Re: Office 2003 Setup

From: Leythos (void_at_nowhere.lan)
Date: 01/19/05 

Date: Wed, 19 Jan 2005 13:45:45 GMT

In article <C24C7564-A3E0-41C8-976A-8F4252B7A923@microsoft.com>,
Popeye@discussions.microsoft.com says...
> Hello (again!)
>
> I just tried what you suggested and it all went well until I looked at the
> Security Properties of Outlook.exe. Those allowed now are:
>
> Administrators
> MS_OUTLOOK_USERS
> Power Users
> System
> Users
>
> I assume that the final group allows anyone (except the Guest Account) so I
> tried to remove it. It warned me that it was inheriting permissions from
> it's parent. It said to turn off the option for inheriting permissions and
> then try again.
>
> I hilighted <Users> and looked at Advanced features, in the hope that this
> would show me what the parent was but it didn't! I don't know how to find
> this out or how to turn the option off. More importantly, I need to know how
> to get things back to as they are now, should I make a mistake!
>
> Needless to say, the denial of access to Outlook didn't work. I added two
> new user accounts, only one of which I included in the MS_OUTLOOK_USERS
> group. I logged on as the one denied access and I was allowed access to
> Outlook.
>
> Can you give me some more guidance please?

In your next post you decided to use the DENY route for individual
users, which is a viable method, but it's not a good method. Permissions
at the file level should be assigned to GROUPS and not individuals - it
makes managing them easier. While Deny does override the allow, it's not
how most of us would have done it.

You needed to remove "Power Users" and "Users" from the security
settings - and yes, you have to disable inheritance and then COPY the
permissions, then go back and remove the ones you don't want. You should
have ended up with Administrators, MS_OUTLOOK_USERS, and SYSTEM as the
only two groups in the security tab.

You could have also done a DENY group - meaning that you could have
added the group DENY_MS_OUTLOOK_USERS to the security settings and
selected DENY and then added your users that you didn't want to have
access to it into the group. 

-- 
-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)

Relevant Pages

  • Re: "Deny" permissions keep getting lost?
    ... Enable auditing on those files, and/or the containing folder, so ... As you state that you placed an explicit deny on each file, ... Security) ... > used as a file server on a small network. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: How to get full access to all contents?
    ... Security) ... > How to become sure that there is no Deny for any group. ... The file is EFS ... > "Roger Abell" wrote in message ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Gpedit.msc
    ... log off and back in with an admin account. ... again access the Security dialog ... of the same GroupPolicy folder and remove the Deny ... > "Ace" wrote in message ...
    (microsoft.public.windowsxp.security_admin)
  • Re: restrict read access
    ... Check to see if the objects are inheriting the parent ou's security. ... What ou did you deny? ... >>> account) and stores in an interna database. ... >>> we would like to restrict that to an special OU. ...
    (microsoft.public.win2000.active_directory)
  • Re: Deny specific user
    ... of our server's 'c' drive this would basically deny access to this ... Further, even if everything on C: did inherit from the root, and so ... An explicit deny overrules any grant, which is effective for the object ... if anything inheriting permissions from where you place the deny ...
    (microsoft.public.win2000.security)