Re: Permissions

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/23/03 

Date: Sun, 23 Nov 2003 10:18:17 -0700

replies inlined 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Ann" <anonymous@discussions.microsoft.com> wrote in message
news:02c101c3b07d$cf16bbc0$a501280a@phx.gbl...
> I'm trying to set up a workgroup windows xp professional
> workstation security.
>
> I have two questions.
>
> 1. in some ms articles, they mentioned 'everyone' account.
> Why I cannot see it in my users and groups?
>
Everyone is a built-in that is not shown in the
lusermgr.mcs (and similar) lists of users and groups.
However, when one looks at the combined list of
what one can add to an access control list when
using a security editor dialog it will be listed there.
It does not make sense (apparently) to show it in the
lists used to manage users and groups, since it cannot
be deleted, it cannot have its membership altered, and
it cannot be added into a group as a member.
> 2. I set up a group called ftpusers, and a user called
> for example John. I add this user to the ftpusers group.
>
> Then I go to a directory and set the NTFS permission,add
> ftpusers to the list, but when I go to effective
> permission and select John, no permissions have been
> checked. I suppose if I added the group ftpusers, the
> member of the group should have same permissions. But it
> seems not.
>
Effective permissions does not walk the memberships of
groups and list out permissions of an account based on the
groups the account is within.  It shows the net effect of all
explicit and/or implicit (inherited) grants to a group or an
account for the object, leaving it up to you to understand
the importance of grants made to groups.  (This is a performance
optimization.  Especially when in an Active Directory forest,
answering the question "what all groups is account X within"
is actually quite non-trivial and requires making queries at each
domain in the forest, and following this, following the rules for
nesting of groups finding all groups in which a group that has
the account as a member, again potentially at each domain, etc.
until closure is reached with no new groups being found.  It is
only with such a list that it would then be possible to show the
effective permissions of an account in the manner you were
expecting.)
> Any ideas about it?
>
> Thanks for any suggestions
>
>
>

Relevant Pages

  • Re: Permissions
    ... >lusermgr.mcs lists of users and groups. ... >> member of the group should have same permissions. ... >groups and list out permissions of an account based on ...
    (microsoft.public.windowsxp.security_admin)
  • Re: VPN File and Folder Permissions
    ... MS-MVP Windows XP/ Windows Smart Display ... Every user account can belong to ... >>choosing "Permissions" on the share dialog. ... >>>groups or folder permission lists) seems to have full ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Administrators are treated as Users for file permissions
    ... I've clicked Deny for all permissions ... > because my admin account was a member of Users (XP by default made it ... So I removed the Member Of Users entry from my admin ...
    (microsoft.public.windowsxp.security_admin)
  • Re: connecting to a winxp box
    ... as long as he gives the user account the necessary ... Ok now at the bottom right corner of the window there is a button called ... "Permissions" click it ... There are two boxes in this window the top box lists current users, ...
    (Fedora)
  • Re: Unlock acct permissions
    ... account unlock permission for an OU by making them a member of a security ... How do I get DSACLS to run on a specific account? ... The permissions in the security do not seem to ... The correct permissions are on the security group, ...
    (microsoft.public.win2000.active_directory)