Re: XP Pro. Group Member permission question.

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 01/03/04 

Date: Sat, 3 Jan 2004 10:27:31 -0700

Let us assume that there are no Deny ACEs in the
NTFS security, or if so, they do not affect the account.

By chance is the account where access is not being
effective the same as the one you are using to define
the custom group and grant the access ?

For new group memberships to be seen and used,
the account must be cycled through logoff/login.

Otherwise, all that should be involved for local (not
network share) access is:
account in custom group
custom group grants NTFS access
account, and no group of which it is member, is
   not denied in the NTFS grants 

-- 
Roger
"Charlie Chong" <anonymous@discussions.microsoft.com> wrote in message
news:072101c3d21a$c8699090$a601280a@phx.gbl...
> Well I believe I have granted NTFS persmissions (FULL) to
> the custom group.  I performed this using the security
> tab dialog, when one looks at the properties of an object
> in explorer.
>
> Am I missing something here?
>
> >-----Original Message-----
> >You seem to understand the idea behind custom groups,
> >but you are not catching the distinction between
> ownership
> >and permissions in NTFS.  The Owner does not
> automatically
> >get any permissions except for the permission to change
> the
> >permission grants.  The custom group must still be
> granted
> >NTFS permissions, such as read/execute in your notepad
> >group example.  Also, a member in the custom group must
> >not be denied (as compared to a grant permission)
> read/execute
> >(or any grant that includes read/execute, such as full
> control)
> >whether the denial is directly for that account or for
> any group
> >in which the account is a member.
> >
> >
> >"Charlie Chong" <anonymous@discussions.microsoft.com>
> wrote in message
> >news:063701c3d1c1$17101890$a101280a@phx.gbl...
> >> Maybe I did not explain the scenareo clear.
> >>
> >> Here is what I tried to do:
> >>
> >> I wanted to create a group for every application on the
> >> system.  For example:
> >>
> >> take notepad.exe for example:
> >>
> >> So I create a group called notepad, and add all of the
> >> users to this group, who are allowed to access the
> >> program called notepad.exe.
> >>
> >> Then, I change the ownership of this program to the
> group
> >> called notepad. (assuming that all users in this group
> >> will be able to execute/read etc....)
> >>
> >> However, I find that when I do this, only one user in
> the
> >> group can execute the program, and it is the user I
> >> logged in as when I created the group.
> >>
> >> It is very strange, as the whole priniple behind
> groups,
> >> is to group users and associate permissions to the
> group.
> >>
> >> Anyway, I must be missing something.
> >>
> >>
> >>
> >>
> >> >-----Original Message-----
> >> >somewhere there are obviously more restrictive
> >> permissions.  did you assign permissions to a shared
> >> folder perhaps?  even if you give full access on a
> share,
> >> the actual directory will still restrict access.
> >> >
> >> >     ----- Charlie Chong wrote: -----
> >> >
> >> >     I created a group.  Installed 2 members in the
> >> group.
> >> >
> >> >     Assigned full permissions on directory tree for
> an
> >> >     application, and assigned the owner of the
> >> directory tree
> >> >     to this new group.
> >> >
> >> >     But only one of the groups members can execute
> and
> >> read
> >> >     the application that resides in this directory
> tree.
> >> >
> >> >
> >> >     Why?
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >

Relevant Pages

  • Re: Why does Everyone have Full Control of everthing?
    ... Analysis snap-in to apply the Setup Security template to my machine, ... Perhaps I should have only applied the file permissions ... using the personal account created at setup. ... >list of default NTFS permissions for Windows 2000. ...
    (microsoft.public.windowsxp.general)
  • Re: impersonation and ado access connection
    ... To rule out NTFS issues, I went so far as to give EVERYONE full control ... (with replace permissions on all child objects) ... I am implementing impersonation in my machine.config for IIS application Isolation of the ASPNET worker process. ... I am giving the new account the same permissions to files and folders that the aspnet account had. ...
    (microsoft.public.windows.server.security)
  • Re: impersonation and ado access connection
    ... To rule out NTFS issues, I went so far as to give EVERYONE full control ... (with replace permissions on all child objects) ... I am implementing impersonation in my machine.config for IIS application Isolation of the ASPNET worker process. ... I am giving the new account the same permissions to files and folders that the aspnet account had. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: XP Security
    ... There are permissions on the share controlling what ... Also, when NTFS grants more than the share grant, ... Home can only be in Simple sharing mode. ... account for purposes of checking the NTFS grants. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: XP Pro. Group Member permission question.
    ... Well I believe I have granted NTFS persmissions to ... >get any permissions except for the permission to change ... The custom group must still be ...
    (microsoft.public.windowsxp.security_admin)