Re: Permissions

From: Ann (anonymous_at_discussions.microsoft.com)
Date: 11/24/03 

Date: Mon, 24 Nov 2003 08:57:42 -0800

Thank you very much for detailed explanation
>-----Original Message-----
>replies inlined
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Ann" <anonymous@discussions.microsoft.com> wrote in
message
>news:02c101c3b07d$cf16bbc0$a501280a@phx.gbl...
>> I'm trying to set up a workgroup windows xp
professional
>> workstation security.
>>
>> I have two questions.
>>
>> 1. in some ms articles, they mentioned 'everyone'
account.
>> Why I cannot see it in my users and groups?
>>
>
>Everyone is a built-in that is not shown in the
>lusermgr.mcs (and similar) lists of users and groups.
>However, when one looks at the combined list of
>what one can add to an access control list when
>using a security editor dialog it will be listed there.
>It does not make sense (apparently) to show it in the
>lists used to manage users and groups, since it cannot
>be deleted, it cannot have its membership altered, and
>it cannot be added into a group as a member.
>
>> 2. I set up a group called ftpusers, and a user called
>> for example John. I add this user to the ftpusers
group.
>>
>> Then I go to a directory and set the NTFS
permission,add
>> ftpusers to the list, but when I go to effective
>> permission and select John, no permissions have been
>> checked. I suppose if I added the group ftpusers, the
>> member of the group should have same permissions. But
it
>> seems not.
>>
>
>Effective permissions does not walk the memberships of
>groups and list out permissions of an account based on
the
>groups the account is within. It shows the net effect
of all
>explicit and/or implicit (inherited) grants to a group
or an
>account for the object, leaving it up to you to
understand
>the importance of grants made to groups. (This is a
performance
>optimization. Especially when in an Active Directory
forest,
>answering the question "what all groups is account X
within"
>is actually quite non-trivial and requires making
queries at each
>domain in the forest, and following this, following the
rules for
>nesting of groups finding all groups in which a group
that has
>the account as a member, again potentially at each
domain, etc.
>until closure is reached with no new groups being
found. It is
>only with such a list that it would then be possible to
show the
>effective permissions of an account in the manner you
were
>expecting.)
>
>> Any ideas about it?
>>
>> Thanks for any suggestions
>>
>>
>>
>
>
>.
>

Relevant Pages

  • Re: Permissions
    ... in some ms articles, they mentioned 'everyone' account. ... lusermgr.mcs lists of users and groups. ... > member of the group should have same permissions. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: VPN File and Folder Permissions
    ... MS-MVP Windows XP/ Windows Smart Display ... Every user account can belong to ... >>choosing "Permissions" on the share dialog. ... >>>groups or folder permission lists) seems to have full ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Administrators are treated as Users for file permissions
    ... I've clicked Deny for all permissions ... > because my admin account was a member of Users (XP by default made it ... So I removed the Member Of Users entry from my admin ...
    (microsoft.public.windowsxp.security_admin)
  • Re: connecting to a winxp box
    ... as long as he gives the user account the necessary ... Ok now at the bottom right corner of the window there is a button called ... "Permissions" click it ... There are two boxes in this window the top box lists current users, ...
    (Fedora)
  • Re: Unlock acct permissions
    ... account unlock permission for an OU by making them a member of a security ... How do I get DSACLS to run on a specific account? ... The permissions in the security do not seem to ... The correct permissions are on the security group, ...
    (microsoft.public.win2000.active_directory)