
Is every user a member of Users?

Anonymous
January 4, 2005 2:42:18 AM

Archived from groups: microsoft.public.win2000.security (More info?)

After trying to secure a stand alone PC I have come to the conclusion
that a user that is not a member of group Users, is nevertheless
implicitly part of that group.

Am I correct?
--
Les Desser
(The Reply-to address IS valid)


Anonymous
January 4, 2005 2:42:19 AM

The membership in the Users group is only exactly what
is shown when you view it.
Now, in a default scenario you will see that Interactive
and Authenticated Users are nested within Users.
Due to these any account that logs in locally or any account
that is authenticated (respectively) will become a Users
member during that login/usage.
These groups do not have to be nested within Users, but
when removed one does need to understand what they have
been enabling so that the parts of that which are needed can
be provided.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:cDBxg5Aahd2BFANf@dessergroup.onetel.co.uk...
> After trying to secure a stand alone PC I have come to the conclusion
> that a user that is not a member of group Users, is nevertheless
> implicitly part of that group.
>
> Am I correct?
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 4, 2005 4:14:05 AM

Yes. Anyone who logs on locally for instance is a member of the
authenticated users group which is a member of the users group. Use
"net localgroup users" to see that and use the gpresult support tool to see
all the groups that a user is a member of. Always be extremely careful
when configuring deny user rights when adding the users or everyone groups.
Exactly what are you trying to secure? --- Steve



"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:cDBxg5Aahd2BFANf@dessergroup.onetel.co.uk...
> After trying to secure a stand alone PC I have come to the conclusion that
> a user that is not a member of group Users, is nevertheless implicitly
> part of that group.
>
> Am I correct?
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 4, 2005 4:44:00 AM

In article <x5mCd.20234$wu4.14984@attbi_s52>, Steven L Umbach
<n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 01:14:05 writes

>Yes. Anyone who logs on locally for instance is a member of the
>authenticated users group which is a member of the users group. Use the
>" net localgroup users " to see that and use the gpresult support tool
>to see all the groups that a user is a member of.

At least that makes a bit more sense - see below

> Always be extremely careful when configuring deny user rights when
>adding the users or everyone groups. Exactly what are you trying to
>secure?

I was trying to secure a stand alone W2K Pro PC so that a guest could
browse the web and play some mp3 files but nothing else.

I created a Visitors group and a Visitor user to be its member (rather
than using Guests/Guest) and Visitor was not a member of Users and
nevertheless Visitor could go anywhere until I removed all permissions
for Users.

I cannot understand having such a security model where Users/User exist
and are granted permissions by default, but if membership of Users is
removed from a user it is STILL a member of Users.

If Users is something special then it should not be possible to assign a
user explicitly to the Users group - something that is done all over the
place by default.

You live and learn - thanks for the quick response. I see bringing
knowledge of a security model from elsewhere to Windows may be
dangerous.

I will pass your response on grc.techtalk where I have come from to get
this sorted.

Thanks again.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 4, 2005 6:32:31 AM

The fact that a user can not be removed from the user group is probably to
prevent denial of service attacks against the operating system similar in a
way that the built in administrator account can not be removed from the
local administrators group.

If you wish to restrict a user add that user to a group and then use
ntfs/registry permissions, user rights, and Group Policy to restrict the
user. It is more difficult to use Group Policy to lockdown a user/group on a
stand alone computer though as by default Group Policy applies to all local
users, though there are hacks that can change that to exempt local users from
Group Policy. For instance you may be able to use Local Group Policy -
gpedit.msc and restrict the user via user configuration/administrative
tools/system where you can configure the setting for allowed Windows
applications. If left blank the user will only be able to logon to the
operating system and nothing else until you populate the allowed application
list which may be harder than expected as some applications depend on other
executables to run though filemon from SysInternals would be very helpful in
sorting that out. The guest account in Windows 2000 also will not save the
guest user profile when the guest logs off. --- Steve

http://www.jsiinc.com/sube/tip2400/rh2492.htm -- filtering local Group
Policy.

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:yhvaIKBgTf2BFArC@dessergroup.onetel.co.uk...
> In article <x5mCd.20234$wu4.14984@attbi_s52>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 01:14:05 writes
>
>>Yes. Anyone who logs on locally for instance is a member of the
>>authenticated users group which is a member of the users group. Use the "
>>net localgroup users " to see that and use the gpresult support tool to
>>see all the groups that a user is a member of.
>
> At least that makes a bit more sense - see below
>
>> Always be extremely careful when configuring deny user rights when
>> adding the users or everyone groups. Exactly what are you trying to
>> secure?
>
> I was trying to secure a stand alone W2K Pro PC so that a guest could
> browse the web and play some mp3 files but nothing else.
>
> I created a Visitors group and a Visitor user to be its member (rather
> than using Guests/Guest) and Visitor was not a member of Users and
> nevertheless Visitor could go anywhere until I removed all permissions for
> Users.
>
> I cannot understand having such a security model where Users/User exist
> and are granted permissions by default, but if membership of Users is
> removed from a user it is STILL a member of Users.
>
> If Users is something special then it should not be possible to assign a
> user explicitly to the Users group - something that is done all over the
> place by default.
>
> You live and learn - thanks for the quick response. I see bringing
> knowledge of a security model from elsewhere to Windows may be dangerous.
>
> I will pass your response on grc.techtalk where I have come from to get
> this sorted.
>
> Thanks again.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 4, 2005 6:32:32 AM

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:e7oCd.275281$5K2.222729@attbi_s03...
> The fact that a user can not be removed from the user group is probably to
> prevent denial of service attacks against the operating system similar in a
> way that the built in administrator account can not be removed from the
> local administrators group.

Actually not all users are members of the Users group
and this is NOT a "special group" so any user not
a member of the group is not added dynamically.

Such groups include Everyone, Authenticated Users,
Interactive etc.

As Roger says, what you see is what you get EXCEPT
if one of these automatic (or a Global) group is a member
in which case you get all the (current) members of the
included group(s).

Users are added to Users automatically on creation
BY DEFAULT but it can be avoided with certain tools.

For instance the IIS anonymous group is added to Guests
instead.

You cannot remove someone from Users unless you first
get their "default group" (which is mostly for Macintosh
support) changed to another group, so this also means that
users must be a member of at least one group.
Anonymous
January 4, 2005 6:32:33 AM

"Herb Martin" <news@LearnQuick.com> wrote in message
news:uTnGE8h8EHA.3012@TK2MSFTNGP09.phx.gbl...
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:e7oCd.275281$5K2.222729@attbi_s03...
> > The fact that a user can not be removed from the user group is probably to
> > prevent denial of service attacks against the operating system similar in a
> > way that the built in administrator account can not be removed from the
> > local administrators group.
>
> Actually not all users are members of the Users group
> and this is NOT a "special group" so any user not
> a member of the group is not added dynamically.
>
> Such groups include Everyone, Authenticated Users,
> Interactive etc.
>
> As Roger says, what you see is what you get EXCEPT
> if one of these automatic (or a Global) group is a member
> in which case you get all the (current) members of the
> included group(s).
>
> Users are added to Users automatically on creation
> BY DEFAULT but it can be avoided with certain tools.
>
> For instance the IIS anonymous group is added to Guests
> instead.
>
> You cannot remove someone from Users unless you first
> get their "default group" (which is mostly for Macintosh
> support) changed to another group, so this also means that
> users must be a member of at least one group.
>


. . . for which purpose I sometimes define a Dummy group
that is not used anywhere, except to have accounts' Primary
Group set to Dummy so that they may be removed from their
default (at creation) Primary Group.

Generally I have found that if an account is to be used for
local logon (whether with keyboard or just by logon type)
then that account needs to be in Users (hence INTERACTIVE
being in Users is useful). However, the same does not hold
if the account is only going to make use of network logins.

--
Roger Abell
Anonymous
January 4, 2005 2:50:38 PM

In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes

>The membership in the Users group is only exactly what is shown when
>you view it. Now, in a default scenario you will see that Interactive
>and Authenticated Users are nested within Users.

Please do you have any pointers as to where I can see this on the system
or at least read about it.

> Due to these any account that logs in locally or any account that is
>authenticated (respectively) will become a Users member during that
>login/usage. These groups do not have to be nested within Users, but
>when removed one does need to understand what they have been enabling
>so that the parts of that which are needed can be provided.

More reading - groan! :) 

I am just a starter on the Windows security front, but as I see it:-

Users is a system group (like SYSTEM) (I wonder if I can delete it) and
it should not be possible to assign anyone to this group. What strange
mind thought up a structure that allows me to remove membership of a
user from a specific group, but the user still remains (in 99.99% of the
time) a member via a hidden route.

Also, why does Windows put every newly created user explicitly into the
Users group? - and thereby totally confuse poor punters like me.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 4, 2005 2:50:39 PM

If you look at a Group with the Users and Groups tools
(Computer Manager) or AD Users/Computer or any
of the command line tools then "what you see is what
you get" as long as you FOLLOW any references to
other groups.

E.g., if GroupA includes GroupB, then the members
of GroupB are effectively members of GroupA.

--
Herb Martin


"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:T30y9wGOMo2BFA+A@dessergroup.onetel.co.uk...
> In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes
>
> >The membership in the Users group is only exactly what is shown when
> >you view it. Now, in a default scenario you will see that Interactive
> >and Authenticated Users are nested within Users.
>
> Please do you have any pointers as to where I can see this on the system
> or at least read about it.
>
> > Due to these any account that logs in locally or any account that is
> >authenticated (respectively) will become a Users member during that
> >login/usage. These groups do not have to be nested within Users, but
> >when removed one does need to understand what they have been enabling
> >so that the parts of that which are needed can be provided.
>
> More reading - groan! :) 
>
> I am just a starter on the Windows security front, but as I see it:-
>
> Users is a system group (like SYSTEM) (I wonder if I can delete it) and
> it should not be possible to assign anyone to this group. What strange
> mind thought up a structure that allows me to remove membership of a
> user from a specific group, but the user still remains (in 99.99% of the
> time) a member via a hidden route.
>
> Also, why does Windows put every newly created user explicitly into the
> Users group? - and thereby totally confuse poor punters like me.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 4, 2005 3:01:22 PM

In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
<n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes

>If you wish to restrict a user add that user to a group and then use
>ntfs/registry permissions, user rights, and Group Policy
...[Snipped for later reading]

I have taken a different route - maybe causing some damage on the way.
(This is a holiday flat PC so I am not too concerned - more interested
in learning about security issues)

I have removed Users from all security permissions for all
drives/folders and have created my own group to allow a fine level of
control.

Securing Program Files and WINNT[1] took a bit of fiddling to allow
users to run applications.

My Visitor can now play mp3 files in a subfolder of drive to which they
are otherwise barred, and they are barred to all other drives but can
still browse the web and open applications. Other users seem to have
normal access.

[1] WINNT had separate security for each sub-folder - no inheritance. I
have changed that to inherit the settings from WINNT - we will see what
happens in the longer term.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 4, 2005 3:01:23 PM

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
>
> >If you wish to restrict a user add that user to a group and then use
> >ntfs/registry permissions, user rights, and Group Policy
> ..[Snipped for later reading]
>
> I have taken a different route - maybe causing some damage on the way.
> (This is a holiday flat PC so I am not too concerned - more interested
> in learning about security issues)

> I have removed Users from all security permissions for all
> drives/folders and have created my own group to allow a fine level of
> control.
>

That [the principle of giving correct permissions
rather than just defaults] is a really good practice, but
few do it, and it can be frustrated by tools like FrontPage,
which takes (has traditionally taken?) a very simplistic
attitude to setting the permissions on a web server.

Another good move is to substitute such groups for
most references to Everyone, or at least get
Authenticated Users substituted for it.

> Securing Program Files and WINNT[1] took a bit of fiddling to allow
> users to run applications.


> My Visitor can now play mp3 files in a subfolder of drive to which they
> are otherwise barred, and they are barred to all other drives but can
> still browse the web and open applications. Other users seem to have
> normal access.
>
> [1] WINNT had separate security for each sub-folder - no inheritance. I
> have changed that to inherit the settings from WINNT - we will see what
> happens in the longer term.


--
Herb Martin


> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 4, 2005 9:15:59 PM

That can also work well using a different approach to the same strategy,
particularly on non system folders. I don't like fiddling with permissions
in the \winnt folder without a lot of testing and generally do not recommend
it. However I have not had problems with adding "authenticated users" to
system folder and then removing users and everyone [which NSA security guide
also recommends]. The IIS lockdown tool is interesting in that it will
create a new group and give that group deny permissions to many binaries in
the system folder and other folders on the computer. You can then add a user
to that folder to make sure they do not have access to those binaries [ping,
arp, attrib, etc]. The biggest problems usually arise with deny permissions
in that unintended users, such as administrators, also end up being
affected. Many also seem to forget that not having permissions is an
implicit deny. It is a good idea to take an image of a computer before doing
major changes to permissions. It takes me about 5 minutes to restore a 5 gig
partition from a Ghost image so that I can start over. If you want a good
book on configuring Windows security the Microsoft Windows Security Resource
Kit is a good read and you can buy one from one of the used book vendors on
Amazon for less than ten dollars. I buy a lot of books that way. Many are
books with a bent corner or such that can not be sold as new. For a non
Microsoft perspective the Hacking Exposed Windows 2003 is worth a read. ---
Steve


"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
>
>>If you wish to restrict a user add that user to a group and then use
>>ntfs/registry permissions, user rights, and Group Policy
> ..[Snipped for later reading]
>
> I have taken a different route - maybe causing some damage on the way.
> (This is a holiday flat PC so I am not too concerned - more interested in
> learning about security issues)
>
> I have removed Users from all security permissions for all drives/folders
> and have created my own group to allow a fine level of control.
>
> Securing Program Files and WINNT[1] took a bit of fiddling to allow users
> to run applications.
>
> My Visitor can now play mp3 files in a subfolder of drive to which they
> are otherwise barred, and they are barred to all other drives but can
> still browse the web and open applications. Other users seem to have
> normal access.
>
> [1] WINNT had separate security for each sub-folder - no inheritance. I
> have changed that to inherit the settings from WINNT - we will see what
> happens in the longer term.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 4, 2005 9:16:00 PM

Along this line is a relatively advanced technique where
a group is created (e.g., DenyModify) and everyone who
normally has Change permissions is added, e.g., for the
System32 folder this might be applied to every EXE, DLL,
SYS, Drv, etc (executable) and contain the administrators
& even System so that on a "normal day" even admins
cannot update these files.

During upgrades -- one removes the admins or system
and then restores the group afterwards (the permissions
technically stay in effect the whole time on the files but
by logging on and off the admins effective permissions
change.)

Now, it might be the case that some virus, trojan, or
cracker might be able to work through this roadblock, but
the practical effect is that practically none of them
will (be able to) do so.

--
Herb Martin


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:t3BCd.617183$wV.434580@attbi_s54...
> That can also work well using a different approach to the same strategy,
> particularly on non system folders. I don't like fiddling with permissions
> in the \winnt folder without a lot of testing and generally do not recommend
> it. However I have not had problems with adding "authenticated users" to
> system folder and then removing users and everyone [which NSA security guide
> also recommends]. The IIS lockdown tool is interesting in that it will
> create a new group and give that group deny permissions to many binaries in
> the system folder and other folders on the computer. You can then add a user
> to that folder to make sure they do not have access to those binaries [ping,
> arp, attrib, etc]. The biggest problems usually arise with deny permissions
> in that unintended users, such as administrators, also end up being
> affected. Many also seem to forget that not having permissions is an
> implicit deny. It is a good idea to take an image of a computer before doing
> major changes to permissions. It takes me about 5 minutes to restore a 5 gig
> partition from a Ghost image so that I can start over. If you want a good
> book on configuring Windows security the Microsoft Windows Security Resource
> Kit is a good read and you can buy one from one of the used book vendors on
> Amazon for less than ten dollars. I buy a lot of books that way. Many are
> books with a bent corner or such that can not be sold as new. For a non
> Microsoft perspective the Hacking Exposed Windows 2003 is worth a read. ---
> Steve
>
>
> "Les Desser" <NewsDump1@dessergroup.com> wrote in message
> news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> > In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> > <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
> >
> >>If you wish to restrict a user add that user to a group and then use
> >>ntfs/registry permissions, user rights, and Group Policy
> > ..[Snipped for later reading]
> >
> > I have taken a different route - maybe causing some damage on the way.
> > (This is a holiday flat PC so I am not too concerned - more interested in
> > learning about security issues)
> >
> > I have removed Users from all security permissions for all drives/folders
> > and have created my own group to allow a fine level of control.
> >
> > Securing Program Files and WINNT[1] took a bit of fiddling to allow users
> > to run applications.
> >
> > My Visitor can now play mp3 files in a subfolder of drive to which they
> > are otherwise barred, and they are barred to all other drives but can
> > still browse the web and open applications. Other users seem to have
> > normal access.
> >
> > [1] WINNT had separate security for each sub-folder - no inheritance. I
> > have changed that to inherit the settings from WINNT - we will see what
> > happens in the longer term.
> > --
> > Les Desser
> > (The Reply-to address IS valid)
>
>
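The deny-group technique Herb describes and Steve's reminder that "not having permissions is an implicit deny" both come down to how the DACL is walked against the groups carried in the caller's access token. The Python below is an added illustration, not code from this thread and not Windows code; the account names, the DenyModify group and the rights bit values are constructed. It reproduces only the ordering rules (explicit denies first, then accumulated allows, otherwise refuse) and the fact that the group list is frozen into the token at logon, which is why an admin must log off and on before a change to DenyModify has any effect.

```python
"""Toy model of a Windows-style DACL access check (added illustration, not
Windows code and not code from the thread).

It reproduces three points from the discussion:
  1. no matching allow ACE means access is refused ("implicit deny");
  2. an explicit deny ACE on a group beats a later allow for a member of
     that group, which is how a DenyModify group locks out admins as well;
  3. the group list lives in the access token built at logon, so taking a
     user out of DenyModify changes nothing until that user logs off and on.
Account names, group names and the rights bit values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Generic rights as bit flags (constructed, not the real Win32 mask values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
MODIFY = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name
    mask: int      # rights granted or refused


@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str]   # snapshot of membership taken at logon

    def matches(self, trustee: str) -> bool:
        return trustee == self.user or trustee in self.groups


def logon(user: str, membership: Dict[str, Set[str]]) -> Token:
    """Build the token; later edits to `membership` do not touch it."""
    return Token(user, frozenset(g for g, m in membership.items() if user in m))


def access_check(token: Token, dacl: List[Ace], desired: int) -> Tuple[bool, str]:
    """Walk the DACL in order and return (granted, reason).

    A canonical DACL lists explicit denies before allows, so a matching deny
    that covers any requested right refuses access at once.  Allows accumulate;
    if the walk ends with some requested right still ungranted, access is
    refused even though no ACE said "no" (implicit deny).
    """
    granted = 0
    for ace in dacl:
        if not token.matches(ace.trustee):
            continue
        if ace.kind == "deny" and ace.mask & desired:
            return False, f"explicit deny via {ace.trustee}"
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & desired == desired:
                return True, "allowed"
    return False, "implicit deny (no ACE grants the requested rights)"


# Constructed membership and a DACL such as one might put on a system DLL.
SAMPLE_MEMBERSHIP: Dict[str, Set[str]] = {
    "Administrators": {"alice"},
    "Users": {"alice", "bob"},
    "DenyModify": {"alice", "SYSTEM"},   # the "normal day" lock-out group
}
SAMPLE_DACL: List[Ace] = [               # canonical order: denies first
    Ace("deny", "DenyModify", WRITE | DELETE),
    Ace("allow", "Administrators", MODIFY),
    Ace("allow", "Users", READ),
]


def demo() -> Dict[str, Tuple[bool, str]]:
    membership = {g: set(m) for g, m in SAMPLE_MEMBERSHIP.items()}
    alice, bob = logon("alice", membership), logon("bob", membership)
    out = {
        "alice_read": access_check(alice, SAMPLE_DACL, READ),
        "alice_write": access_check(alice, SAMPLE_DACL, WRITE),   # explicit deny
        "bob_read": access_check(bob, SAMPLE_DACL, READ),
        "bob_write": access_check(bob, SAMPLE_DACL, WRITE),       # implicit deny
    }
    # Upgrade day: remove alice from DenyModify.  Her current token is unchanged...
    membership["DenyModify"].discard("alice")
    out["alice_write_old_token"] = access_check(alice, SAMPLE_DACL, WRITE)
    # ...until she logs off and on, which rebuilds the token from membership.
    out["alice_write_relogon"] = access_check(logon("alice", membership), SAMPLE_DACL, WRITE)
    return out


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case}: {'granted' if ok else 'refused'} ({why})")
```

The interesting rows are bob_write, refused although no ACE names bob at all, and alice_write_old_token, still refused after her removal from DenyModify because the check reads the token, not the group database.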
Anonymous
January 5, 2005 12:06:46 AM

In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
<news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes

>E.g., if GroupA includes GroupB, then the members of GroupB are
>effectively members of GroupA.

I vote that groups should not be able to include other groups :) 

I did write that rather tongue-in-cheek and from a standpoint of someone
who is a starter in the area of Windows security, but on further
reflection it has merit. There is a lot to be said for transparency and
once you embed groups within groups one starts to lose the picture
rather fast.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 5, 2005 12:58:34 AM

In article <c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk>, Les Desser
<NewsDump1@dessergroup.com> Tue, 4 Jan 2005 12:01:22 writes

>I have taken a different route - maybe causing some damage on the way.
>(This is a holiday flat PC so I am not too concerned - more interested
>in learning about security issues)

Seems like I have done something :( 

As well as the Visitor user, I have created a standard user who is not a
member of Administrators.

When using that profile (as well as Visitors) I can no longer open .jpg
files. MS Photo Editor opens but then gives the error
"No file format information can be found in the Registry".

If I add that user to Administrators then it works - so it must be some
authority problem.

Thanks in anticipation.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 5, 2005 1:07:43 AM

I can see the point of view, but in larger environments
seeing that a groupX is composed of groupA, groupB,
and groupC, whereas groupY is composed of groupA
and groupD only is highly useful, where groupA, B, C,
D, etc. are fundamental categories of accounts, such as
by roles that they hold in the corp (or family).
The alternative, just seeing a long list of users in
groupX and groupY is error prone.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:xve6beFmVw2BFAas@dessergroup.onetel.co.uk...
> In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
> <news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes
>
> >E.g., if GroupA includes GroupB, then the members of GroupB are
> >effectively members of GroupA.
>
> I vote that groups should not be able to include other groups :) 
>
> I did write that rather tongue-in-cheek and from a standpoint of someone
> who is a starter in the area of Windows security, but on further
> reflection it has merit. There is a lot to be said for transparency and
> once you embed groups within groups one starts to lose the picture
> rather fast.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 5, 2005 1:20:33 AM

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:xve6beFmVw2BFAas@dessergroup.onetel.co.uk...
> In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
> <news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes
>
> >E.g., if GroupA includes GroupB, then the members of GroupB are
> >effectively members of GroupA.
>
> I vote that groups should not be able to include other groups :) 

Then you will hate NATIVE mode where they can be
arbitrarily nested, e.g., Global in Global ... in Universal
in Universal ... in Local ....

> I did write that rather tongue-in-cheek and from a standpoint of someone
> who is a starter in the area of Windows security, but on further
> reflection it has merit.

It is a practical necessity for large domains, but makes
managing even a few hundred users much easier if
you design the structure well.

> There is a lot to be said for transparency and
> once you embed groups within groups one starts to lose the picture
> rather fast.

This probably stems from not setting up the groups
to follow a well-thought out picture -- design -- to
start.

Local groups REALLY represent "a collection of
resources/permissions and/or set of rights for doing
some job" while Global groups really should be
the ones that represent "a bunch of users who should
be given some privilege the same way."

None of the books tell you that -- most authors
(and therefore admins) continue to think of Local
groups as primarily representing USERS instead
of a set of resources.
Anonymous
January 5, 2005 1:24:10 AM

lusrmgr.msc run at a cmd prompt (as you refer to
c:\winnt should I assume this is Windows 2000?)
lets you see the group structure in all existing detail.

Originally Users only held accounts. Later MS invented
Interactive and Authenticated Users and nested these
within. This was as much as anything a response to the
fact that the OS had grown in ways such that if an account
was not a member of Users then things would fail in an
interactive login. It is not just the NTFS permissions in
the system folders, but also a matter of permissions on the
COM components and registry keys, where some grants are
to the Users group.

I think historically the intent was to have Guests, Users,
and Administrators with these three being allowed a tiered
increase in capability. However, things were IMO not kept
fully clean, and for all practical purposes the distinction
between Guest and any Users member became lost and also
impossible for interactive login. In large part this was a
response to MS observing the common (and reasonable)
practice of removing the default grants to Everyone (which
used to allow Guest to function interactively).

By the way, although it looks like a group in the icon used,
System is best thought of not as a group but as an account.
I think it is treated as a group because in a stand-alone install
the Local System account (which is used to fire up most of the
core components/services of the OS) is System, but once the
machine is joined to a domain then the domain\Machine$
account also is System.

Aside from accounts and normal groups, you will find some
"group-like" predefined principals used (Interactive, Network,
Authenticated Users, Creator Owner, etc.) whose membership
you cannot adjust. These are like place-holders which get
substituted with the "then current" account if the criteria of
the place being held are satisfied. If I have logged in as UserX
at the keyboard, then UserX actually appears in the security
access checks where Interactive is seen when viewing the
definitions, etc.

--
Roger
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:T30y9wGOMo2BFA+A@dessergroup.onetel.co.uk...
> In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes
>
> >The membership in the Users group is only exactly what is shown when
> >you view it. Now, in a default scenario you will see that Interactive
> >and Authenticated Users are nested within Users.
>
> Please do you have any pointers as to where I can see this on the system
> or at least read about it.
>
> > Due to these any account that logs in locally or any account that is
> >authenticated (respectively) will become a Users member during that
> >login/usage. These groups do not have to be nested within Users, but
> >when removed one does need to understand what they have been enabling
> >so that the parts of that which are needed can be provided.
>
> More reading - groan! :) 
>
> I am just a starter on the Windows security front, but as I see it:-
>
> Users is a system group (like SYSTEM) (I wonder if I can delete it) and
> it should not be possible to assign anyone to this group. What strange
> mind thought up a structure that allows me to remove membership of a
> user from a specific group, but the user still remains (in 99.99% of the
> time) a member via a hidden route.
>
> Also, why does Windows put every newly created user explicitly into the
> Users group? - and thereby totally confuse poor punters like me.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 5, 2005 1:30:53 AM

Archived from groups: microsoft.public.win2000.security (More info?)

> Securing Program Files and WINNT[1] took a bit of fiddling to allow
> users to run applications.

Les, you will have also noticed that many of the individual files
have their NTFS permissions explicitly set also.

Let us know what OS version you are using, as things have changed
some between them, and we can refer you to the master file that is
used to set the install default permissions on these folders and files.
The template is actually just a plain text file, and one can do a global
replace on it to change the two characters representing "Users" with
the SID of the custom group - meaning one can come up with a template
that set security so that Users is not used but the custom group has the
settings instead. One can edit the template and then remove the
custom group from the items desired.

I do not really advocate doing this as a standard practice, and there
are so very many (and ill-documented) dependencies; but, the template
does provide for quick reproducibility and so facilitate experimentation
especially if combined with something like VMware or VirtualPC where
you just make a copy of the base OS filetree, boot it, fool around, and
delete the copy when done if things are not liked or disastrous.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
> In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
> <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
>
> >If you wish to restrict a user add that user to a group and then use
> >ntfs/registry permissions, user rights, and Group Policy
> ..[Snipped for later reading]
>
> I have taken a different route - maybe causing some damage on the way.
> (This is a holiday flat PC so I am not too concerned - more interested
> in learning about security issues)
>
> I have removed Users from all security permissions for all
> drives/folders and have created my own group to allow a fine level of
> control.
>
> Securing Program Files and WINNT[1] took a bit of fiddling to allow
> users to run applications.
>
> My Visitor can now play mp3 files in a subfolder of drive to which they
> are otherwise barred, and they are barred to all other drives but can
> still browse the web and open applications. Other users seem to have
> normal access.
>
> [1] WINNT had separate security for each sub-folder - no inheritance. I
> have changed that to inherit the settings from WINNT - we will see what
> happens in the longer term.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 5, 2005 11:10:14 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <#OdJRdu8EHA.3416@TK2MSFTNGP09.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:30:53 writes

>Les, you will have also noticed that many of the individual files have
>their NTFS permissions explicitly set also.
>
>Let us know what OS version you are using

W2K SP4

>, as things have changed some between them, and we can refer you to the
>master file that is used to set the install default permissions on
>these folders and files.

Thanks
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 5, 2005 11:27:47 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <umJHL7t8EHA.2196@TK2MSFTNGP11.phx.gbl>, Herb Martin
<news@LearnQuick.com> Tue, 4 Jan 2005 22:20:33 writes

>None of the books tell you that -- most authors (and therefore admins)
>continue to think of Local groups as primarily representing USERS
>instead of a set of resources.

You have expressed my own thoughts in a few words - I just could not get
at the right ones.

Groups Users and Family (my invention - in case it actually exists) are
chalk and cheese.

Users is an attribute of a logged-on profile and not what I would call a
group. It should not be possible to put an actual user into group
Users. That is a bit like grouping the residents of the UK and putting
the Prime Minister in group Human :) 

I rest my case.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 5, 2005 11:30:52 PM

Archived from groups: microsoft.public.win2000.security (More info?)

In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes

>I can see the point of view, but in larger environments seeing that a
>groupX is composed of groupA, groupB, and groupC, whereas groupY is
>composed of groupA and groupD only is highly useful, where groupA, B,
>C, D, etc. are fundamental categories of accounts, such as by roles
>that they hold in the corp (or family). The alternative, just seeing a
>long list of users in groupX and groupY is error prone.

I agree - I withdraw my original statement.

I just wish that the definition of a group would not be muddied by
having special collections such as Users called the same as a group
created by human intelligence - see my reply to Herb a few minutes ago.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 5, 2005 11:30:53 PM

Archived from groups: microsoft.public.win2000.security (More info?)

> I just wish that the definition of a group would not be muddied by
> having special collections such as Users called the same as a group
> created by human intelligence - see my reply to Herb a few minutes ago.

I would really need to disagree with this (false)
distinction -- Users is indeed in every sense a
Group.

It just happens to be a Built-In Group with built-in
behavior which can be critical to getting a system
to work by default.

Even Everyone is a group in the true sense although
this class has its own name as well: Special Groups.

(Of course it isn't a very GOOD name <grin> and
should have been called Automatic or perhaps best
would have been Dynamic Groups since the OS
automatically assigns users to the special groups
automatically and dynamically when they meet
certain conditions.)

--
Herb Martin


"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
>
> >I can see the point of view, but in larger environments seeing that a
> >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> >composed of groupA and groupD only is highly useful, where groupA, B,
> >C, D, etc. are fundamental categories of accounts, such as by roles
> >that they hold in the corp (or family). The alternative, just seeing a
> >long list of users in groupX and groupY is error prone.
>
> I agree - I withdraw my original statement.
>
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 6, 2005 2:49:14 AM

Archived from groups: microsoft.public.win2000.security (More info?)

As Herb indicated Users is a group.
Nothing magic about it. The membership of Users is
clearly viewable, and Users contains nothing other than
what is there, clearly viewable.

Today, the use made of Users would fit IMO fairly
closely to "the group that allows its members to log
into the machine at the keyboard and use it"
In other words, the Users group is pretty much the
grouping of accounts that can use the machine.

There are groups, just plain old normal groups,
like Users. These come in two forms. The predefined
groups and what I term custom groups which have been
defined by the user/owner of the machine.

There are a couple kinds of things that are used as if
they were groups and/or that function like groups, but
over the membership in which one has no control.
These are things like Everyone, Authenticated Users,
Interactive, Network, Anonymous Users, Creator Owner,
Creator Group, Self, . .. These all have set, defined
meanings and uses, which I believe you could discover
by reading into the Resource Kits.
www.reskits.com

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
>
> >I can see the point of view, but in larger environments seeing that a
> >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> >composed of groupA and groupD only is highly useful, where groupA, B,
> >C, D, etc. are fundamental categories of accounts, such as by roles
> >that they hold in the corp (or family). The alternative, just seeing a
> >long list of users in groupX and groupY is error prone.
>
> I agree - I withdraw my original statement.
>
> I just wish that the definition of a group would not be muddied by
> having special collections such as Users called the same as a group
> created by human intelligence - see my reply to Herb a few minutes ago.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 6, 2005 3:51:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

For W2k the initial, install defaults for the security ACLs on reg vals,
folders, files, services, etc. are contained in the file setup security.inf
to be found in your c:\WINNT\security\templates folder.
If you look in this text file with notepad you will see many
lines in the [File Security] section that look like
8="c:\winnt", 2,
"D:p (A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)
(A;CIOI;GA;;;CO)(A;;GRGX;;;WD)"
The third and last of these is a string representation of an ACL
in a syntax called SDDL (security descriptor definition language,
about which you could search in msdn.microsoft.com for info)

The way to view what the settings actual mean is to
start / run mmc
and then under the file drop menu select to add/remove snapin
and then add to locate the Security Templates snapin.
Then, with an mmc console where you can look at templates
(these .inf files) you can open the template and see the settings
there translated into groups and the associated grants and also
inheritance. You would be smart to make a copy and do this on
the copy - as that would give you room to play.

In the SDDL above for the initial W2k permissions on winnt
dir, the initial D: means this part is the dacl (access rather than
audit ACL), the first () in it is (A;CIOI;GRGX;;;BU) which is
the spec for one ACE in the ACL, which A: Allows to Users
(the BU for built-in Users) generic read and generic execute
(the GRGX). The CIOI are specifying the inheritance attributes
of this ACE. The other principals in the remaining ACEs of
this ACL spec are PU=Power Users, BA=built-in Administrators,
SY=System, CO=Creator Owner, and WD=Everyone (aka world).

With the Security Templates snap-in it is not possible to change
the state of the running system. To do that one uses the Security
Configuration and Analysis snap-in, into which one Imports the
template (use caution, always Analyze first and consider before
doing an Apply).

If you wanted to alter all of these so that instead of granting to
Users the same would instead be granted to CustomGroup,
what one could do is
1. obtain the SID of CustomGroup
2. make a copy of this inf file, and trim out all sections except
those that you want to impact, for example trim out all except
for [File Security] (note: leave the initial header part, that is,
the [Unicode] and [Version] parts, and do not overlook removing
the section [Service General Setting] following files section)
3. do a global replace of BU with the SID of CustomGroup
When this altered template is applied, everyplace that there is a
grant to Users in the filesystem due to the original template's use
during install will instead have the same grant made to CustomGroup
instead (the grant to Users will be gone). To reverse this, one
would import and apply the original template's [File Security] section.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:3J7bCLP32E3BFAxZ@dessergroup.onetel.co.uk...
> In article <#OdJRdu8EHA.3416@TK2MSFTNGP09.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:30:53 writes
>
> >Les, you will have also noticed that many of the individual files have
> >their NTFS permissions explicitly set also.
> >
> >Let us know what OS version you are using
>
> W2K SP4
>
> >, as things have changed some between them, and we can refer you to the
> >master file that is used to set the install default permissions on
> >these folders and files.
>
> Thanks
> --
> Les Desser
> (The Reply-to address IS valid)
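Worked example (added here, not from the thread or from any Microsoft tool): a small Python script that decodes the kind of SDDL string quoted above into its ACEs and does the step-3 replacement the safe way, on the trustee field of each ACE only, instead of as a blind text replace of the two characters BU. The template fragment, the path c:\BUILD and the custom group SID in it are constructed for the demonstration and are not the real setup security.inf; the alias table covers only the trustees the post names.

```python
"""Parse and retarget the SDDL ACL strings found in a W2K security template.

Added example, not code from the original thread. The template text below is
constructed to look like the [File Security] lines the post quotes (one entry
per line, as in the real file); the path c:\\BUILD and the custom group SID
are made-up values used only to show why a blind text replace of "BU" is
unsafe.
"""
import re

# Two-letter SDDL aliases for the trustees named in the post.
TRUSTEE_ALIASES = {
    "BU": "Users", "PU": "Power Users", "BA": "Administrators",
    "SY": "SYSTEM", "CO": "CREATOR OWNER", "WD": "Everyone",
}
# Generic rights and inheritance flags used in the post's ACL string.
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "SD": "DELETE"}
FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT"}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(
    r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
# One [File Security] entry: N="path", mode, "sddl"
ENTRY_RE = re.compile(r'^\d+="([^"]+)",\s*(\d),\s*"([^"]*)"', re.M)


def _pairs(s, table):
    """Split a run of two-letter codes ('CIOI', 'GRGX') and name each one."""
    return [table.get(s[i:i + 2], s[i:i + 2]) for i in range(0, len(s), 2)]


def parse_dacl(sddl):
    """Return one dict per ACE of a 'D:' SDDL string, in ACL order."""
    if not sddl.upper().startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for ace_type, flags, rights, _, _, trustee in ACE_RE.findall(sddl):
        aces.append({
            "type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
            "flags": _pairs(flags, FLAGS),
            "rights": _pairs(rights, RIGHTS),
            "trustee": TRUSTEE_ALIASES.get(trustee, trustee),
        })
    return aces


def file_security_entries(template_text):
    """Return (path, mode, parsed ACEs) for each [File Security] line."""
    section = template_text.split("[File Security]", 1)[1]
    section = section.split("\n[", 1)[0]        # stop at the next section header
    return [(p, int(m), parse_dacl(s)) for p, m, s in ENTRY_RE.findall(section)]


def retarget_trustee(template_text, old_alias, new_sid):
    """Rewrite ACEs whose trustee is old_alias so they grant new_sid instead.

    Only the trustee field of an ACE is touched, so 'BU' inside a path or any
    other text is left alone (a plain global replace would not do that).
    """
    def swap(m):
        fields = list(m.groups())
        if fields[5] == old_alias:
            fields[5] = new_sid
        return "(" + ";".join(fields) + ")"
    return ACE_RE.sub(swap, template_text)


def stray_alias_hits(template_text, alias):
    """Count occurrences of alias that are NOT an ACE trustee field."""
    return ACE_RE.sub("", template_text).count(alias)


# Constructed template fragment (not the real setup security.inf).
TEMPLATE = (
    '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
    '[File Security]\n'
    '8="c:\\winnt", 2, "D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)'
    '(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;;GRGX;;;WD)"\n'
    '9="c:\\BUILD", 2, "D:P(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)"\n'
    '[Service General Setting]\n'
)
CUSTOM_SID = "S-1-5-21-1004336348-1177238915-682003330-1005"  # made-up example

if __name__ == "__main__":
    for path, mode, aces in file_security_entries(TEMPLATE):
        print(path, mode)
        for ace in aces:
            print("  ", ace["type"], ace["trustee"],
                  "+".join(ace["rights"]), ace["flags"])
    print("stray BU hits outside ACEs:", stray_alias_hits(TEMPLATE, "BU"))
    print(retarget_trustee(TEMPLATE, "BU", CUSTOM_SID))
```

Run as a script it lists each [File Security] entry decoded into Allow/Deny, trustee, rights and inheritance flags, then reports that a plain global replace of BU would also have hit the path c:\BUILD, which is exactly the kind of collateral change that the advice to Analyze before Apply is meant to catch. The rewritten text still has to be imported into Security Configuration and Analysis as the post describes; the script only edits the template.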
Anonymous
January 6, 2005 8:00:38 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
> As Herb indicated Users is a group.
> Nothing magic about it. The membership of Users is
> clearly viewable, and Users contains nothing other than
> what is there, clearly viewable.

Correct (and below too).

Strictly FYI: The names for the various group types are:

1) Built-in (Administrators, Users, Domain Admins...)
changeable but created and used by the system automatically

2) Groups (aka custom or user-defined Groups)

3) Special (dynamically assigned membership based on
current activity at the time the object resource is
OPENED -- e.g., Everyone, Network, Terminal Service
Users, Dialup Users (sp?) etc.

Groups MAY be divided into 2 or more categories:

a) Local (workstations or domain based)
b) Global (domain based only)
c) Universal (Win2000 Native mode or 2003 Server mode)


On workstations, all Built-in and user-defined Groups are
Local Groups only -- while on the domain groups can be either
Local, Global, or perhaps Universal groups.

No one knows whether Special Groups are Global or
Local -- they really are neither, but have some of the
characteristics of each.

Technically, there is another Group type, a variation on
Local groups when the behavior changes after upgrading
the domain to Native+ mode: Domain Locals, which are
technically different than "plain Local groups on a domain"
in NT or Mixed etc mode.


--
Herb Martin


>
> Today, the use made of Users would fit IMO fairly
> closely to "the group that allows its members to log
> into the machine at the keyboard and use it"
> In other words, the Users group is pretty much the
> grouping of accounts that can use the machine.
>
> There are groups, just plain old normal groups,
> like Users. These come in two forms. The predefined
> groups and what I term custom groups which have been
> defined by the user/owner of the machine.
>
> There are a couple kinds of things that are used as if
> they were groups and/or that function like groups, but
> over the membership in which one has no control.
> These are things like Everyone, Authenticated Users,
> Interactive, Network, Anonymous Users, Creator Owner,
> Creator Group, Self, . .. These all have set, defined
> meanings and uses, which I believe you could discover
> by reading into the Resource Kits.
> www.reskits.com
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Les Desser" <NewsDump1@dessergroup.com> wrote in message
> news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
> >
> > >I can see the point of view, but in larger environments seeing that a
> > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> > >composed of groupA and groupD only is highly useful, where groupA, B,
> > >C, D, etc. are fundamental categories of accounts, such as by roles
> > >that they hold in the corp (or family). The alternative, just seeing a
> > >long list of users in groupX and groupY is error prone.
> >
> > I agree - I withdraw my original statement.
> >
> > I just wish that the definition of a group would not be muddied by
> > having special collections such as Users called the same as a group
> > created by human intelligence - see my reply to Herb a few minutes ago.
> > --
> > Les Desser
> > (The Reply-to address IS valid)
>
>
Anonymous
January 6, 2005 10:44:39 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks Herb for the terminology breakdown.

It is with regret that I need to mention for the OP that one will
find that the terms used by MS have "drifted" some over time.
For example, if one reads at
http://www.microsoft.com/resources/documentation/Window...
one will find a slight variation on these, and that all of the
"pre-defined"s get lumped together as the category
Built-in Security Principals, and reading on one finds at
http://www.microsoft.com/resources/documentation/Window...
some meanings for the common ones of these, where the OP
should notice that some are "group-like" and some are
"user-like". The first are dynamically managed collections
of accounts, while the second are placeholders used in ACLs
that get replaced dynamically at runtime with the account in use
that meets their definition.

Perhaps we should note for the OP that "principal" is the
generic term used to indicate anything that can be a trustee,
that is, the object indicated as receiving or being denied a
security access grant (and similar with auditing).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23j9oj%2398EHA.2180@TK2MSFTNGP12.phx.gbl...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
> > As Herb indicated Users is a group.
> > Nothing magic about it. The membership of Users is
> > clearly viewable, and Users contains nothing other than
> > what is there, clearly viewable.
>
> Correct (and below too).
>
> Strictly FYI: The names for the various group types are:
>
> 1) Built-in (Administrators, Users, Domain Admins...)
> changeable but created and used by the system automatically
>
> 2) Groups (aka custom or user-defined Groups)
>
> 3) Special (dynamically assigned membership based on
> current activity at the time the object resource is
> OPENED -- e.g., Everyone, Network, Terminal Service
> Users, Dialup Users (sp?) etc.
>
> Groups MAY be divided into 2 or more categories:
>
> a) Local (workstations or domain based)
> b) Global (domain based only)
> c) Universal (Win2000 Native mode or 2003 Server mode)
>
>
> On workstations, all Built-in and user-defined Groups are
> Local Groups only -- while on the domain groups can be either
> Local, Global, or perhaps Universal groups.
>
> No one knows whether Special Groups are Global or
> Local -- they really are neither, but have some of the
> characteristics of each.
>
> Technically, there is another Group type, a variation on
> Local groups when the behavior changes after upgrading
> the domain to Native+ mode: Domain Locals, which are
> technically different than "plain Local groups on a domain"
> in NT or Mixed etc mode.
>
>
> --
> Herb Martin
>
>
> >
> > Today, the use made of Users would fit IMO fairly
> > closely to "the group that allows its members to log
> > into the machine at the keyboard and use it"
> > In other words, the Users group is pretty much the
> > grouping of accounts that can use the machine.
> >
> > There are groups, just plain old normal groups,
> > like Users. These come in two forms. The predefined
> > groups and what I term custom groups which have been
> > defined by the user/owner of the machine.
> >
> > There are a couple kinds of things that are used as if
> > they were groups and/or that function like groups, but
> > over the membership in which one has no control.
> > These are things like Everyone, Authenticated Users,
> > Interactive, Network, Anonymous Users, Creator Owner,
> > Creator Group, Self, . .. These all have set, defined
> > meanings and uses, which I believe you could discover
> > by reading into the Resource Kits.
> > www.reskits.com
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
> > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
> > >
> > > >I can see the point of view, but in larger environments seeing that a
> > > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> > > >composed of groupA and groupD only is highly useful, where groupA, B,
> > > >C, D, etc. are fundamental categories of accounts, such as by roles
> > > >that they hold in the corp (or family). The alternative, just seeing a
> > > >long list of users in groupX and groupY is error prone.
> > >
> > > I agree - I withdraw my original statement.
> > >
> > > I just wish that the definition of a group would not be muddied by
> > > having special collections such as Users called the same as a group
> > > created by human intelligence - see my reply to Herb a few minutes ago.
> > > --
> > > Les Desser
> > > (The Reply-to address IS valid)
> >
> >
>
>
Anonymous
January 6, 2005 1:25:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

> Perhaps we should note for the OP that "principal" is the
> generic term used to indicate anything that can be a trustee,
> that is, the object indicated as receiving or being denied a
> security access grant (and similar with auditing).

Drift is bad <grin>

In fact, I strongly prefer the term "security principal"
as a generic term for Groups, Users, and Computer
accounts -- all of these can be granted or denied
permission and rights related to object access and to
system functions.

<irony>

Then there is the question of "Creator/Owner" which
Microsoft calls a special group (at times) and which
I have always considered a Special User.

But on logical grounds it does qualify as Special
Group of at most one user. Ok, there is the case
where it manages to represent the Administrators
group collectively and thereby destroys all our
perceptions about Group containment rules.

(BTW, I think the developers cheated by writing
some exceptions in the code for this stuff.)

</irony>

--
Herb Martin


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eAVrV3$8EHA.2900@TK2MSFTNGP09.phx.gbl...
> Thanks Herb for the terminology breakdown.
>
> It is with regret that I need to mention for the OP that one will
> find that the terms used by MS have "drifted" some over time.
> For example, if one reads at
>
http://www.microsoft.com/resources/documentation/Window...
> one will find a slight variation on these, and that all of the
> "pre-defined"s get lumped together as the category
> Built-in Security Principals, and reading on one finds at
>
http://www.microsoft.com/resources/documentation/Window...
> some meanings for the common ones of these, where the OP
> should notice that some are "group-like" and some are
> "user-like". The first are dynamically managed collections
> of accounts, while the second are placeholders used in ACLs
> that get replaced dynamically at runtime with the account in use
> that meets their definition.
>
> Perhaps we should note for the OP that "principal" is the
> generic term used to indicate anything that can be a trustee,
> that is, the object indicated as receiving or being denied a
> security access grant (and similar with auditing).
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%23j9oj%2398EHA.2180@TK2MSFTNGP12.phx.gbl...
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
> > > As Herb indicated Users is a group.
> > > Nothing magic about it. The membership of Users is
> > > clearly viewable, and Users contains nothing other than
> > > what is there, clearly viewable.
> >
> > Correct (and below too).
> >
> > Strictly FYI: The names for the various group types are:
> >
> > 1) Built-in (Administrators, Users, Domain Admins...)
> > changeable but created and used by the system automatically
> >
> > 2) Groups (aka custom or user-defined Groups)
> >
> > 3) Special (dynamically assigned membership based on
> > current activity at the time the object resource is
> > OPENED -- e.g., Everyone, Network, Terminal Service
> > Users, Dialup Users (sp?) etc.
> >
> > Groups MAY be divided into 2 or more categories:
> >
> > a) Local (workstations or domain based)
> > b) Global (domain based only)
> > c) Universal (Win2000 Native mode or 2003 Server mode)
> >
> >
> > On workstations, all Built-in and user-defined Groups are
> > Local Groups only -- while on the domain groups can be either
> > Local, Global, or perhaps Universal groups.
> >
> > No one knows whether Special Groups are Global or
> > Local -- they really are neither, but have some of the
> > characteristics of each.
> >
> > Technically, there is another Group type, a variation on
> > Local groups when the behavior changes after upgrading
> > the domain to Native+ mode: Domain Locals, which are
> > technically different than "plain Local groups on a domain"
> > in NT or Mixed etc mode.
> >
> >
> > --
> > Herb Martin
> >
> >
> > >
> > > Today, the use made of Users would fit IMO fairly
> > > closely to "the group that allows its members to log
> > > into the machine at the keyboard and use it"
> > > In other words, the Users group is pretty much the
> > > grouping of accounts that can use the machine.
> > >
> > > There are groups, just plain old normal groups,
> > > like Users. These come in two forms. The predefined
> > > groups and what I term custom groups which have been
> > > defined by the user/owner of the machine.
> > >
> > > There are a couple kinds of things that are used as if
> > > they were groups and/or that function like groups, but
> > > over the membership in which one has no control.
> > > These are things like Everyone, Authenticated Users,
> > > Interactive, Network, Anonymous Users, Creator Owner,
> > > Creator Group, Self, . .. These all have set, defined
> > > meanings and uses, which I believe you could discover
> > > by reading into the Resource Kits.
> > > www.reskits.com
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
> > > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
> > > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
> > > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
> > > >
> > > > >I can see the point of view, but in larger environments seeing that a
> > > > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
> > > > >composed of groupA and groupD only is highly useful, where groupA, B,
> > > > >C, D, etc. are fundamental categories of accounts, such as by roles
> > > > >that they hold in the corp (or family). The alternative, just seeing a
> > > > >long list of users in groupX and groupY is error prone.
> > > >
> > > > I agree - I withdraw my original statement.
> > > >
> > > > I just wish that the definition of a group would not be muddied by
> > > > having special collections such as Users called the same as a group
> > > > created by human intelligence - see my reply to Herb a few minutes ago.
> > > > --
> > > > Les Desser
> > > > (The Reply-to address IS valid)
> > >
> > >
> >
> >
>
>
Anonymous
January 6, 2005 6:40:06 PM

Archived from groups: microsoft.public.win2000.security (More info?)

> (BTW, I think the developers cheated by writing
> some exceptions in the code for this stuff.)

<vbg> yea, rather certain they did.

For example, one sometimes sees in the docs the statement
that SYSTEM is a member of Administrators group, but that
this is just not shown in the user interface. (OK, so how does
a machine local group get nested into a machine local group?)

The Creator Owner "group" got only more clouded when
they introduced Creator Group "group".

I take a more simple approach. I think of things as Groups
if I can manage their membership, even though MS (at times)
would like some of these referenced as Built-in Groups.
To me, if I have defined it then it is a custom group and I just
say "custom group" if I want to emphasize this. Otherwise a
group is a group is good enough for me.

Then, I think of the rest (where I cannot manage the membership)
as either Special Groups (your dynamic groups which I find to be
an appealing terminology), or as placeholder principals. Then to
round things out, there are the Well Known SIDs.

Issues like the doc speaking of the SYSTEM account but the GUI
displaying the SYSTEM "account" often using the icon for a Group
does not help matters.

Maybe some day things will have completed evolution so that a
terminology that is both simple and sufficient can be established.

--
Roger

"Herb Martin" <news@LearnQuick.com> wrote in message
news:%23RSaVyA9EHA.936@TK2MSFTNGP12.phx.gbl...
>> Perhaps we should note for the OP that "principal" is the
>> generic term used to indicate anything that can be a trustee,
>> that is, the object indicated as receiving or being denied a
>> security access grant (and similar with auditing).
>
> Drift is bad <grin>
>
> In fact, I strongly prefer the term "security principal"
> as a generic term for Groups, Users, and Computer
> accounts -- all of these can be granted or denied
> permission and rights related to object access and to
> system functions.
>
> <irony>
>
> Then there is the question of "Creator/Owner" which
> Microsoft calls a special group (at times) and which
> I have always considered a Special User.
>
> But on logical grounds it does qualify as Special
> Group of at most one user. Ok, there is the case
> where it manages to represent the Administrators
> group collectively and thereby destroys all our
> perceptions about Group containment rules.
>
> (BTW, I think the developers cheated by writing
> some exceptions in the code for this stuff.)
>
> </irony>
>
> --
> Herb Martin
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:eAVrV3$8EHA.2900@TK2MSFTNGP09.phx.gbl...
>> Thanks Herb for the terminology breakdown.
>>
>> It is with regret that I need to mention for the OP that one will
>> find that the terms used by MS have "drifted" some over time.
>> For example, if one reads at
>>
> http://www.microsoft.com/resources/documentation/Window...
>> one will find a slight variation on these, and that all of the
>> "pre-defined"s get lumped together as the category
>> Built-in Security Principals, and reading on one finds at
>>
> http://www.microsoft.com/resources/documentation/Window...
>> some meanings for the common ones of these, where the OP
>> should notice that some are "group-like" and some are
>> "user-like". The first are dynamically managed collections
>> of accounts, while the second are placeholders used in ACLs
>> that get replaced dynamically at runtime with the account in use
>> that meets their definition.
>>
>> Perhaps we should note for the OP that "principal" is the
>> generic term used to indicate anything that can be a trustee,
>> that is, the object indicated as receiving or being denied a
>> security access grant (and similar with auditing).
>>
>> --
>> Roger Abell
>> Microsoft MVP (Windows Security)
>> MCSE (W2k3,W2k,Nt4) MCDBA
>> "Herb Martin" <news@LearnQuick.com> wrote in message
>> news:%23j9oj%2398EHA.2180@TK2MSFTNGP12.phx.gbl...
>> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> > news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
>> > > As Herb indicated Users is a group.
>> > > Nothing magic about it. The membership of Users is
>> > > clearly viewable, and Users contains nothing other than
>> > > what is there, clearly viewable.
>> >
>> > Correct (and below too).
>> >
>> > Strictly FYI: The names for the various group types are:
>> >
>> > 1) Built-in (Administrators, Users, Domain Admins...)
>> > changeable but created and used by the system automatically
>> >
>> > 2) Groups (aka custom or user-defined Groups)
>> >
>> > 3) Special (dynamically assigned membership based on
>> > current activity at the time the object resource is
>> > OPENED -- e.g., Everyone, Network, Terminal Service
>> > Users, Dialup Users (sp?) etc.
>> >
>> > Groups MAY be divided into 2 or more categories:
>> >
>> > a) Local (workstations or domain based)
>> > b) Global (domain based only)
>> > c) Universal (Win2000 Native mode or 2003 Server mode)
>> >
>> >
>> > On workstations, all Built-in and user-defined Groups are
>> > Local Groups only -- while on the domain groups can be either
>> > Local, Global, or perhaps Universal groups.
>> >
>> > No one knows whether Special Groups are Global or
>> > Local -- they really are neither, but have some of the
>> > characteristics of each.
>> >
>> > Technically, there is another Group type, a variation on
>> > Local groups when the behavior changes after upgrading
>> > the domain to Native+ mode: Domain Locals, which are
>> > technically different than "plain Local groups on a domain"
>> > in NT or Mixed etc mode.
>> >
>> >
>> > --
>> > Herb Martin
>> >
>> >
>> > >
>> > > Today, the use made of Users would fit IMO fairly
>> > > closely to "the group that allows its members to log
>> > > into the machine at the keyboard and use it"
>> > > In other words, the Users group is pretty much the
>> > > grouping of accounts that can use the machine.
>> > >
>> > > There are groups, just plain old normal groups,
>> > > like Users. These come in two forms. The predefined
>> > > groups and what I term custom groups which have been
>> > > defined by the user/owner of the machine.
>> > >
>> > > There are a couple kinds of things that are used as if
>> > > they were groups and/or that function like groups, but
>> > > over the membership in which one has no control.
>> > > These are things like Everyone, Authenticated Users,
>> > > Interactive, Network, Anonymous Users, Creator Owner,
>> > > Creator Group, Self, . .. These all have set, defined
>> > > meanings and uses, which I believe you could discover
>> > > by reading into the Resource Kits.
>> > > www.reskits.com
>> > >
>> > > --
>> > > Roger Abell
>> > > Microsoft MVP (Windows Security)
>> > > MCSE (W2k3,W2k,Nt4) MCDBA
>> > > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
>> > > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
>> > > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
>> > > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
>> > > >
>> > > > >I can see the point of view, but in larger environments seeing
>> > > > >that
> a
>> > > > >groupX is composed of groupA, groupB, and groupC, whereas groupY
>> > > > >is
>> > > > >composed of groupA and groupD only is highly useful, where groupA,
> B,
>> > > > >C, D, etc. are fundamental categories of accounts, such as by
>> > > > >roles
>> > > > >that they hold in the corp (or family). The alternative, just
> seeing
>> a
>> > > > >long list of users in groupX and groupY is error prone.
>> > > >
>> > > > I agree - I withdraw my original statement.
>> > > >
>> > > > I just wish that the definition of a group would not be
>> > > > muddied
>> by
>> > > > having special collections such as Users called the same as a group
>> > > > created by human intelligence - see my reply to Herb a few minutes
>> ago.
>> > > > --
>> > > > Les Desser
>> > > > (The Reply-to address IS valid)
>> > >
>> > >
>> >
>> >
>>
>>
>
>
Anonymous
January 6, 2005 11:46:56 PM

In article <uOA16728EHA.3988@TK2MSFTNGP10.phx.gbl>, Herb Martin
<news@LearnQuick.com> Wed, 5 Jan 2005 15:29:59 writes

>> I just wish that the definition of a group would not be muddied by
>> having special collections such as Users called the same as a group
>> created by human intelligence - see my reply to Herb a few minutes ago.
>
>I would really need to disagree with this (false) distinction -- Users
>is indeed in every sense a Group.
>
>It just happens to be a Built-In Group with built-in behavior which can
>be critical to getting a system to work by default.
>
>Even Everyone is a group in the true sense although this class has its
>own name as well: Special Groups.

OK - point taken, but can you justify setting a user explicitly as a
member of Users (and this is the default) when they are anyway a member of
Users - not to mention the confusion to the poor punter like me, who
expects that if I then remove a user from being a member of Users then
he stops being a member of Users.

(Maybe I just need to go to someone to knock the sense out of me :( 
After working 20+ years with the AS/400 [1] I find I must learn to stop
thinking logically)
>
>(Of course it isn't a very GOOD name <grin> and should have been called
>Automatic or perhaps best would have been Dynamic Groups since the OS
>automatically assigns users to the special groups automatically and
>dynamically when they meet certain conditions.)

[1] For those not that old, the AS/400 (and its parent the S/38) were
first designed by a group of academics, the operating system was then
written, and the hardware (microcode) built to satisfy the needs of the
OS. Ahhh - those were the days :) 
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 6, 2005 11:46:57 PM

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:ymmqZ4IAPa3BFAzf@dessergroup.onetel.co.uk...
> In article <uOA16728EHA.3988@TK2MSFTNGP10.phx.gbl>, Herb Martin
> <news@LearnQuick.com> Wed, 5 Jan 2005 15:29:59 writes
>
> >> I just wish that the definition of a group would not be muddied by
> >> having special collections such as Users called the same as a group
> >> created by human intelligence - see my reply to Herb a few minutes ago.
> >
> >I would really need to disagree with this (false) distinction -- Users
> >is indeed in every sense a Group.
> >
> >It just happens to be a Built-In Group with built-in behavior which can
> >be critical to getting a system to work by default.
> >
> >Even Everyone is a group in the true sense although this class has its
> >own name as well: Special Groups.
>
> OK - point taken, but can you justify setting a user explicitly as a
> member of Users (and this is the default) when they are anyway a member of
> Users
An account is automatically added to users as a part of the
process of defining the new account.
Hence, you do not need to add it to Users unless you have
removed it and want to re-add it.

> - not to mention the confusion to the poor punter like me, who
> expects that if I then remove a user from being a member of Users then
> he stops being a member of Users.
>
Once more, if you do not let INTERACTIVE and/or Authenticated Users
be a member of Users, then removing an account from the Users group
does in fact stop that account from being a member of Users.
If INTERACTIVE is a member of Users, then as soon as an account
has logged in locally INTERACTIVE is replaced by that account,
making the account a member of Users. Similarly with Authenticated
Users, except that as soon as an account has authenticated it becomes
a member of Authenticated Users, and hence of Users.
You can remove these from Users if you do not want this behavior.

> (Maybe I just need to go to someone to knock the sense out of me :( 
> After working 20+ years with the AS/400 [1] I find I must learn to stop
> thinking logically)
It is actually very logical as it is. Having run VM/CMS for many years
in the distant past I would venture to say that it is equally logical as
A, B, . . . G is (was) there and that the Windows way is more well
ordered and mathematical.

> >
> >(Of course it isn't a very GOOD name <grin> and should have been called
> >Automatic or perhaps best would have been Dynamic Groups since the OS
> >automatically assigns users to the special groups automatically and
> >dynamically when they meet certain conditions.)
>
> [1] For those not that old, the AS/400 (and its parent the S/38) were
> first designed by a group of academics, the operating system was then
> written, and the hardware (microcode) built to satisfy the needs of the
> OS. Ahhh - those were the days :) 
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 6, 2005 11:47:12 PM

In article <eUD7OQ88EHA.2572@tk2msftngp13.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Thu, 6 Jan 2005 00:51:04 writes

>For W2k the initial, install defaults for the security ACLs on reg
>vals, folders, files, services, etc. are contained in the file setup
>security.inf to be found in your c:\WINNT\security\templates folder.

[Snip wealth of info]

I have got as far as installing the snap-in and viewing the template -
(interesting how a messy text file can look so nice when presented via
GUI)

I have saved your post and will work at it later - many thanks.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 6, 2005 11:47:13 PM

Good luck Les - there is a lot of technology there.
If you search on Security Configuration Toolset, and
similar on the MS site you will likely find some step by
steps on using the snap-ins.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:o mCsZRJQPa3BFAxJ@dessergroup.onetel.co.uk...
> In article <eUD7OQ88EHA.2572@tk2msftngp13.phx.gbl>, Roger Abell
> <mvpNOSpam@asu.edu> Thu, 6 Jan 2005 00:51:04 writes
>
>>For W2k the initial, install defaults for the security ACLs on reg vals,
>>folders, files, services, etc. are contained in the file setup
>>security.inf to be found in your c:\WINNT\security\templates folder.
>
> [Snip wealth of info]
>
> I have got as far as installing the snap-in and viewing the template -
> (interesting how a messy text file can look so nice when present via GUI)
>
> I have saved your post and will work at it later - many thanks.
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 7, 2005 12:24:44 AM

In article <#j9oj#98EHA.2180@TK2MSFTNGP12.phx.gbl>, Herb Martin
<news@LearnQuick.com> Thu, 6 Jan 2005 05:00:38 writes

>"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
>> As Herb indicated Users is a group.
>> Nothing magic about it. The membership of Users is
>> clearly viewable, and Users contains nothing other than
>> what is there, clearly viewable.

Yes but not so clear...

I see a list of users (which no longer exist on my system) followed by

NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\INTERACTIVE (S-1-5-4)

(not sure of the bits in brackets)

I accept that for the initiated, they know that when I remove Les from
group Users, Les is STILL a member of Users because he is an
Authenticated User ... Had Les never been or allowed to be an explicit
member of Users then I think I would have cottoned on to what was going
on.

After further messing about I can give a little ground :)  I see that
the two entries above can be merrily deleted from Users - and I think an
early responder to my initial post mentioned that the default structure
could be changed.

So I can see that if that were the case then adding individual users
into Users would have meaning.

I see I have stepped into a minefield - and the quicker I depart the
healthier it would be :) 

But seriously, I have learnt a lot (obviously only a little of what
there is to know) and would thank all for the detailed posts - several
of which followed this one.
>
[Snip details]

I have kept this and several other posts for further reading. Should
keep me out of mischief for a while.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 7, 2005 12:24:45 AM

"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:xmRqpBLcya3BFASf@dessergroup.onetel.co.uk...
> In article <#j9oj#98EHA.2180@TK2MSFTNGP12.phx.gbl>, Herb Martin
> <news@LearnQuick.com> Thu, 6 Jan 2005 05:00:38 writes
>
> >"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
> >> As Herb indicated Users is a group.
> >> Nothing magic about it. The membership of Users is
> >> clearly viewable, and Users contains nothing other than
> >> what is there, clearly viewable.
>
> Yes but not so clear...
>
> I see a list of users (which no longer exist on my system) followed by
>
> NT AUTHORITY\Authenticated Users (S-1-5-11)
> NT AUTHORITY\INTERACTIVE (S-1-5-4)
>
> (not sure of the bits in brackets)
>

They are called the SIDs. These are the true, unique internal identifier
of the principal. In the case of these two, these are "well known sids"
which means that they are the same on any instance of Windows.
Most SIDs have a part in them that makes them uniquely tied to only
one instance of installed Windows.

> I accept that for the initiated, they know that when I remove Les from
> group Users, Les is STILL a members of Users because he is an
> Authenticated User ... Had Les never been or allowed to be an explicit
> member of Users then I think I would have cottoned on to what was going
> on.
>
> After further messing about I can give a little ground :)  I see that
> the two entries above can be merrily deleted from Users - and I think an
> early responder to my initial post mentioned that the default structure
> could be changed.

That would be me . . .
I also cautioned that one may need to make sure that the parts, if any,
of what these were doing and which one desired to retain would need
to be otherwise provided for.
For example, if you remove these from Users, then on XP or W2k3 if
you were to enable the Guest account and allow it to log in locally you
would find that the logon would be unsuccessful, unless you either added
one of these back into Users or explicitly added Guest to Users.

In early NT 4 these were not members of Users - that installation default
membership of Users started with the release of W2k.
>
> So I can see that if that were the case then adding individual users
> into Users would have meaning.
>
> I see I have stepped into a minefield - and the quicker I depart the
> healthier it would be :) 
>

Not necessarily. You have likely learned a little of this OS and of
its history. Further, you have expressed such that I can see that we
agree on this. I have for years been very vocal with MS that having
these two in the default membership of Users is wrong, that it obviates
just what Users should be about, and that it makes extra work for corps
where specific accounts and only those accounts are supposed to be
allowed to log in at specific machines.

> But seriously, I have learnt a lot (obviously only a little of what
> there is to know) and would thank all for the detailed posts - several
> of which followed this one.

No problem Les. It has been sort of a fun exchange.

> >
> [Snip details]
>
> I have kept this and several other posts for further reading. Should
> keep me out of mischief for a while.
. . . and if they do not, just remember the link
www.reskits.com
--
ra
> --
> Les Desser
> (The Reply-to address IS valid)
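Two of Roger's points in this exchange lend themselves to a small model: the earlier one, that an account removed from Users still ends up in Users through the nested INTERACTIVE (S-1-5-4) and Authenticated Users (S-1-5-11) entries, and the one just above, that those two are well-known SIDs while most SIDs carry a machine- or domain-specific part. The following is an added example written for this page, not code from the thread or from Microsoft. The group listing it parses is constructed in the "name (SID)" form Les pasted, the S-1-5-21 machine SID in it is a placeholder, and the `authenticated`/`interactive` flags on a logon are a modelling assumption (a Guest logon is modelled as interactive but not authenticated).

```python
"""Added example: how nested well-known principals make an account an
implicit member of the local Users group, and how SIDs are classified.

Not code from the thread. The USERS_LISTING text below is constructed in
the 'name (SID)' format Les pasted; its S-1-5-21 machine SID is a placeholder.
"""
import re
from dataclasses import dataclass

# SIDs that are identical on every Windows installation ("well known").
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Constructed sample of a Users group listing with SIDs (placeholder machine SID).
USERS_LISTING = """\
DESKTOP-EXAMPLE\\les (S-1-5-21-1111111111-2222222222-3333333333-1001)
NT AUTHORITY\\Authenticated Users (S-1-5-11)
NT AUTHORITY\\INTERACTIVE (S-1-5-4)
"""

_ENTRY = re.compile(r"^(?P<name>.+?) \((?P<sid>S-\d+(?:-\d+)+)\)$")


def parse_listing(text):
    """Return {sid: name} for every 'name (SID)' line; other lines are ignored."""
    members = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            members[m.group("sid")] = m.group("name")
    return members


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into (revision, identifier authority, [subauthorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_scope(sid):
    """'well-known' for SIDs that are the same on every install (including the
    BUILTIN\\* aliases S-1-5-32-RID), 'machine-or-domain' for
    S-1-5-21-<three subauthorities>-RID, which is tied to one install or domain,
    else 'other'."""
    _, authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN_SIDS or (authority == 5 and subs[:1] == [32]):
        return "well-known"
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "machine-or-domain"
    return "other"


@dataclass
class LogonSession:
    account_sid: str
    authenticated: bool  # modelling assumption: False for Guest/anonymous logons
    interactive: bool    # True when the account logged on at the keyboard


def token_sids(session):
    """SIDs the system places in the access token for this logon."""
    sids = {session.account_sid}
    if session.authenticated:
        sids.add("S-1-5-11")   # Authenticated Users
    if session.interactive:
        sids.add("S-1-5-4")    # INTERACTIVE
    return sids


def users_membership_via(users_members, session):
    """Which entries of the Users listing put this logon into Users?
    An empty list means the account is not effectively a member of Users."""
    return sorted(token_sids(session) & set(users_members))


if __name__ == "__main__":
    members = parse_listing(USERS_LISTING)
    les = LogonSession("S-1-5-21-1111111111-2222222222-3333333333-1001", True, True)
    print("les is in Users via:", users_membership_via(members, les))
    # Remove les explicitly, as Les did: still in Users through S-1-5-11 and S-1-5-4.
    members.pop(les.account_sid)
    print("after removing les explicitly:", users_membership_via(members, les))
    # Remove the two nested principals as well: now the removal actually takes effect.
    for sid in ("S-1-5-11", "S-1-5-4"):
        members.pop(sid)
    print("after removing the nested principals:", users_membership_via(members, les))
```

Run stand-alone, it prints three stages: the explicit entry plus both nested principals, then only the two nested principals, then an empty list once those are removed too, which is the state in which Roger says removing an account from Users really does remove it.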
Anonymous
January 7, 2005 3:15:33 AM

> >Even Everyone is a group in the true sense although this class has its
> >own name as well: Special Groups.
>
> OK - point taken, but can you justify setting a user explicitly as a
> member of Users (and this is the default) when they are anyway a member of
> Users - not to mention the confusion to the poor punter like me, who
> expects that if I then remove a user from being a member of Users then
> he stops being a member of Users.

But that is precisely what Microsoft has done once you
realize that all privileges SHOULD be given through a
group, Users is a group which by default holds all
ordinary User accounts, and this Users group is used
to give the standard permissions needed to "Use the
system(s)".

Maybe a better, i.e., more specific, name -- and I am
a big proponent of proper naming -- could have been
chosen but I cannot think of a better name offhand.

(Site Link Bridges ARE misnamed, the "Local" Special
group is slightly misnamed - it should have been Direct
in contrast to Network or some such.)

> (Maybe I just need to go to someone to knock the sense out of me :( 
> After working 20+ years with the AS/400 [1] I find I must learn to stop
> thinking logically)

This is perfectly logical -- an account does not necessarily
have to be a "user" -- it might be a service or an anonymous
type account.

It is the membership in Users that makes a user-type account
a "User" or the Computer or Domain computers in general.


--
Herb Martin


"Les Desser" <NewsDump1@dessergroup.com> wrote in message
news:ymmqZ4IAPa3BFAzf@dessergroup.onetel.co.uk...
> In article <uOA16728EHA.3988@TK2MSFTNGP10.phx.gbl>, Herb Martin
> <news@LearnQuick.com> Wed, 5 Jan 2005 15:29:59 writes
>
> >> I just wish that that the definition of a group would not be muddied by
> >> having special collections such as Users called the same as a group
> >> created by human intelligence - see my reply to Herb a few minutes ago.
> >
> >I would really need to disagree with this (false) distinction -- Users
> >is indeed in every sense a Group.
> >
> >It just happens to be a Built-In Group with built-in behavior which can
> >be critical to getting a system to work by default.
> >
> >Even Everyone is a group in the true sense although this class has it's
> >own name as well: Special Groups.
>
> OK - point taken, but can you justify setting a user explicitly as a
> member of Users (and this the default) when they are anyway a member of
> Users - not to mention the confusion to the poor punter like me, who
> expects that if I then remove a user from being a member of Users then
> he stops being a member of Users.
>
> (Maybe I just need to go to someone to knock the sense out of me :( 
> After working 20+ years with the AS/400 [1] I find I must learn to stop
> thinking logically)
> >
> >(Of course it isn't a very GOOD name <grin> and should have been called
> >Automatic or perhaps best would have been Dynamic Groups since the OS
> >automatically assigns users to the special groups automatically and
> >dynamically when they meet certain conditions.)
>
> [1] For those not that old, the AS/400 (and its parent the S/38) were
> first designed by a group of academics, the operating system was then
> written, and the hardware (microcode) built to satisfy the needs of the
> OS. Ahhh - those were the days :) 
> --
> Les Desser
> (The Reply-to address IS valid)
Anonymous
January 7, 2005 3:17:42 AM

> An account is automatically added to users as a part of the
> process of defining the new account.
> Hence, you do not need to add it to Users unless you have
> removed it and want to re-add it.

Yes, and only (somewhat) knowledgeable people (e.g.,
experts or at least tyros who think themselves experts
<grin>) can get a user account out of Users.
Anonymous
January 7, 2005 3:26:05 AM

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:ojp$sCE9EHA.1392@tk2msftngp13.phx.gbl...

<snip stuff>

> I take a more simple approach. I think of things as Groups
> if I can manage their membership, even though MS (at times)
> would like some of these referenced as Built-in Groups.

I do this OR if it can be managed like a group in the sense
that I can put it into other groups, assign it permissions etc,
and it represents conceptually 1 or more unnamed users.

This is of course Microsoft's long standard practice of
including Special Groups in the group types discussion.

> To me, if I have defined it then it is a custom group and I just
> say "custom group" if I want to emphasize this. Otherwise a
> group is a group is good enough for me.

Yes, I seldom need to say "user/admin defined or custom"
group.

> Then, I think of the rest (where I cannot manage the membership)
> as either Special Groups (your dynamic groups which I find to be
> an appealing terminology), or as placeholder principals. Then to
> round things out, there are the Well Known SIDs.

Yes, dynamic groups says it much more clearly -- WHY it is
special.

> Issues like the doc speaking of the SYSTEM account but the GUI
> displaying the SYSTEM "account" often using the icon for a Group
> does not help matters.

Never noticed that.

Of course I may be one of the few people that regularly
assign or (more likely) DENIES access to System. <grin>

> Maybe some day things will have completed evolution so that a
> terminology that is both simple and sufficient can be established.

Actually it would hurt. Usually once a bad terminology
"sticks" it is worse to change it because then you have
the "bad terminology" and the new "good stuff" and not
only do you now have to explain the bad but explain how
it is the same as the good.

A current peeve of mine is the (correct) renaming of Primary
vs. Active Directory Integrated zone type, into Primaries
that are either "standard" or "AD integrated" .

I WOULD HAVE preferred the latter had it been used at
first - but now it just adds to the confusion.

Of course "Site Link Bridge" is so misleading that I TEACH
everyone to mentally rename it to Site Link Bridge-Group,
or Bridge-Grouping to help clarify what it does.
Anonymous
January 7, 2005 5:20:28 AM

I am not so sure as to how much trouble in the life of the software
result from living with bad naming conventions as compared to
having new/appropriate ones (for a time) co-exist with the ones
that are being aged out.

The ambiguity you mention on primary DNS zones, the ones that
are standard primary and the ones that are AD integrated has always
existed. I struggled with this very thing when writing Windows
2000 DNS in late 1999, eventually deciding on the tactic used just
now. If it is SOA it is primary - whether AD integrated or not, and
if not then use the "std" adjective to indicate old-school, bind type
semantics.

Sometimes I am tempted to distinguish the "special" principals
based on whether they, like Authenticated Users, cause an addition
to the user token, or whether they really are only used on the objects
being secured where they are interpreted with "special handling".
However, that is just too deep for practical, daily use.

I believe that we have the term "special" principals and "special"
groups because the naming originated with the dev from a dev
mentality - they had to write one-off, special case code to handle.

Oh, and speaking of pet peeves, my newest, as of today is the
"Malicious Software" Removal Tool, or was that the Malicious
"Software Removal" Tool ??

In future you will likely see me using the term dynamic and/or
synonymously automatic for the groups of type we have here
discussed. It is meaningful, and distinguishes well the category
from what I have termed a (normal, custom or not) group.

--
Roger

"Herb Martin" <news@LearnQuick.com> wrote in message
news:o o0bnII9EHA.3592@TK2MSFTNGP09.phx.gbl...
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:o jp$sCE9EHA.1392@tk2msftngp13.phx.gbl...
>
> <snip stuff>
>
> > I take a more simple approach. I think of things as Groups
> > if I can manage their membership, even though MS (at times)
> > would like some of these referenced as Built-in Groups.
>
> I do this OR if it can be managed like a group in the sense
> that I can put it into other groups, assign it permissions etc,
> and it represents conceptionally 1 or more unnamed users.
>
> This is of course Microsoft's long standard practice of
> including Special Groups in the group types discussion.
>
> > To me, if I have defined it then it is a custom group and I just
> > say "custom group" if I want to emphasize this. Otherwise a
> > group is a group is good enough for me.
>
> Yes, I seldom need to say "user/admin defined or custom"
> group.
>
> > Then, I think of the rest (where I cannot manage the membership)
> > as either Special Groups (your dynamic groups which I find to be
> > an appealing terminology), or as placeholder principals. Then to
> > round things out, there are the Well Known SIDs.
>
> Yes, dynamic groups says it much more clearly -- WHY it is
> special.
>
> > Issues like the doc speaking of the SYSTEM account but the GUI
> > displaying the SYSTEM "account" often using the icon for a Group
> > does not help matters.
>
> Never noticed that.
>
> Of course I may be one of the few people that regularly
> assigne or (more likely) DENIES access to System. <grin>
>
> > Maybe some day things will have completed evolution so that a
> > terminology that is both simple and sufficient can be established.
>
> Actually it would hurt. Usually once a bad terminology
> "sticks" it is worse to change it because then you have
> the "bad terminology" and the new "good stuff" and not
> only do you now have to explain the bad but explain how
> it is the same as the good.
>
> A current peeve of mine is the (correct) renaming of Primary
> vs. Active Directory Integrated zone type, into Primaries
> that are either "standard" or "AD integrated" .
>
> I WOULD HAVE preferred the latter had it been used at
> first - but now it just adds to the confusion.
>
> Of course "Site Link Bridge" is so misleading that I TEACH
> everyone to mentally rename it to Site Link Bridge-Group,
> or Bridge-Grouping to help clarify what it does.
>
>
Anonymous
January 7, 2005 1:34:48 PM

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uzB90mJ9EHA.3320@TK2MSFTNGP10.phx.gbl...
> I am not so sure as to how much trouble in the life of the software
> result from living with bad naming conventions as compared to
> having new/appropriate ones (for a time) co-exist with the ones
> that are being aged out.
>
> The ambiguity you mention on primary DNS zones, the ones that
> are standard primary and the ones that are AD integrated has always
> existed. I struggled with this very thing when writing Windows
> 2000 DNS in late 1999, eventually deciding on the tactic used just
> now. If it is SOA it is primary - whether AD integrated or not, and
> if not then use the "std" adjective to indicate old-school, bind type
> semantics.

RE: "If it is SOA it is primary" -- What do you mean specifically
by this phrase?

(I have corrected similar terminology in the past, so I would
like to know what that means before agreeing or disagreeing.)

All DNS servers that hold the zone have an SOA record and
are authoritative for the zone (ok, ignoring Stub zones for now.)

> Sometimes I am tempted to distinguish the "special" principals
> based on whether they, like Authenticated Users, cause an addition
> to the user token, or whether they really are only used on the objects
> being secured where they are interpreted with "special handling".
> However, that is just too deep for practical, daily use.

Yes, it would help no one except system programmers who
really have no problem with the distinctions to begin with.

> Oh, and speaking of pet peeves, my newest, as of today is the
> "Malicious Software" Removal Tool, or was that the Malicious
> "Software Removal" Tool ??

You probably would get a kick out of noticing the
breakdown (pun intended) of the following profession:

psycho-the-rapist

> In future you will likely see me using the term dynamic and/or
> synonymously automatic for the groups of type we have here
> discussed.

I don't usually, even though I invented the terms because
then I must explain the standard Microsoft terminology too.

Generally when teaching about those I do mention these
names (dynamic or automatic) would have been better
choices.

> It is meaningful, and distinguishes well the category
> from what I have termed a (normal, custom or not) group.

Yes, many times just mentioning the better name choices
is all someone needs to latch onto the correct idea and
accept the clumsy name as-is.

For SiteLinkBridge(Groups) and Superscope(Groups)
I try to get everyone to ALWAYS append the word
Groups (or Grouping etc) to the name so as to remember
precisely what they do.


--
Herb Martin


Anonymous
January 8, 2005 1:11:11 AM

"Herb Martin" <news@LearnQuick.com> wrote in message
news:uzVCNgN9EHA.2032@tk2msftngp13.phx.gbl...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uzB90mJ9EHA.3320@TK2MSFTNGP10.phx.gbl...
> > I am not so sure as to how much trouble in the life of the software
> > result from living with bad naming conventions as compared to
> > having new/appropriate ones (for a time) co-exist with the ones
> > that are being aged out.
> >
> > The ambiguity you mention on primary DNS zones, the ones that
> > are standard primary and the ones that are AD integrated has always
> > existed. I struggled with this very thing when writing Windows
> > 2000 DNS in late 1999, eventually deciding on the tactic used just
> > now. If it is SOA it is primary - whether AD integrated or not, and
> > if not then use the "std" adjective to indicate old-school, bind type
> > semantics.
>
> RE: "If it is SOA it is primary" -- What do you mean specifically
> by this phrase?
>

If the zone holds an SOA record for the DNS server, then it is
primary on that DNS server. If not, it is not, and so is secondary.
Now, it turns out that the RFC allows for only one SOA and so
with AD integrated DNS zone one will see that the SOA resource
record is different on each DC where it is hosted as an AD
integrated primary zone. But, if a zone is in the DNS on a DC
or otherwise, and that server is not named in SOA resource record
in the zone data, then it is not primary (i.e. is secondary).

> (I have corrected similar terminology in the past, so I would
> like to know what that means before agreeing or disagreeing.)
>
> All DNS servers that hold the zone have an SOA record and
> are authoritative for the zone (ok, ignoring Stub zones for now.)
>

You may be thinking on NS records here . . .

> > Sometimes I am tempted to distinguish the "special" principals
> > based on whether they, like Authenticated Users, cause an addition
> > to the user token, or whether they really are only used on the objects
> > being secured where they are interpreted with "special handling".
> > However, that is just too deep for practical, daily use.
>
> Yes, it would help no one except system programmers who
> really have no problem with the distinctions to begin with.
>
> > Oh, and speaking of pet peeves, my newest, as of today is the
> > "Malicious Software" Removal Tool, or was that the Malicious
> > "Software Removal" Tool ??
>
> You probably would get a kick out of noticing the
> breakdown (pun intended) of the following profession:
>
> psycho-the-rapist
>

all these years and I have managed to not see that one . . .


> > In future you will likely see me using the term dynamic and/or
> > synonymously automatic for the groups of type we have here
> > discussed.
>
> I don't usually, even though I invented the terms because
> then I must explain the standard Microsoft terminology too.
>
> Generally when teaching about those I do mention these
> names (dynamic or automatic) would have been better
> choices.
>
> > It is meaningful, and distinguishes well the category
> > from what I have termed a (normal, custom or not) group.
>
> Yes, many times just mentioning the better name choices
> is all someone needs to latch onto the correct idea and
> accept the clumsy name as-is.
>
> For SiteLinkBridge(Groups) and Superscope(Groups)
> I try to get everyone to ALWAYS append the word
> Groups (or Grouping etc) to the name so as to remember
> precisely what they do.
>
>
> --
> Herb Martin
>
>
> >
> > --
> > Roger
> >
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > news:o o0bnII9EHA.3592@TK2MSFTNGP09.phx.gbl...
> > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > news:o jp$sCE9EHA.1392@tk2msftngp13.phx.gbl...
> > >
> > > <snip stuff>
> > >
> > > > I take a more simple approach. I think of things as Groups
> > > > if I can manage their membership, even though MS (at times)
> > > > would like some of these referenced as Built-in Groups.
> > >
> > > I do this OR if it can be managed like a group in the sense
> > > that I can put it into other groups, assign it permissions etc,
> > > and it represents conceptually 1 or more unnamed users.
> > >
> > > This is of course Microsoft's long standard practice of
> > > including Special Groups in the group types discussion.
> > >
> > > > To me, if I have defined it then it is a custom group and I just
> > > > say "custom group" if I want to emphasize this. Otherwise a
> > > > group is a group is good enough for me.
> > >
> > > Yes, I seldom need to say "user/admin defined or custom"
> > > group.
> > >
> > > > Then, I think of the rest (where I cannot manage the membership)
> > > > as either Special Groups (your dynamic groups which I find to be
> > > > an appealing terminology), or as placeholder principals. Then to
> > > > round things out, there are the Well Known SIDs.
> > >
> > > Yes, dynamic groups says it much more clearly -- WHY it is
> > > special.
> > >
> > > > Issues like the doc speaking of the SYSTEM account but the GUI
> > > > displaying the SYSTEM "account" often using the icon for a Group
> > > > does not help matters.
> > >
> > > Never noticed that.
> > >
> > > Of course I may be one of the few people that regularly
> > > assign or (more likely) DENIES access to System. <grin>
> > >
> > > > Maybe some day things will have completed evolution so that a
> > > > terminology that is both simple and sufficient can be established.
> > >
> > > Actually it would hurt. Usually once a bad terminology
> > > "sticks" it is worse to change it because then you have
> > > the "bad terminology" and the new "good stuff" and not
> > > only do you now have to explain the bad but explain how
> > > it is the same as the good.
> > >
> > > A current peeve of mine is the (correct) renaming of Primary
> > > vs. Active Directory Integrated zone type, into Primaries
> > > that are either "standard" or "AD integrated" .
> > >
> > > I WOULD HAVE preferred the latter had it been used at
> > > first - but now it just adds to the confusion.
> > >
> > > Of course "Site Link Bridge" is so misleading that I TEACH
> > > everyone to mentally rename it to Site Link Bridge-Group,
> > > or Bridge-Grouping to help clarify what it does.
> > >
> > >
> >
> >
>
>
Anonymous
January 8, 2005 6:19:12 AM

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
> "Herb Martin" <news@LearnQuick.com> wrote in message
> > RE: "If it is SOA it is primary" -- What do you mean specifically
> > by this phrase?
> >
>
> If the zone holds an SOA record for the DNS server, then it is
> primary on that DNS server. If not, it is not, and so is secondary.

No, that is just wrong -- all secondaries hold a copy of
the SOA. This is part of the mistaken terminology (and
just an odd way of saying it) that I try to correct.

You know this if you think about your own secondaries
a moment since all of them have that SOA record --
which like all other records on the secondary is not
editable.

In BIND, or any traditional DNS you also know that the
"zone transfer" is a file transfer of the entire zone file,
including the SOA record which functions as the HEADER
record of the zone.

I see the problem below so keep reading please...

> Now, it turns out that the RFC allows for only one SOA and so
> with AD integrated DNS zone one will see that the SOA resource
> record is different on each DC where it is hosted as an AD
> integrated primary zone. But, if a zone is in the DNS on a DC
> or otherwise, and that server is not named in SOA resource record
> in the zone data, then it is not primary (i.e. is secondary).

Ok, you are confusing "named in [the] SOA" [as primary]
with "holds" the SOA record itself.

It's a poor distinction in any case since so many people are
already confused about SOA records in general (or know
nothing about them) and because they then extrapolate this
confusion to claim that Secondaries are (incorrectly) not
authoritative.

Traditionally the SOA record could only list one
"Primary server" because there was only one copy
of the replicated SOA record -- the same on all
authoritative servers.

Today, each DC may have an editable copy/version
and the option arose to suppress the replication of that
specific field even though other elements must be
replicated (responsible person, serial number, etc.)
to maintain the zone integrity.

There is a much simpler way, and that is if the SOA
"editable" on that server it is one of the "set of Primary
servers".


--
Herb Martin
Anonymous
January 8, 2005 12:26:19 PM

<quote>
the zone holds an SOA record for the DNS server
</quote>
"for the DNS server"
<quote>
Ok, you are confusing "named in [the] SOA" [as primary]
with "holds" the SOA record itself.
</quote>
No, I was NOT confusing them.
I was explicitly stating that they are the same
when the zone is primary.
<quote>
There is a much simpler way, and that is if the SOA
"editable" on that server it is one of the "set of Primary
servers".
</quote>
which is exactly the effect of the server named in the
SOA being the server the zone copy is hosted on,
i.e.
"the zone holds an SOA record for the DNS server"

and, as an aside
<quote>
It's a poor distinction in any case since so many people are
already confused about SOA records in general (or know
nothing about them) and because they then extrapolate this
confusion to claim that Secondaries are (incorrectly) not
authoritative.
</quote>
Then they need to translate the S of SOA meaningfully,
and to understand that they are thinking of NS records.
--
Roger
"Herb Martin" <news@LearnQuick.com> wrote in message
news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > RE: "If it is SOA it is primary" -- What do you mean specifically
> > > by this phrase?
> > >
> >
> > If the zone holds an SOA record for the DNS server, then it is
> > primary on that DNS server. If not, it is not, and so is secondary.
>
> No, that is just wrong -- all secondaries hold a copy of
> the SOA. This is part of the mistaken terminology (and
> just an odd way of saying it) that I try to correct.
>
> You know this if you think about your own secondaries
> a moment since all of them have that SOA record --
> which like all other records on the secondary is not
> editable.
>
> In BIND, or any traditional DNS you also know that the
> "zone transfer" is a file transfer of the entire zone file,
> including the SOA record which functions as the HEADER
> record of the zone.
>
> I see the problem below so keep reading please...
>
> > Now, it turns out that the RFC allows for only one SOA and so
> > with AD integrated DNS zone one will see that the SOA resource
> > record is different on each DC where it is hosted as an AD
> > integrated primary zone. But, if a zone is in the DNS on a DC
> > or otherwise, and that server is not named in SOA resource record
> > in the zone data, then it is not primary (i.e. is secondary).
>
> Ok, you are confusing "named in [the] SOA" [as primary]
> with "holds" the SOA record itself.
>
> It's a poor distinction in any case since so many people are
> already confused about SOA records in general (or know
> nothing about them) and because they then extrapolate this
> confusion to claim that Secondaries are (incorrectly) not
> authoritative.
>
> Traditionally the SOA record could only list one
> "Primary server" because there was only one copy
> of the replicated SOA record -- the same on all
> authoritative servers.
>
> Today, each DC may have an editable copy/version
> and the option arose to suppress the replication of that
> specific field even though other elements must be
> replicated (responsible person, serial number, etc.)
> to maintain the zone integrity.
>
> There is a much simpler way, and that is if the SOA
> "editable" on that server it is one of the "set of Primary
> servers".
>
>
> --
> Herb Martin
>
>
Anonymous
January 8, 2005 12:34:50 PM

Herb,

As an afterthought, I believe I see the source of our
linguistic confusion.
To me the SOA RR names the SOA.
So, saying that the SOA is the DNS server holding the zone
or
> If the zone holds an SOA record for the DNS server, then it is
> primary on that DNS server. If not, it is not, and so is secondary.
is absolutely correct and precise, as
> If the zone holds an SOA record for the DNS server
says, on the DNS server concerned, if the SOA RR names
that same DNS server as SOA

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Herb Martin" <news@LearnQuick.com> wrote in message
news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > RE: "If it is SOA it is primary" -- What do you mean specifically
> > > by this phrase?
> > >
> >
> > If the zone holds an SOA record for the DNS server, then it is
> > primary on that DNS server. If not, it is not, and so is secondary.
>
> No, that is just wrong -- all secondaries hold a copy of
> the SOA. This is part of the mistaken terminology (and
> just an odd way of saying it) that I try to correct.
>
> You know this if you think about your own secondaries
> a moment since all of them have that SOA record --
> which like all other records on the secondary is not
> editable.
>
> In BIND, or any traditional DNS you also know that the
> "zone transfer" is a file transfer of the entire zone file,
> including the SOA record which functions as the HEADER
> record of the zone.
>
> I see the problem below so keep reading please...
>
> > Now, it turns out that the RFC allows for only one SOA and so
> > with AD integrated DNS zone one will see that the SOA resource
> > record is different on each DC where it is hosted as an AD
> > integrated primary zone. But, if a zone is in the DNS on a DC
> > or otherwise, and that server is not named in SOA resource record
> > in the zone data, then it is not primary (i.e. is secondary).
>
> Ok, you are confusing "named in [the] SOA" [as primary]
> with "holds" the SOA record itself.
>
> It's a poor distinction in any case since so many people are
> already confused about SOA records in general (or know
> nothing about them) and because they then extrapolate this
> confusion to claim that Secondaries are (incorrectly) not
> authoritative.
>
> Traditionally the SOA record could only list one
> "Primary server" because there was only one copy
> of the replicated SOA record -- the same on all
> authoritative servers.
>
> Today, each DC may have an editable copy/version
> and the option arose to suppress the replication of that
> specific field even though other elements must be
> replicated (responsible person, serial number, etc.)
> to maintain the zone integrity.
>
> There is a much simpler way, and that is if the SOA
> "editable" on that server it is one of the "set of Primary
> servers".
>
>
> --
> Herb Martin
>
>
Anonymous
January 8, 2005 4:57:30 PM

> No, I was NOT confusing them.
> I was explicitly stating the they are the same
> when the zone is primary.

Well, there is no way that only the Primary, and
not secondaries, has an SOA record.

The SOA is about the zone -- and the Secondaries
have a copy of this record.

That it mentions the Primary doesn't mean they
don't HOLD a copy.

--
Herb Martin


"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:evo7a5Z9EHA.2316@TK2MSFTNGP15.phx.gbl...
> <quote>
> the zone holds an SOA record for the DNS server
> </quote>
> "for the DNS server"
> <quote>
> Ok, you are confusing "named in [the] SOA" [as primary]
> with "holds" the SOA record itself.
> </quote>
> No, I was NOT confusing them.
> I was explicitly stating that they are the same
> when the zone is primary.
> <quote>
> There is a much simpler way, and that is if the SOA
> "editable" on that server it is one of the "set of Primary
> servers".
> </quote>
> which is exactly the effect of the server named in the
> SOA being the server the zone copy is hosted on,
> i.e.
> "the zone holds an SOA record for the DNS server"
>
> and, as an aside
> <quote>
> It's a poor distinction in any case since so many people are
> already confused about SOA records in general (or know
> nothing about them) and because they then extrapolate this
> confusion to claim that Secondaries are (incorrectly) not
> authoritative.
> </quote>
> Then they need to translate the S of SOA meaningfully,
> and to understand that they are thinking of NS records.
> --
> Roger
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
> > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > > RE: "If it is SOA it is primary" -- What do you mean specifically
> > > > by this phrase?
> > > >
> > >
> > > If the zone holds an SOA record for the DNS server, then it is
> > > primary on that DNS server. If not, it is not, and so is secondary.
> >
> > No, that is just wrong -- all secondaries hold a copy of
> > the SOA. This is part of the mistaken terminology (and
> > just an odd way of saying it) that I try to correct.
> >
> > You know this if you think about your own secondaries
> > a moment since all of them have that SOA record --
> > which like all other records on the secondary is not
> > editable.
> >
> > In BIND, or any traditional DNS you also know that the
> > "zone transfer" is a file transfer of the entire zone file,
> > including the SOA record which functions as the HEADER
> > record of the zone.
> >
> > I see the problem below so keep reading please...
> >
> > > Now, it turns out that the RFC allows for only one SOA and so
> > > with AD integrated DNS zone one will see that the SOA resource
> > > record is different on each DC where it is hosted as an AD
> > > integrated primary zone. But, if a zone is in the DNS on a DC
> > > or otherwise, and that server is not named in SOA resource record
> > > in the zone data, then it is not primary (i.e. is secondary).
> >
> > Ok, you are confusing "named in [the] SOA" [as primary]
> > with "holds" the SOA record itself.
> >
> > It's a poor distinction in any case since so many people are
> > already confused about SOA records in general (or know
> > nothing about them) and because they then extrapolate this
> > confusion to claim that Secondaries are (incorrectly) not
> > authoritative.
> >
> > Traditionally the SOA record could only list one
> > "Primary server" because there was only one copy
> > of the replicated SOA record -- the same on all
> > authoritative servers.
> >
> > Today, each DC may have an editable copy/version
> > and the option arose to suppress the replication of that
> > specific field even though other elements must be
> > replicated (responsible person, serial number, etc.)
> > to maintain the zone integrity.
> >
> > There is a much simpler way, and that is if the SOA
> > "editable" on that server it is one of the "set of Primary
> > servers".
> >
> >
> > --
> > Herb Martin
> >
> >
>
>
Anonymous
January 8, 2005 4:57:31 PM

It just seems to me now that you are confusing the
SOA with the SOA RR
All copies of the zone hold the SOA RR
Only on a primary does the SOA RR name that
DNS server as SOA
In Bindish DNS this happens on only one DNS server
whereas in MS AD integrated zones this happens on
all DCs where the zone is held AD integrated.
In all cases the zone is primary because the SOA
that is indicated in the SOA RR is the DNS server.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Herb Martin" <news@LearnQuick.com> wrote in message
news:o c1d%23zb9EHA.2032@tk2msftngp13.phx.gbl...
> > No, I was NOT confusing them.
> > I was explicitly stating the they are the same
> > when the zone is primary.
>
> Well, there is no way that only the Primary, and
> not secondaries, has an SOA record.
>
> The SOA is about the zone -- and the Secondaries
> have a copy of this record.
>
> That it mentions the Primary doesn't mean they
> don't HOLD a copy.
>
> --
> Herb Martin
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:evo7a5Z9EHA.2316@TK2MSFTNGP15.phx.gbl...
> > <quote>
> > the zone holds an SOA record for the DNS server
> > </quote>
> > "for the DNS server"
> > <quote>
> > Ok, you are confusing "named in [the] SOA" [as primary]
> > with "holds" the SOA record itself.
> > </quote>
> > No, I was NOT confusing them.
> > I was explicitly stating that they are the same
> > when the zone is primary.
> > <quote>
> > There is a much simpler way, and that is if the SOA
> > "editable" on that server it is one of the "set of Primary
> > servers".
> > </quote>
> > which is exactly the effect of the server named in the
> > SOA being the server the zone copy is hosted on,
> > i.e.
> > "the zone holds an SOA record for the DNS server"
> >
> > and, as an aside
> > <quote>
> > It's a poor distinction in any case since so many people are
> > already confused about SOA records in general (or know
> > nothing about them) and because they then extrapolate this
> > confusion to claim that Secondaries are (incorrectly) not
> > authoritative.
> > </quote>
> > Then they need to translate the S of SOA meaningfully,
> > and to understand that they are thinking of NS records.
> > --
> > Roger
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
> > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> > > news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
> > > > "Herb Martin" <news@LearnQuick.com> wrote in message
> > > > > RE: "If it is SOA it is primary" -- What do you mean specifically
> > > > > by this phrase?
> > > > >
> > > >
> > > > If the zone holds an SOA record for the DNS server, then it is
> > > > primary on that DNS server. If not, it is not, and so is secondary.
> > >
> > > No, that is just wrong -- all secondaries hold a copy of
> > > the SOA. This is part of the mistaken terminology (and
> > > just an odd way of saying it) that I try to correct.
> > >
> > > You know this if you think about your own secondaries
> > > a moment since all of them have that SOA record --
> > > which like all other records on the secondary is not
> > > editable.
> > >
> > > In BIND, or any traditional DNS you also know that the
> > > "zone transfer" is a file transfer of the entire zone file,
> > > including the SOA record which functions as the HEADER
> > > record of the zone.
> > >
> > > I see the problem below so keep reading please...
> > >
> > > > Now, it turns out that the RFC allows for only one SOA and so
> > > > with AD integrated DNS zone one will see that the SOA resource
> > > > record is different on each DC where it is hosted as an AD
> > > > integrated primary zone. But, if a zone is in the DNS on a DC
> > > > or otherwise, and that server is not named in SOA resource record
> > > > in the zone data, then it is not primary (i.e. is secondary).
> > >
> > > Ok, you are confusing "named in [the] SOA" [as primary]
> > > with "holds" the SOA record itself.
> > >
> > > It's a poor distinction in any case since so many people are
> > > already confused about SOA records in general (or know
> > > nothing about them) and because they then extrapolate this
> > > confusion to claim that Secondaries are (incorrectly) not
> > > authoritative.
> > >
> > > Traditionally the SOA record could only list one
> > > "Primary server" because there was only one copy
> > > of the replicated SOA record -- the same on all
> > > authoritative servers.
> > >
> > > Today, each DC may have an editable copy/version
> > > and the option arose to suppress the replication of that
> > > specific field even though other elements must be
> > > replicated (responsible person, serial number, etc.)
> > > to maintain the zone integrity.
> > >
> > > There is a much simpler way, and that is if the SOA
> > > "editable" on that server it is one of the "set of Primary
> > > servers".
> > >
> > >
> > > --
> > > Herb Martin
> > >
> > >
> >
> >
>
>
Anonymous
January 8, 2005 10:51:48 PM

In article <eXUZ0aF9EHA.936@TK2MSFTNGP12.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Thu, 6 Jan 2005 18:20:50 writes

>> - not to mention the confusion to the poor punter like me, who
>> expects that if I then remove a user from being a member of Users then
>> he stops being a member of Users.
>>
>Once more, if you do not let INTERACTIVE and/or Authenticated Users be
>a member of Users, then removing an account from the Users group does
>in fact stop that account from being a member of Users. If INTERACTIVE
>is a member of Users, then as soon as an account has logged in locally
>INTERACTIVE is replaced by that account, making the account a member of
>Users. Similarly with Authenticated Users, except that as soon as an
>account has authenticated it becomes a member of Authenticated Users,
>and hence of Users. You can remove these from Users if you do not want
>this behavior.

I think I will take you up on that suggestion the next time I want to
secure a PC in similar circumstances. I see from another of your
replies that its removal can have repercussions on Guests but that is of
no concern.

It is simple when you know how!

(I still think it is wrong for MS to set, by default, BOTH a user
explicitly into Users and INTERACTIVE/Authenticated also into Users - do
one or the other but not both. Having said it many times in this thread
and been outvoted, I will now stop <bg>)

PS - just been reading another of your replies, so maybe not completely
outvoted. You wrote:-

>I have for years been very vocal with MS that having these two in the
>default membership of Users is wrong, that it obviates just what Users
>should be about, and that it makes extra work for corps where specific
>accounts and only those accounts are supposed to be allowed to log in
>at specific machines.
--
Les Desser
(The Reply-to address IS valid)
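Roger's point above (an account can be in Users only because INTERACTIVE or Authenticated Users is nested inside it) can be checked directly on a current Windows host with the following PowerShell. This is an added example, not code from the thread; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) and uses the well-known SIDs quoted earlier in the thread plus S-1-5-32-545 for BUILTIN\Users.

```powershell
# Added example, not from the thread. Audits the local Users group for the
# "dynamic" principals discussed above (INTERACTIVE, Authenticated Users) and
# shows how they surface in the current logon token. Assumes the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later).

# Well-known SIDs quoted in the thread, plus BUILTIN\Users itself.
$InteractiveSid   = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
$AuthenticatedSid = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users
$UsersSid         = 'S-1-5-32-545'   # BUILTIN\Users

function Get-DynamicMembersOfGroup {
    # Lists members of a local group whose SID is INTERACTIVE or Authenticated Users,
    # i.e. the nested entries that make "any account that logs in" a member.
    param([string]$Group = 'Users')
    $dynamicSids = @($InteractiveSid, $AuthenticatedSid)
    Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        Where-Object { $dynamicSids -contains $_.SID.Value } |
        Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }
}

function Test-ExplicitMember {
    # True when the account SID is listed directly in the group, which is
    # "exactly what is shown when you view it", as Roger puts it.
    param([string]$Group = 'Users', [Parameter(Mandatory)][string]$AccountSid)
    $direct = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        Where-Object { $_.SID.Value -eq $AccountSid }
    return [bool]$direct
}

function Get-UsersMembershipReport {
    # Compares the explicit membership list with what the logon token carries.
    $me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($me.Groups | ForEach-Object { $_.Value })
    $dynamic   = @(Get-DynamicMembersOfGroup -Group 'Users')
    $explicit  = Test-ExplicitMember -Group 'Users' -AccountSid $me.User.Value
    $inToken   = $tokenSids -contains $UsersSid

    [pscustomobject]@{
        Account                  = $me.Name
        ExplicitMemberOfUsers    = $explicit
        UsersInLogonToken        = $inToken
        TokenHasInteractive      = $tokenSids -contains $InteractiveSid
        TokenHasAuthenticated    = $tokenSids -contains $AuthenticatedSid
        DynamicMembersOfUsers    = ($dynamic.Name -join ', ')
        # Les's case: removed from Users explicitly, yet still in Users at logon
        # because INTERACTIVE / Authenticated Users are nested inside it.
        MembershipOnlyViaNesting = (-not $explicit) -and $inToken -and ($dynamic.Count -gt 0)
    }
}

Get-UsersMembershipReport | Format-List

# To get the behaviour Roger describes (removing an account from Users really
# removes it), take the dynamic principals out of Users. Shown with -WhatIf so
# nothing changes until you drop it; the thread notes this can have
# repercussions on Guests, so test the result before rolling it out.
# Remove-LocalGroupMember -Group 'Users' -Member 'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\Authenticated Users' -WhatIf
```

Run it once from a normal interactive logon; if ExplicitMemberOfUsers is False while UsersInLogonToken is True, the membership comes only from the nested entries listed under DynamicMembersOfUsers.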
Anonymous
January 8, 2005 10:52:03 PM

In article <OuFVOhF9EHA.2316@TK2MSFTNGP15.phx.gbl>, Roger Abell
<mvpNOSpam@asu.edu> Thu, 6 Jan 2005 18:32:18 writes

>> NT AUTHORITY\Authenticated Users (S-1-5-11)
>> NT AUTHORITY\INTERACTIVE (S-1-5-4)
>>
>> (not sure of the bits in brackets)
>>
>
>They are called the SIDs.

[Snip details]

Thanks. I have seen SIDs mentioned but need to read more :) 
>>
>> I see I have stepped into a minefield - and the quicker I depart the
>> healthier it would be :) 
>>
>
>Not necessarily.

[....]

Thanks for your support.
>>
>> I have kept this and several other posts for further reading. Should
>> keep me out of mischief for a while.
> . . . and if they do not, just remember the link www.reskits.com

Duly noted. Thanks again.
--
Les Desser
(The Reply-to address IS valid)
Anonymous
January 9, 2005 1:46:47 AM

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:#bstCBc9EHA.1300@TK2MSFTNGP14.phx.gbl...
> It just seems to me now that you are confusing the
> SOA with the SOA RR

Of course I am talking about the SOA record.

What distinction are you making?


> All copies of the zone hold the SOA RR
> Only on a primary does the SOA RR name that
> DNS server as SOA
!