16siaflhrhvc91bgi5ejqn@4ax.com...
> Hi folks:
>
> I'm running WinXP Pro in a workgroup environment (no domain server)
> with simple file sharing turned off (i.e. using the "old" NT4 and
> Win2K file security).  All my drives are NTFS.  I usually just run my
> stuff under an account with administrator privileges, but I run
> programs that access the Internet (e.g.  IE, Outlook, etc.) under a
> userid that's only part of the Users group.  Someone created a version
> of "runas" that lets you put in the password on the command line
> rather than being prompted for it, so it's not too hard to change file
> associations and desktop icons to point to a ".cmd" file that runs IE,
> Outlook, news reader, and their associated file types with a separate
> userid from the one you are logged on with.
>
> I wanted to protect a couple of directories where I keep things like
> passwords and financial information from the userid running under the
> Users group just in case some kind of snoopware program got invoked
> via IE or Outlook and went searching through my hard drives.  By
> default I had the Users group set up with generic read authority for
> all the drives, and write authority for just its own documents and
> settings folder (this was by individual userid as set up by WinXP
> versus the Users group as a whole), its temp variable folder, the
> place where the outlook data file was, and the folder I use to
> download files from the Internet.
>
> I went to the folder that had the financial stuff and put a "Deny"
> entry on it for the Users group by checking the deny full control box,
> which put checkmarks all the way down the column.  After doing that I
> clicked the advanced button and looked at the permissions and it
> showed all the regular permissions inherited from the top of the
> drive tree and the "Deny" permission for group Users as not
> inherited, which all looked fine.  However, after doing that I found
> out that I could no longer access the directory from my account with
> administrators privileges either.  I verified that my administrators
> account was not part of the Users group (the account I use is not the
> built in administrator's account, but another one I created).  I can't
> figure out why my administrator level account gets locked out when I
> disallow access by the Users group, unless the Users group is really a
> built-in security principal group like Authenticated Users, SYSTEM,
> Everyone, and that any accounts you create are automatically part of
> the Users group even though it doesn't show up that way when you look
> at which groups you belong to.  Can anyone confirm or deny that this
> is the case?
>
> I ended up solving my problem by just removing the Users group from
> the folder I wanted protected, but this required that I change to
> folder to not inherit any security properties from higher in the drive
> tree, and set each of the permissions on the folder manually.  I'd
> rather have it set where it inherits the security from above and the
> only "extra" permission I have is one to explicitly deny the group
> Users.
>
> Thanks for your assistance.
>
> Scott
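
Added example, not part of either post: a simplified Python model of how a DACL is evaluated against an access token, applied to the three folder configurations described in the question (inherited permissions only, inherited plus an explicit Deny for Users, and inheritance off with Users removed). The account names `PC\scottadmin` and `PC\websurf` and the group table are constructed; the membership of INTERACTIVE and Authenticated Users in the local Users group is assumed to be the XP Professional workgroup default and can be checked with `net localgroup Users`.

```python
# Simplified model of a Windows DACL access check (constructed data throughout).
from dataclasses import dataclass

FULL = 0x1F01FF   # FILE_ALL_ACCESS
READ = 0x120089   # FILE_GENERIC_READ

# Assumed local group table; PC\scottadmin and PC\websurf are hypothetical accounts.
LOCAL_GROUPS = {
    "BUILTIN\\Administrators": {"PC\\scottadmin"},
    "BUILTIN\\Users": {"PC\\websurf", "NT AUTHORITY\\INTERACTIVE",
                       "NT AUTHORITY\\Authenticated Users"},
}

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    sid: str
    mask: int
    inherited: bool = False

def build_token(account):
    """SIDs in the token of an interactive logon, including indirect group membership."""
    sids = {account, "Everyone", "NT AUTHORITY\\INTERACTIVE",
            "NT AUTHORITY\\Authenticated Users"}
    sids |= {g for g, members in LOCAL_GROUPS.items() if members & sids}
    return sids

def access_check(token, dacl, desired):
    """Walk ACEs in canonical order; a matching deny on a still-needed bit fails at once."""
    ordered = sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))
    remaining = desired
    for ace in ordered:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

INHERITED = [Ace("allow", "BUILTIN\\Administrators", FULL, True),
             Ace("allow", "BUILTIN\\Users", READ, True)]
WITH_DENY = INHERITED + [Ace("deny", "BUILTIN\\Users", FULL)]   # the explicit Deny entry
NO_USERS = [Ace("allow", "BUILTIN\\Administrators", FULL)]      # inheritance off, Users removed

if __name__ == "__main__":
    for name in ("PC\\scottadmin", "PC\\websurf"):
        tok = build_token(name)
        print(name, [access_check(tok, d, READ) for d in (INHERITED, WITH_DENY, NO_USERS)])
```

On a real machine, `whoami /groups` (where available) lists the SIDs actually present in the logged-on token, which is what the access check consults rather than the account's direct group memberships.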