Is every user a member of Users?

Archived from groups: microsoft.public.win2000.security (More info?)

After trying to secure a stand alone PC I have come to the conclusion
that a user that is not a member of group Users, is nevertheless
implicitly part of that group.

Am I correct?
--
Les Desser
(The Reply-to address IS valid)
  1. Archived from groups: microsoft.public.win2000.security

    The membership in the Users group is only exactly what
    is shown when you view it.
    Now, in a default scenario you will see that Interactive
    and Authenticated Users are nested within Users.
    Due to these any account that logs in locally or any account
    that is authenticated (respectively) will become a Users
    member during that login/usage.
    These groups do not have to be nested within Users, but
    when removed one does need to understand what they have
    been enabling so that the parts of that which are needed can
    be provided.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:cDBxg5Aahd2BFANf@dessergroup.onetel.co.uk...
    > After trying to secure a stand alone PC I have come to the conclusion
    > that a user that is not a member of group Users, is nevertheless
    > implicitly part of that group.
    >
    > Am I correct?
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  2. Archived from groups: microsoft.public.win2000.security

    Yes. Anyone who logs on locally for instance is a member of the
    authenticated users group which is a member of the users group. Use the "
    net localgroup users " to see that and use the gpresult support tool to see
    all the groups that a user is a member of. Always be extremely careful
    when configuring deny user rights when adding the users or everyone groups.
    Exactly what are you trying to secure? --- Steve


    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:cDBxg5Aahd2BFANf@dessergroup.onetel.co.uk...
    > After trying to secure a stand alone PC I have come to the conclusion that
    > a user that is not a member of group Users, is nevertheless implicitly
    > part of that group.
    >
    > Am I correct?
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  3. Archived from groups: microsoft.public.win2000.security

    In article <x5mCd.20234$wu4.14984@attbi_s52>, Steven L Umbach
    <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 01:14:05 writes

    >Yes. Anyone who logs on locally for instance is a member of the
    >authenticated users group which is a member of the users group. Use the
    >" net localgroup users " to see that and use the gpresult support tool
    >to see all the groups that a user is a member of.

    At least that makes a bit more sense - see below

    > Always be extremely carefully when configuring deny user rights when
    >adding the users or everyone groups. Exactly what are you trying to
    >secure?

    I was trying to secure a stand alone W2K Pro PC so that a guest could
    browse the web and play some mp3 files but nothing else.

    I created a Visitors group and a Visitor user to be its member (rather
    than using Guests/Guest) and Visitor was not a member of Users and
    nevertheless Visitor could go anywhere until I removed all permissions
    for Users.

    I cannot understand having such a security model where Users/User exist
    and are granted permissions by default, but if membership of Users is
    removed from a user it is STILL a member of Users.

    If Users is something special then it should not be possible to assign a
    user explicitly to the Users group - something that is done all over the
    place by default.

    You live and learn - thanks for the quick response. I see bringing
    knowledge of a security model from elsewhere to Windows may be
    dangerous.

    I will pass your response on grc.techtalk where I have come from to get
    this sorted.

    Thanks again.
    --
    Les Desser
    (The Reply-to address IS valid)
  4. Archived from groups: microsoft.public.win2000.security

    The fact that a user can not be removed from the user group is probably to
    prevent denial of service attacks against the operating system similar in a
    way that the built in administrator account can not be removed from the
    local administrators group.

    If you wish to restrict a user add that user to a group and then use
    ntfs/registry permissions, user rights, and Group Policy to restrict the
    user. It is more difficult to use Group Policy to lockdown a user/group on a
    stand alone computer though as by default Group Policy applies to all local
    users though there are hacks that can change that to exempt local users from
    Group Policy. For instance you may be able to use Local Group Policy -
    gpedit.msc and restrict the user via user configuration/administrative
    tools/system where you can configure the setting for allowed Windows
    applications. If left blank the user will only be able to logon to the
    operating system and nothing else until you populate the allowed application
    list which may be harder than expected as some applications depend on other
    executables to run though filemon from SysInternals would be very helpful in
    sorting that out. The guest account in Windows 2000 also will not save the
    guest user profile when the guest logs off. --- Steve

    http://www.jsiinc.com/sube/tip2400/rh2492.htm -- filtering local Group
    Policy.

    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:yhvaIKBgTf2BFArC@dessergroup.onetel.co.uk...
    > In article <x5mCd.20234$wu4.14984@attbi_s52>, Steven L Umbach
    > <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 01:14:05 writes
    >
    >>Yes. Anyone who logs on locally for instance is a member of the
    >>authenticated users group which is a member of the users group. Use the "
    >>net localgroup users " to see that and use the gpresult support tool to
    >>see all the groups that a user is a member of.
    >
    > At least that makes a bit more sense - see below
    >
    >> Always be extremely carefully when configuring deny user rights when
    >> adding the users or everyone groups. Exactly what are you trying to
    >> secure?
    >
    > I was trying to secure a stand alone W2K Pro PC so that a guest could
    > browse the web and play some mp3 files but nothing else.
    >
    > I created a Visitors group and a Visitor user to be its member (rather
    > than using Guests/Guest) and Visitor was not a member of Users and
    > nevertheless Visitor could go anywhere until I removed all permissions for
    > Users.
    >
    > I cannot understand having such a security model where Users/User exist
    > and are granted permissions by default, but if membership of Users is
    > removed from a user it is STILL a member of Users.
    >
    > If Users is something special then it should not be possible to assign a
    > user explicitly to the Users group - something that is done all over the
    > place by default.
    >
    > You live and learn - thanks for the quick response. I see bringing
    > knowledge of a security model from elsewhere to Windows may be dangerous.
    >
    > I will pass your response on grc.techtalk where I have come from to get
    > this sorted.
    >
    > Thanks again.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  5. Archived from groups: microsoft.public.win2000.security

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:e7oCd.275281$5K2.222729@attbi_s03...
    > The fact that a user can not be removed from the user group is probably to
    > prevent denial of service attacks against the operating system similar in a
    > way that the built in administrator account can not be removed from the
    > local administrators group.

    Actually not all users are members of the Users group
    and this is NOT a "special group" so any user not
    a member of the group is not added dynamically.

    Such groups include Everyone, Authenticated Users,
    Interactive etc.

    As Roger says, what you see is what you get EXCEPT
    if one of these automatic (or a Global) group is a member
    in which case you get all the (current) members of the
    included group(s).

    Users are added to Users automatically on creation
    BY DEFAULT but it can be avoided with certain tools.

    For instance the IIS anonymous group is added to Guests
    instead.

    You cannot remove someone from Users unless you first
    get their "default group" (which is mostly for Macintosh
    support) changed to another group so this also means that
    users must be a member of at least one group.
  6. Archived from groups: microsoft.public.win2000.security

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:uTnGE8h8EHA.3012@TK2MSFTNGP09.phx.gbl...
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:e7oCd.275281$5K2.222729@attbi_s03...
    > > The fact that a user can not be removed from the user group is probably to
    > > prevent denial of service attacks against the operating system similar in a
    > > way that the built in administrator account can not be removed from the
    > > local administrators group.
    >
    > Actually not all users are members of the Users group
    > and this is NOT a "special group" so any user not
    > a member of the group is not added dynamically.
    >
    > Such groups include Everyone, Authenticated Users,
    > Interactive etc.
    >
    > As Roger says, what you see is what you get EXCEPT
    > if one of these automatic (or a Global) group is a member
    > in which case you get all the (current) members of the
    > included group(s).
    >
    > Users are added to Users automatically on creation
    > BY DEFAULT but it can be avoided with certain tools.
    >
    > For instance the IIS anonymous group is added to Guests
    > instead.
    >
    > You cannot remove someone from Users unless you first
    > get their "default group" (which is mostly for Macintosh
    > support) changed to another group so this also means that
    > users must be a member of at least one group.
    >


    . . . for which purpose I sometimes define a Dummy group
    that is not used anywhere, except to have accounts' Primary
    Group set to Dummy so that they may be removed from their
    default (at creation) Primary Group.

    Generally I have found that if an account is to be used for
    local logon (whether with keyboard or just by logon type)
    then that account needs to be in Users (hence INTERACTIVE
    being in Users is useful). However, the same does not hold
    if the account is only going to make use of network logins.

    --
    Roger Abell
  7. Archived from groups: microsoft.public.win2000.security

    In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
    <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes

    >The membership in the Users group is only exactly what is shown when
    >you view it. Now, in a default scenario you will see that Interactive
    >and Authenticated Users are nested within Users.

    Please do you have any pointers as to where I can see this on the system
    or at least read about it.

    > Due to these any account that logs in locally or any account that is
    >authenticated (respectively) will become a Users member during that
    >login/usage. These groups do not have to be nested within Users, but
    >when removed one does need to understand what they have been enabling
    >so that the parts of that which are needed can be provided.

    More reading - groan! :)

    I am just a starter on the Windows security front, but as I see it:-

    Users is a system group (like SYSTEM) (I wonder if I can delete it) and
    it should not be possible to assign anyone to this group. What strange
    mind thought up a structure that allows me to remove membership of a
    user from a specific group, but the user still remains (in 99.99% of the
    time) a member via a hidden route.

    Also, why does Windows put every newly created user explicitly into the
    Users group? - and thereby totally confuse poor punters like me.
    --
    Les Desser
    (The Reply-to address IS valid)
  8. Archived from groups: microsoft.public.win2000.security

    If you look at a Group with the Users and Groups tools
    (Computer Manager) or AD Users/Computer or any
    of the command line tools then "what you see is what
    you get" as long as you FOLLOW any references to
    other groups.

    E.g., if GroupA includes GroupB, then the members
    of GroupB are effectively members of GroupA.

    --
    Herb Martin


    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:T30y9wGOMo2BFA+A@dessergroup.onetel.co.uk...
    > In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
    > <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes
    >
    > >The membership in the Users group is only exactly what is shown when
    > >you view it. Now, in a default scenario you will see that Interactive
    > >and Authenticated Users are nested within Users.
    >
    > Please do you have any pointers as to where I can see this on the system
    > or at least read about it.
    >
    > > Due to these any account that logs in locally or any account that is
    > >authenticated (respectively) will become a Users member during that
    > >login/usage. These groups do not have to be nested within Users, but
    > >when removed one does need to understand what they have been enabling
    > >so that the parts of that which are needed can be provided.
    >
    > More reading - groan! :)
    >
    > I am just a starter on the Windows security front, but as I see it:-
    >
    > Users is a system group (like SYSTEM) (I wonder if I can delete it) and
    > it should not be possible to assign anyone to this group. What strange
    > mind thought up a structure that allows me to remove membership of a
    > user from a specific group, but the user still remains (in 99.99% of the
    > time) a member via a hidden route.
    >
    > Also, why does Windows put every newly created user explicitly into the
    > Users group? - and thereby totally confuse poor punters like me.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  9. Archived from groups: microsoft.public.win2000.security

    In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
    <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes

    >If you wish to restrict a user add that user to a group and then use
    >ntfs/registry permissions, user rights, and Group Policy
    ...[Snipped for later reading]

    I have taken a different route - maybe causing some damage on the way.
    (This is a holiday flat PC so I am not too concerned - more interested
    in learning about security issues)

    I have removed Users from all security permissions for all
    drives/folders and have created my own group to allow a fine level of
    control.

    Securing Program Files and WINNT[1] took a bit of fiddling to allow
    users to run applications.

    My Visitor can now play mp3 files in a subfolder of drive to which they
    are otherwise barred, and they are barred to all other drives but can
    still browse the web and open applications. Other users seem to have
    normal access.

    [1] WINNT had separate security for each sub-folder - no inheritance. I
    have changed that to inherit the settings from WINNT - we will see what
    happens in the longer term.
    --
    Les Desser
    (The Reply-to address IS valid)
  10. Archived from groups: microsoft.public.win2000.security

    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
    > In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
    > <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
    >
    > >If you wish to restrict a user add that user to a group and then use
    > >ntfs/registry permissions, user rights, and Group Policy
    > ..[Snipped for later reading]
    >
    > I have taken a different route - maybe causing some damage on the way.
    > (This is a holiday flat PC so I am not too concerned - more interested
    > in learning about security issues)

    > I have removed Users from all security permissions for all
    > drives/folders and have created my own group to allow a fine level of
    > control.
    >

    That [the principle of giving correct permissions
    rather than just defaults] is a really good practice but
    few do it, and it can be frustrated by tools like Frontpage
    which take (have traditionally taken?) a very simplistic
    attitude to setting the permissions on a web server.

    Another good move is to substitute such groups for
    most references to Everyone , or at least get
    Authenticated Users substituted for it.

    > Securing Program Files and WINNT[1] took a bit of fiddling to allow
    > users to run applications.


    > My Visitor can now play mp3 files in a subfolder of drive to which they
    > are otherwise barred, and they are barred to all other drives but can
    > still browse the web and open applications. Other users seem to have
    > normal access.
    >
    > [1] WINNT had separate security for each sub-folder - no inheritance. I
    > have changed that to inherit the settings from WINNT - we will see what
    > happens in the longer term.


    --
    Herb Martin


    > --
    > Les Desser
    > (The Reply-to address IS valid)
  11. Archived from groups: microsoft.public.win2000.security

    That can also work well using a different approach to the same strategy,
    particularly on non system folders. I don't like fiddling with permissions
    in the \winnt folder without a lot of testing and generally do not recommend
    it. However I have not had problems with adding "authenticated users" to
    system folder and then removing users and everyone [which NSA security guide
    also recommends]. The IIS lockdown tool is interesting in that it will
    create a new group and give that group deny permissions to many binaries in
    the system folder and other folders on the computer. You can then add a user
    to that folder to make sure they do not have access to those binaries [ping,
    arp, attrib, etc]. The biggest problems usually arise with deny permissions
    in that unintended users, such as administrators, also end up being
    affected. Many also seem to forget that not having permissions is an
    implicit deny. It is a good idea to take an image of a computer before doing
    major changes to permissions. It takes me about 5 minutes to restore a 5 gig
    partition from a Ghost image so that I can start over. If you want a good
    book on configuring Windows security the Microsoft Windows Security Resource
    Kit is a good read and you can buy one from one of the used book vendors on
    Amazon for less than ten dollars. I buy a lot of books that way. Many are
    books with a bent corner or such that can not be sold as new. For a non
    Microsoft perspective the Hacking Exposed Windows 2003 is worth a read. ---
    Steve


    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
    > In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
    > <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
    >
    >>If you wish to restrict a user add that user to a group and then use
    >>ntfs/registry permissions, user rights, and Group Policy
    > ..[Snipped for later reading]
    >
    > I have taken a different route - maybe causing some damage on the way.
    > (This is a holiday flat PC so I am not too concerned - more interested in
    > learning about security issues)
    >
    > I have removed Users from all security permissions for all drives/folders
    > and have created my own group to allow a fine level of control.
    >
    > Securing Program Files and WINNT[1] took a bit of fiddling to allow users
    > to run applications.
    >
    > My Visitor can now play mp3 files in a subfolder of drive to which they
    > are otherwise barred, and they are barred to all other drives but can
    > still browse the web and open applications. Other users seem to have
    > normal access.
    >
    > [1] WINNT had separate security for each sub-folder - no inheritance. I
    > have changed that to inherit the settings from WINNT - we will see what
    > happens in the longer term.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  12. Archived from groups: microsoft.public.win2000.security

    Along this line is a relatively advanced technique where
    a group is created (e.g., DenyModify) and everyone who
    normally has Change permissions is added, e.g., for the
    System32 folder this might be applied to every EXE, DLL,
    SYS, Drv, etc (executable) and contain the administrators
    & even System so that on a "normal day" even admins
    cannot update these files.

    During upgrades -- one removes the admins or system
    and then restores the group afterwards (the permissions
    technically stay in effect the whole time on the files but
    by logging on and off the admins effective permissions
    change.)

    Now, it might be the case that some virus, trojan, or
    cracker might be able to work through this roadblock,
    but the practical effect is that practically none of them
    will (be able to) do so.

    --
    Herb Martin


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:t3BCd.617183$wV.434580@attbi_s54...
    > That can also work well using a different approach to the same strategy,
    > particularly on non system folders. I don't like fiddling with permissions
    > in the \winnt folder without a lot of testing and generally do not recommend
    > it. However I have not had problems with adding "authenticated users" to
    > system folder and then removing users and everyone [which NSA security guide
    > also recommends]. The IIS lockdown tool is interesting in that it will
    > create a new group and give that group deny permissions to many binaries in
    > the system folder and other folders on the computer. You can then add a user
    > to that folder to make sure they do not have access to those binaries [ping,
    > arp, attrib, etc]. The biggest problems usually arise with deny permissions
    > in that unintended users, such as administrators, also end up being
    > affected. Many also seem to forget that not having permissions is an
    > implicit deny. It is a good idea to take an image of a computer before doing
    > major changes to permissions. It takes me about 5 minutes to restore a 5 gig
    > partition from a Ghost image so that I can start over. If you want a good
    > book on configuring Windows security the Microsoft Windows Security Resource
    > Kit is a good read and you can buy one from one of the used book vendors on
    > Amazon for less than ten dollars. I buy a lot of books that way. Many are
    > books with a bent corner or such that can not be sold as new. For a non
    > Microsoft perspective the Hacking Exposed Windows 2003 is worth a read. ---
    > Steve
    >
    >
    > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    > news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
    > > In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
    > > <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
    > >
    > >>If you wish to restrict a user add that user to a group and then use
    > >>ntfs/registry permissions, user rights, and Group Policy
    > > ..[Snipped for later reading]
    > >
    > > I have taken a different route - maybe causing some damage on the way.
    > > (This is a holiday flat PC so I am not too concerned - more interested in
    > > learning about security issues)
    > >
    > > I have removed Users from all security permissions for all drives/folders
    > > and have created my own group to allow a fine level of control.
    > >
    > > Securing Program Files and WINNT[1] took a bit of fiddling to allow users
    > > to run applications.
    > >
    > > My Visitor can now play mp3 files in a subfolder of drive to which they
    > > are otherwise barred, and they are barred to all other drives but can
    > > still browse the web and open applications. Other users seem to have
    > > normal access.
    > >
    > > [1] WINNT had separate security for each sub-folder - no inheritance. I
    > > have changed that to inherit the settings from WINNT - we will see what
    > > happens in the longer term.
    > > --
    > > Les Desser
    > > (The Reply-to address IS valid)
    >
    >
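As an added illustration (not code from the thread or from Windows) of the deny-before-allow evaluation that makes Herb's DenyModify group work, and of Steve's two warnings that a missing permission is an implicit deny and that a deny aimed at a broad group also catches administrators, here is a Python model of NTFS DACL evaluation; the rights bits, the ACLs and the token group sets are constructed for the example.

```python
"""Model of NTFS DACL evaluation: a matching Deny entry refuses the request
before any Allow is considered, and a right that no entry grants is refused
too (the "implicit deny"). Added illustration, not code from the thread or from
Windows; the rights bits, ACLs and token group sets are constructed."""
from typing import FrozenSet, List, NamedTuple

# Constructed subset of access-right bits.
READ, EXECUTE, WRITE, DELETE = 0x1, 0x2, 0x4, 0x8
MODIFY = READ | EXECUTE | WRITE | DELETE


class Ace(NamedTuple):
    kind: str      # "deny" or "allow"
    trustee: str   # account or group the entry applies to
    mask: int      # rights the entry covers


def access_check(token_groups: FrozenSet[str], dacl: List[Ace], wanted: int) -> bool:
    """Walk the ACEs in order, the way the kernel does for a canonical DACL
    (explicit deny entries first, as the ACL editor writes them)."""
    remaining = wanted
    for ace in dacl:
        if ace.trustee not in token_groups:
            continue                      # entry is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a requested right is explicitly denied
        if ace.kind == "allow":
            remaining &= ~ace.mask        # these bits are now granted
            if remaining == 0:
                return True
    return remaining == 0                 # leftover bits: nobody granted them


# Constructed DACL for an executable under System32 after the DenyModify trick.
SYSTEM32_EXE_DACL = [
    Ace("deny", "DenyModify", WRITE | DELETE),
    Ace("allow", "Administrators", MODIFY),
    Ace("allow", "SYSTEM", MODIFY),
    Ace("allow", "Users", READ | EXECUTE),
]

# Constructed DACL showing the pitfall: a deny aimed at Everyone catches admins.
OVERBROAD_DENY_DACL = [
    Ace("deny", "Everyone", WRITE | DELETE),
    Ace("allow", "Administrators", MODIFY),
]

# Constructed token group sets (what a logon token would carry).
ADMIN_NORMAL_DAY = frozenset({"Administrator", "Administrators", "DenyModify",
                              "Everyone", "Authenticated Users"})
ADMIN_DURING_UPGRADE = ADMIN_NORMAL_DAY - {"DenyModify"}   # removed, logged on again
USERS_MEMBER = frozenset({"Alice", "Users", "Everyone", "Authenticated Users"})
VISITOR = frozenset({"Visitor", "Visitors", "Everyone", "Authenticated Users"})


if __name__ == "__main__":
    for name, token in [("admin (normal day)", ADMIN_NORMAL_DAY),
                        ("admin (upgrade)", ADMIN_DURING_UPGRADE),
                        ("Users member", USERS_MEMBER), ("Visitor", VISITOR)]:
        print(name, "run:", access_check(token, SYSTEM32_EXE_DACL, READ | EXECUTE),
              "replace:", access_check(token, SYSTEM32_EXE_DACL, WRITE | DELETE))
```

The Visitor token, which carries no group named in the DACL at all, is refused even a read: no deny entry is needed for that.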
  13. Archived from groups: microsoft.public.win2000.security

    In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
    <news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes

    >E.g., if GroupA includes GroupB, then the members of GroupB are
    >effectively members of GroupA.

    I vote that groups should not be able to include other groups :)

    I did write that rather tongue-in-cheek and from a standpoint of someone
    who is a starter in the area of Windows security, but on further
    reflection it has merit. There is a lot to be said for transparency and
    once you embed groups within groups one starts to lose the picture
    rather fast.
    --
    Les Desser
    (The Reply-to address IS valid)
  14. Archived from groups: microsoft.public.win2000.security

    In article <c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk>, Les Desser
    <NewsDump1@dessergroup.com> Tue, 4 Jan 2005 12:01:22 writes

    >I have taken a different route - maybe causing some damage on the way.
    >(This is a holiday flat PC so I am not too concerned - more interested
    >in learning about security issues)

    Seems like I have done something :(

    As well as the Visitor user, I have created a standard user who is not a
    member of Administrators.

    When using that profile (as well as Visitors) I can no longer open .jpg
    files. MS Photo Editor opens but then gives the error
    "No file format information can be found in the Registry".

    If I add that user to Administrators then it works - so it must be some
    authority problem.

    Thanks in anticipation.
    --
    Les Desser
    (The Reply-to address IS valid)
  15. Archived from groups: microsoft.public.win2000.security

    I can see the point of view, but in larger environments
    seeing that a groupX is composed of groupA, groupB,
    and groupC, whereas groupY is composed of groupA
    and groupD only is highly useful, where groupA, B, C,
    D, etc. are fundamental categories of accounts, such as
    by roles that they hold in the corp (or family).
    The alternative, just seeing a long list of users in
    groupX and groupY is error prone.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:xve6beFmVw2BFAas@dessergroup.onetel.co.uk...
    > In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
    > <news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes
    >
    > >E.g., if GroupA includes GroupB, then the members of GroupB are
    > >effectively members of GroupA.
    >
    > I vote that groups should not be able to include other groups :)
    >
    > I did write that rather tongue-in-cheek and from a standpoint of someone
    > who is a starter in the area of Windows security, but on further
    > reflection it has merit. There is a lot to be said for transparency and
    > once you embed groups within groups one starts to lose the picture
    > rather fast.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  16. Archived from groups: microsoft.public.win2000.security

    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:xve6beFmVw2BFAas@dessergroup.onetel.co.uk...
    > In article <uDy$s7l8EHA.1228@tk2msftngp13.phx.gbl>, Herb Martin
    > <news@LearnQuick.com> Tue, 4 Jan 2005 07:02:08 writes
    >
    > >E.g., if GroupA includes GroupB, then the members of GroupB are
    > >effectively members of GroupA.
    >
    > I vote that groups should not be able to include other groups :)

    Then you will hate NATIVE mode where they can be
    arbitrarily nested, e.g., Global in Global ... in Universal
    in Universal ... in Local ....

    > I did write that rather tongue-in-cheek and from a standpoint of someone
    > who is a starter in the area of Windows security, but on further
    > reflection it has merit.

    It is a practical necessity for large domains, but makes
    managing even a few hundred users much easier if
    you design the structure well.

    > There is a lot to be said for transparency and
    > once you embed groups within groups one starts to lose the picture
    > rather fast.

    This probably stems from not setting up the groups
    to follow a well-thought out picture -- design -- to
    start.

    Local groups REALLY represent "a collection of
    resources/permissions and/or set of rights for doing
    some job" while Global groups really should be
    the ones that represent "a bunch of users who should
    be given some privilege the same way."

    None of the books tell you that -- most authors
    (and therefore admins) continue to think of Local
    groups as primarily representing USERS instead
    of a set of resources.
  17. Archived from groups: microsoft.public.win2000.security

    lusrmgr.msc run at a cmd prompt (as you refer to
    c:\winnt should I assume this is Windows 2000?)
    lets you see the group structure in all existing detail.

    Originally Users only held accounts. Later MS invented
    Interactive and Authenticated Users and nested these
    within. This was as much as anything a response to the
    fact that the OS had grown in ways such that if an account
    was not a member of Users then things would fail in an
    interactive login. It is not just the NTFS permissions in
    the system folders, but also a matter of permissions on the
    COM components and registry keys, where some grants are
    to the Users group.

    I think historically the intent was to have Guests, Users,
    and Administrators with these three being allowed a tiered
    increase in capability. However, things were IMO not kept
    fully clean, and for all practical purposes the distinction
    between Guest and any Users member became lost and also
    impossible for interactive login. In large part this was a
    response to MS observing the common (and reasonable)
    practice of removing the default grants to Everyone (which
    used to allow Guest to function interactively).

    By the way, although it looks like a group in the icon used,
    System is best thought of not as a group but as an account.
    I think it is treated as a group because in a stand-alone install
    the Local System account (which is used to fire up most of the
    core components/services of the OS) is System, but once the
    machine is joined to a domain then the domain\Machine$
    account also is System.

    Aside from accounts and normal groups, you will find some
    "group-like" predefined principals used (Interactive, Network,
    Authenticated Users, Creator Owner, etc.) whose membership
    you cannot adjust. These are like place-holders which get
    substituted with the "then current" account if the criteria of
    the place being held are satisfied. If I have logged in as UserX
    at the keyboard, then UserX actually appears in the security
    access checks where Interactive is seen when viewing the
    definitions, etc.

    --
    Roger
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:T30y9wGOMo2BFA+A@dessergroup.onetel.co.uk...
    > In article <e8tCduf8EHA.3820@TK2MSFTNGP11.phx.gbl>, Roger Abell
    > <mvpNOSpam@asu.edu> Mon, 3 Jan 2005 18:23:36 writes
    >
    > >The membership in the Users group is only exactly what is shown when
    > >you view it. Now, in a default scenario you will see that Interactive
    > >and Authenticated Users are nested within Users.
    >
    > Please do you have any pointers as to where I can see this on the system
    > or at least read about it.
    >
    > > Due to these any account that logs in locally or any account that is
    > >authenticated (respectively) will become a Users member during that
    > >login/usage. These groups do not have to be nested within Users, but
    > >when removed one does need to understand what they have been enabling
    > >so that the parts of that which are needed can be provided.
    >
    > More reading - groan! :)
    >
    > I am just a starter on the Windows security front, but as I see it:-
    >
    > Users is a system group (like SYSTEM) (I wonder if I can delete it) and
    > it should not be possible to assign anyone to this group. What strange
    > mind thought up a structure that allows me to remove membership of a
    > user from a specific group, but the user still remains (in 99.99% of the
    > time) a member via a hidden route.
    >
    > Also, why does Windows put every newly created user explicitly into the
    > Users group? - and thereby totally confuse poor punters like me.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  18. Archived from groups: microsoft.public.win2000.security (More info?)

    > Securing Program Files and WINNT[1] took a bit of fiddling to allow
    > users to run applications.

    Les, you will have also noticed that many of the individual files
    have their NTFS permissions explicitly set also.

    Let us know what OS version you are using, as things have changed
    some between them, and we can refer you to the master file that is
    used to set the install default permissions on these folders and files.
    The template is actually just a plain text file, and one can do a global
    replace on it to change the two characters representing "Users" with
    the SID of the custom group - meaning one can come up with a template
    that sets security so that Users is not used but the custom group has the
    settings instead. One can edit the template and then remove the
    custom group from the items desired.

    I do not really advocate doing this as a standard practice, and there
    are so very many (and ill-documented) dependencies; but, the template
    does provide for quick reproducibility and so facilitates experimentation,
    especially if combined with something like VMware or VirtualPC where
    you just make a copy of the base OS filetree, boot it, fool around, and
    delete the copy when done if things are not liked or disastrous.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:c3DxNlHSWo2BFA+X@dessergroup.onetel.co.uk...
    > In article <e7oCd.275281$5K2.222729@attbi_s03>, Steven L Umbach
    > <n9rou@n0-spam-for-me-comcast.net> Tue, 4 Jan 2005 03:32:31 writes
    >
    > >If you wish to restrict a user add that user to a group and then use
    > >ntfs/registry permissions, user rights, and Group Policy
    > ..[Snipped for later reading]
    >
    > I have taken a different route - maybe causing some damage on the way.
    > (This is a holiday flat PC so I am not too concerned - more interested
    > in learning about security issues)
    >
    > I have removed Users from all security permissions for all
    > drives/folders and have created my own group to allow a fine level of
    > control.
    >
    > Securing Program Files and WINNT[1] took a bit of fiddling to allow
    > users to run applications.
    >
    > My Visitor can now play mp3 files in a subfolder of drive to which they
    > are otherwise barred, and they are barred to all other drives but can
    > still browse the web and open applications. Other users seem to have
    > normal access.
    >
    > [1] WINNT had separate security for each sub-folder - no inheritance. I
    > have changed that to inherit the settings from WINNT - we will see what
    > happens in the longer term.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  19. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <#OdJRdu8EHA.3416@TK2MSFTNGP09.phx.gbl>, Roger Abell
    <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:30:53 writes

    >Les, you will have also noticed that many of the individual files have
    >their NTFS permissions explicitly set also.
    >
    >Let us know what OS version you are using

    W2K SP4

    >, as things have changed some between them, and we can refer you to the
    >master file that is used to set the install default permissions on
    >these folders and files.

    Thanks
    --
    Les Desser
    (The Reply-to address IS valid)
  21. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <umJHL7t8EHA.2196@TK2MSFTNGP11.phx.gbl>, Herb Martin
    <news@LearnQuick.com> Tue, 4 Jan 2005 22:20:33 writes

    >None of the books tell you that -- most authors (and therefore admins)
    >continue to think of Local groups as primarily representing USERS
    >instead of a set of resources.

    You have expressed my own thoughts in a few words - I just could not get
    at the right ones.

    Groups Users and Family (my invention - in case it actually exists) are
    chalk and cheese.

    Users is an attribute of a logged-on profile and not what I would call a
    group. It should not be possible to put an actual user into group
    Users. That is a bit like grouping the residents of the UK and putting
    the Prime Minister in group Human :)

    I rest my case.
    --
    Les Desser
    (The Reply-to address IS valid)
  22. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
    <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes

    >I can see the point of view, but in larger environments seeing that a
    >groupX is composed of groupA, groupB, and groupC, whereas groupY is
    >composed of groupA and groupD only is highly useful, where groupA, B,
    >C, D, etc. are fundamental categories of accounts, such as by roles
    >that they hold in the corp (or family). The alternative, just seeing a
    >long list of users in groupX and groupY is error prone.

    I agree - I withdraw my original statement.

    I just wish that the definition of a group would not be muddied by
    having special collections such as Users called the same as a group
    created by human intelligence - see my reply to Herb a few minutes ago.
    --
    Les Desser
    (The Reply-to address IS valid)
  23. Archived from groups: microsoft.public.win2000.security (More info?)

    > I just wish that the definition of a group would not be muddied by
    > having special collections such as Users called the same as a group
    > created by human intelligence - see my reply to Herb a few minutes ago.

    I would really need to disagree with this (false)
    distinction -- Users is indeed in every sense a
    Group.

    It just happens to be a Built-In Group with built-in
    behavior which can be critical to getting a system
    to work by default.

    Even Everyone is a group in the true sense although
    this class has its own name as well: Special Groups.

    (Of course it isn't a very GOOD name <grin> and
    should have been called Automatic or perhaps best
    would have been Dynamic Groups since the OS
    automatically assigns users to the special groups
    automatically and dynamically when they meet
    certain conditions.)

    --
    Herb Martin


    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
    > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
    > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
    >
    > >I can see the point of view, but in larger environments seeing that a
    > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
    > >composed of groupA and groupD only is highly useful, where groupA, B,
    > >C, D, etc. are fundamental categories of accounts, such as by roles
    > >that they hold in the corp (or family). The alternative, just seeing a
    > >long list of users in groupX and groupY is error prone.
    >
    > I agree - I withdraw my original statement.
    >
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  24. Archived from groups: microsoft.public.win2000.security (More info?)

    As Herb indicated Users is a group.
    Nothing magic about it. The membership of Users is
    clearly viewable, and Users contains nothing other than
    what is there, clearly viewable.

    Today, the use made of Users would fit IMO fairly
    closely to "the group that allows its members to log
    into the machine at the keyboard and use it"
    In other words, the Users group is pretty much the
    grouping of accounts that can use the machine.

    There are groups, just plain old normal groups,
    like Users. These come in two forms. The predefined
    groups and what I term custom groups which have been
    defined by the user/owner of the machine.

    There are a couple kinds of things that are used as if
    they were groups and/or that function like groups, but
    over the membership in which one has no control.
    These are things like Everyone, Authenticated Users,
    Interactive, Network, Anonymous Users, Creator Owner,
    Creator Group, Self, . .. These all have set, defined
    meanings and uses, which I believe you could discover
    by reading into the Resource Kits.
    www.reskits.com

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
    > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
    > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
    >
    > >I can see the point of view, but in larger environments seeing that a
    > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
    > >composed of groupA and groupD only is highly useful, where groupA, B,
    > >C, D, etc. are fundamental categories of accounts, such as by roles
    > >that they hold in the corp (or family). The alternative, just seeing a
    > >long list of users in groupX and groupY is error prone.
    >
    > I agree - I withdraw my original statement.
    >
    > I just wish that the definition of a group would not be muddied by
    > having special collections such as Users called the same as a group
    > created by human intelligence - see my reply to Herb a few minutes ago.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  25. Archived from groups: microsoft.public.win2000.security (More info?)

    For W2k the initial, install defaults for the security ACLs on reg vals,
    folders, files, services, etc. are contained in the file setup security.inf
    to be found in your c:\WINNT\security\templates folder.
    If you look in this text file with notepad you will see many
    lines in the [File Security] section that look like
    8="c:\winnt", 2, "D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;;GRGX;;;WD)"
    The third and last of these is a string representation of an ACL
    in a syntax called SDDL (security descriptor definition language,
    about which you could search in msdn.microsoft.com for info)

    The way to view what the settings actually mean is to
    start / run mmc
    and then under the file drop menu select to add/remove snapin
    and then add to locate the Security Templates snapin.
    Then, with an mmc console where you can look at templates
    (these .inf files) you can open the template and see the settings
    there translated into groups and the associated grants and also
    inheritance. You would be smart to make a copy and do this on
    the copy - as that would give you room to play.

    In the SDDL above for the initial W2k permissions on winnt
    dir, the initial D: means this part is the dacl (access rather than
    audit ACL), the first () in it is (A;CIOI;GRGX;;;BU) which is
    the spec for one ACE in the ACL, which A: Allows to Users
    (the BU for built-in Users) generic read and generic execute
    (the GRGX). The CIOI are specifying the inheritance attributes
    of this ACE. The other principals in the remaining ACEs of
    this ACL spec are PU=Power Users, BA=built-in Administrators,
    SY=System, CO=Creator Owner, and WD=Everyone (aka world).

    With the Security Templates snap-in it is not possible to change
    the state of the running system. To do that one uses the Security
    Configuration and Analysis snap-in, into which one Imports the
    template (use caution, always Analyze first and consider before
    doing an Apply).

    If you wanted to alter all of these so that instead of granting to
    Users the same would instead be granted to CustomGroup,
    what one could do is
    1. obtain the SID of CustomGroup
    2. make a copy of this inf file, and trim out all sections except
    those that you want to impact, for example trim out all except
    for [File Security] (note: leave the initial header part, that is,
    the [Unicode] and [Version] parts, and do not overlook removing
    the section [Service General Setting] following the files section)
    3. do a global replace of BU with the SID of CustomGroup
    When this altered template is applied, everyplace that there is a
    grant to Users in the filesystem due to the original template's use
    during install will instead have the same grant made to CustomGroup
    (the grant to Users will be gone). To reverse this, one
    would import and apply the original template's [File Security] section.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:3J7bCLP32E3BFAxZ@dessergroup.onetel.co.uk...
    > In article <#OdJRdu8EHA.3416@TK2MSFTNGP09.phx.gbl>, Roger Abell
    > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:30:53 writes
    >
    > >Les, you will have also noticed that many of the individual files have
    > >their NTFS permissions explicitly set also.
    > >
    > >Let us know what OS version you are using
    >
    > W2K SP4
    >
    > >, as things have changed some between them, and we can refer you to the
    > >master file that is used to set the install default permissions on
    > >these folders and files.
    >
    > Thanks
    > --
    > Les Desser
    > (The Reply-to address IS valid)
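    Decoding the SDDL string Roger quotes from setup security.inf, and doing his "replace BU with the SID of CustomGroup" step one ACE at a time, as an added example (not code from the thread or from Microsoft): the alias tables are the real SDDL abbreviations, while CUSTOM_GROUP_SID and the second template line with BUILD in its path are constructed sample values.

```python
"""Decode and rewrite the SDDL DACL strings found in a W2k security template.

Added example, not from the thread: parses the 'D:P(...)...' form quoted
from setup security.inf, expands the two-letter aliases (BU, PU, BA, SY,
CO, WD; GR, GW, GX, GA, SD; CI, OI) and replaces a trustee field-by-field
instead of by blind text substitution.  CUSTOM_GROUP_SID is a constructed
placeholder for "the SID of CustomGroup".
"""
import re

# Trustee aliases named in the thread (all real SDDL abbreviations).
TRUSTEES = {
    "BU": "Users (built-in)",
    "PU": "Power Users",
    "BA": "Administrators (built-in)",
    "SY": "SYSTEM",
    "CO": "Creator Owner",
    "WD": "Everyone (world)",
}

# Generic/standard access rights, two characters each.
RIGHTS = {
    "GR": "GENERIC_READ",
    "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
    "GA": "GENERIC_ALL",
    "SD": "DELETE",
}

# ACE flags: the inheritance attributes Roger refers to as CIOI.
ACE_FLAGS = {
    "CI": "CONTAINER_INHERIT",
    "OI": "OBJECT_INHERIT",
    "NP": "NO_PROPAGATE_INHERIT",
    "IO": "INHERIT_ONLY",
    "ID": "INHERITED",
}

# DACL-level flags that may follow 'D:'.  'P' (SE_DACL_PROTECTED) means
# nothing is inherited from the parent, which is why the W2k WINNT tree
# carries its own explicit permissions rather than inheriting them.
DACL_FLAGS = {"P": "PROTECTED", "AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}

ACE_TYPES = {"A": "ALLOW", "D": "DENY"}

# One ACE is a parenthesised body; SDDL ACEs never nest.
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed placeholder for the SID of the custom group.
CUSTOM_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"

# The [File Security] line for c:\winnt as quoted in the thread.
WINNT_LINE = ('8="c:\\winnt", 2, "D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)'
              '(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;;GRGX;;;WD)"')


def split_pairs(field):
    """Split a run of two-letter SDDL tokens: 'GRGX' -> ['GR', 'GX']."""
    if len(field) % 2:
        raise ValueError("odd-length token field: %r" % field)
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_ace(body):
    """Parse 'type;flags;rights;object_guid;inherit_guid;trustee'."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError("an ACE has six ';'-separated fields: %r" % body)
    ace_type, flags, rights, _obj_guid, _inh_guid, trustee = parts
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in split_pairs(flags)],
        "rights": [RIGHTS.get(r, r) for r in split_pairs(rights)],
        "trustee": TRUSTEES.get(trustee, trustee),
    }


def parse_dacl(sddl):
    """Return (dacl_flags, aces) for a 'D:...' SDDL string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    body = sddl[2:]
    first = body.find("(")
    head, aces_part = (body, "") if first < 0 else (body[:first], body[first:])
    dacl_flags, i = [], 0
    while i < len(head):
        tok = head[i:i + 2] if head[i:i + 2] in DACL_FLAGS else head[i]
        if tok not in DACL_FLAGS:
            raise ValueError("unknown DACL flag at %r" % head[i:])
        dacl_flags.append(DACL_FLAGS[tok])
        i += len(tok)
    return dacl_flags, [parse_ace(m.group(1)) for m in ACE_RE.finditer(aces_part)]


def replace_trustee(text, old, new):
    """Rewrite the trustee field of every ACE whose trustee is `old`.

    Field-aware form of the thread's "global replace of BU": only the sixth
    field of a well-formed ACE changes, so the letters BU in a path or any
    other part of the template line are left alone.
    """
    def sub(match):
        parts = match.group(1).split(";")
        if len(parts) == 6 and parts[5] == old:
            parts[5] = new
        return "(" + ";".join(parts) + ")"
    return ACE_RE.sub(sub, text)


def sddl_of_line(line):
    """Pull the quoted SDDL string out of a [File Security] template line."""
    return line.rsplit('"', 2)[1]


if __name__ == "__main__":
    flags, aces = parse_dacl(sddl_of_line(WINNT_LINE))
    print("DACL flags:", flags)
    for ace in aces:
        print(ace["type"], ace["trustee"], ace["rights"], ace["flags"])
    print(replace_trustee(WINNT_LINE, "BU", CUSTOM_GROUP_SID))
```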
  26. Archived from groups: microsoft.public.win2000.security (More info?)

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
    > As Herb indicated Users is a group.
    > Nothing magic about it. The membership of Users is
    > clearly viewable, and Users contains nothing other than
    > what is there, clearly viewable.

    Correct (and below too).

    Strictly FYI: The names for the various group types are:

    1) Built-in (Administrators, Users, Domain Admins...)
    changeable but created and used by the system automatically

    2) Groups (aka custom or user-defined Groups)

    3) Special (dynamically assigned membership based on
    current activity at the time the object resource is
    OPENED -- e.g., Everyone, Network, Terminal Service
    Users, Dialup Users (sp?) etc.

    Groups MAY be divided into 2 or more categories:

    a) Local (workstations or domain based)
    b) Global (domain based only)
    c) Universal (Win2000 Native mode or 2003 Server mode)


    On workstations, all Built-in and user-defined Groups are
    Local Groups only -- while on the domain groups can be either
    Local, Global, or perhaps Universal groups.

    No one knows whether Special Groups are Global or
    Local -- they really are neither, but have some of the
    characteristics of each.

    Technically, there is another Group type, a variation on
    Local groups when the behavior changes after upgrading
    the domain to Native+ mode: Domain Locals, which are
    technically different than "plain Local groups on a domain"
    in NT or Mixed etc mode.


    --
    Herb Martin


    >
    > Today, the use made of Users would fit IMO fairly
    > closely to "the group that allows its members to log
    > into the machine at the keyboard and use it"
    > In other words, the Users group is pretty much the
    > grouping of accounts that can use the machine.
    >
    > There are groups, just plain old normal groups,
    > like Users. These come in two forms. The predefined
    > groups and what I term custom groups which have been
    > defined by the user/owner of the machine.
    >
    > There are a couple kinds of things that are used as if
    > they were groups and/or that function like groups, but
    > over the membership in which one has no control.
    > These are things like Everyone, Authenticated Users,
    > Interactive, Network, Anonymous Users, Creator Owner,
    > Creator Group, Self, . .. These all have set, defined
    > meanings and uses, which I believe you could discover
    > by reading into the Resource Kits.
    > www.reskits.com
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
    > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
    > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
    > >
    > > >I can see the point of view, but in larger environments seeing that a
    > > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
    > > >composed of groupA and groupD only is highly useful, where groupA, B,
    > > >C, D, etc. are fundamental categories of accounts, such as by roles
    > > >that they hold in the corp (or family). The alternative, just seeing a
    > > >long list of users in groupX and groupY is error prone.
    > >
    > > I agree - I withdraw my original statement.
    > >
    > > I just wish that the definition of a group would not be muddied by
    > > having special collections such as Users called the same as a group
    > > created by human intelligence - see my reply to Herb a few minutes ago.
    > > --
    > > Les Desser
    > > (The Reply-to address IS valid)
    >
    >
  27. Archived from groups: microsoft.public.win2000.security (More info?)

    Thanks Herb for the terminology breakdown.

    It is with regret that I need mention for the OP that one will
    find that the terms used by MS have "drifted" some over time.
    For example, if one reads at
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_atxz.asp
    one will find a slight variation on these, and that all of the
    "pre-defined"s get lumped together as the category
    Built-in Security Principals, and reading on one finds at
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_wdkv.asp
    some meanings for the common ones of these, where the OP
    should notice that some are "group-like" and some are
    "user-like". The first are dynamically managed collections
    of accounts, while the second are placeholders used in ACLs
    that get replace dynamically at runtime with the account in use
    that meets their definition.

    Perhaps we should note for the OP that "principal" is the
    generic term used to indicate anything that can be a trustee,
    that is, the object indicated as receiving or being denied a
    security access grant (and similar with auditing).

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:%23j9oj%2398EHA.2180@TK2MSFTNGP12.phx.gbl...
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
    > > As Herb indicated Users is a group.
    > > Nothing magic about it. The membership of Users is
    > > clearly viewable, and Users contains nothing other than
    > > what is there, clearly viewable.
    >
    > Correct (and below too).
    >
    > Strictly FYI: The names for the various group types are:
    >
    > 1) Built-in (Administrators, Users, Domain Admins...)
    > changeable but created and used by the system automatically
    >
    > 2) Groups (aka custom or user-defined Groups)
    >
    > 3) Special (dynamically assigned membership based on
    > current activity at the time the object resource is
    > OPENED -- e.g., Everyone, Network, Terminal Service
    > Users, Dialup Users (sp?) etc.
    >
    > Groups MAY be divided into 2 or more categories:
    >
    > a) Local (workstations or domain based)
    > b) Global (domain based only)
    > c) Universal (Win2000 Native mode or 2003 Server mode)
    >
    >
    > On workstations, all Built-in and user-defined Groups are
    > Local Groups only -- while on the domain groups can be either
    > Local, Global, or perhaps Universal groups.
    >
    > No one knows whether Special Groups are Global or
    > Local -- they really are neither, but have some of the
    > characteristics of each.
    >
    > Technically, there is another Group type, a variation on
    > Local groups when the behavior changes after upgrading
    > the domain to Native+ mode: Domain Locals, which are
    > technically different than "plain Local groups on a domain"
    > in NT or Mixed etc mode.
    >
    >
    > --
    > Herb Martin
    >
    >
    > >
    > > Today, the use made of Users would fit IMO fairly
    > > closely to "the group that allows its members to log
    > > into the machine at the keyboard and use it"
    > > In other words, the Users group is pretty much the
    > > grouping of accounts that can use the machine.
    > >
    > > There are groups, just plain old normal groups,
    > > like Users. These come in two forms. The predefined
    > > groups and what I term custom groups which have been
    > > defined by the user/owner of the machine.
    > >
    > > There are a couple kinds of things that are used as if
    > > they were groups and/or that function like groups, but
    > > over the membership in which one has no control.
    > > These are things like Everyone, Authenticated Users,
    > > Interactive, Network, Anonymous Users, Creator Owner,
    > > Creator Group, Self, . .. These all have set, defined
    > > meanings and uses, which I believe you could discover
    > > by reading into the Resource Kits.
    > > www.reskits.com
    > >
    > > --
    > > Roger Abell
    > > Microsoft MVP (Windows Security)
    > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    > > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
    > > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
    > > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
    > > >
    > > > >I can see the point of view, but in larger environments seeing that a
    > > > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
    > > > >composed of groupA and groupD only is highly useful, where groupA, B,
    > > > >C, D, etc. are fundamental categories of accounts, such as by roles
    > > > >that they hold in the corp (or family). The alternative, just seeing a
    > > > >long list of users in groupX and groupY is error prone.
    > > >
    > > > I agree - I withdraw my original statement.
    > > >
    > > > I just wish that the definition of a group would not be muddied by
    > > > having special collections such as Users called the same as a group
    > > > created by human intelligence - see my reply to Herb a few minutes ago.
    > > > --
    > > > Les Desser
    > > > (The Reply-to address IS valid)
    > >
    > >
    >
    >
  28. Archived from groups: microsoft.public.win2000.security (More info?)

    > Perhaps we should note for the OP that "principal" is the
    > generic term used to indicate anything that can be a trustee,
    > that is, the object indicated as receiving or being denied a
    > security access grant (and similar with auditing).

    Drift is bad <grin>

    In fact, I strongly prefer the term "security principal"
    as a generic term for Groups, Users, and Computer
    accounts -- all of these can be granted or denied
    permission and rights related to object access and to
    system functions.

    <irony>

    Then there is the question of "Creator/Owner" which
    Microsoft calls a special group (at times) and which
    I have always considered a Special User.

    But on logical grounds it does qualify as a Special
    Group of at most one user. Ok, there is the case
    where it manages to represent the Administrators
    group collectively and thereby destroys all our
    perceptions about Group containment rules.

    (BTW, I think the developers cheated by writing
    some exceptions in the code for this stuff.)

    </irony>

    --
    Herb Martin


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:eAVrV3$8EHA.2900@TK2MSFTNGP09.phx.gbl...
    > Thanks Herb for the terminology breakdown.
    >
    > It is with regret that I need mention for the OP that one will
    > find that the terms used by MS have "drifted" some over time.
    > For example, if one reads at
    > http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_atxz.asp
    > one will find a slight variation on these, and that all of the
    > "pre-defined"s get lumped together as the category
    > Built-in Security Principals, and reading on one finds at
    > http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_wdkv.asp
    > some meanings for the common ones of these, where the OP
    > should notice that some are "group-like" and some are
    > "user-like". The first are dynamically managed collections
    > of accounts, while the second are placeholders used in ACLs
    > that get replace dynamically at runtime with the account in use
    > that meets their definition.
    >
    > Perhaps we should note for the OP that "principal" is the
    > generic term used to indicate anything that can be a trustee,
    > that is, the object indicated as receiving or being denied a
    > security access grant (and similar with auditing).
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    > MCSE (W2k3,W2k,Nt4) MCDBA
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:%23j9oj%2398EHA.2180@TK2MSFTNGP12.phx.gbl...
    > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
    > > > As Herb indicated Users is a group.
    > > > Nothing magic about it. The membership of Users is
    > > > clearly viewable, and Users contains nothing other than
    > > > what is there, clearly viewable.
    > >
    > > Correct (and below too).
    > >
    > > Strictly FYI: The names for the various group types are:
    > >
    > > 1) Built-in (Administrators, Users, Domain Admins...)
    > > changeable but created and used by the system automatically
    > >
    > > 2) Groups (aka custom or user-defined Groups)
    > >
    > > 3) Special (dynamically assigned membership based on
    > > current activity at the time the object resource is
    > > OPENED -- e.g., Everyone, Network, Terminal Service
    > > Users, Dialup Users (sp?) etc.
    > >
    > > Groups MAY be divided into 2 or more categories:
    > >
    > > a) Local (workstations or domain based)
    > > b) Global (domain based only)
    > > c) Universal (Win2000 Native mode or 2003 Server mode)
    > >
    > >
    > > On workstations, all Built-in and user-defined Groups are
    > > Local Groups only -- while on the domain groups can be either
    > > Local, Global, or perhaps Universal groups.
    > >
    > > No one knows whether Special Groups are Global or
    > > Local -- they really are neither, but have some of the
    > > characteristics of each.
    > >
    > > Technically, there is another Group type, a variation on
    > > Local groups when the behavior changes after upgrading
    > > the domain to Native+ mode: Domain Locals, which are
    > > technically different than "plain Local groups on a domain"
    > > in NT or Mixed etc mode.
    > >
    > >
    > > --
    > > Herb Martin
    > >
    > >
    > > >
    > > > Today, the use made of Users would fit IMO fairly
    > > > closely to "the group that allows its members to log
    > > > into the machine at the keyboard and use it"
    > > > In other words, the Users group is pretty much the
    > > > grouping of accounts that can use the machine.
    > > >
    > > > There are groups, just plain old normal groups,
    > > > like Users. These come in two forms. The predefined
    > > > groups and what I term custom groups which have been
    > > > defined by the user/owner of the machine.
    > > >
    > > > There are a couple kinds of things that are used as if
    > > > they were groups and/or that function like groups, but
    > > > over the membership in which one has no control.
    > > > These are things like Everyone, Authenticated Users,
    > > > Interactive, Network, Anonymous Users, Creator Owner,
    > > > Creator Group, Self, . .. These all have set, defined
    > > > meanings and uses, which I believe you could discover
    > > > by reading into the Resource Kits.
    > > > www.reskits.com
    > > >
    > > > --
    > > > Roger Abell
    > > > Microsoft MVP (Windows Security)
    > > > MCSE (W2k3,W2k,Nt4) MCDBA
    > > > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    > > > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
    > > > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
    > > > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
    > > > >
    > > > > >I can see the point of view, but in larger environments seeing that a
    > > > > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
    > > > > >composed of groupA and groupD only is highly useful, where groupA, B,
    > > > > >C, D, etc. are fundamental categories of accounts, such as by roles
    > > > > >that they hold in the corp (or family). The alternative, just seeing a
    > > > > >long list of users in groupX and groupY is error prone.
    > > > >
    > > > > I agree - I withdraw my original statement.
    > > > >
    > > > > I just wish that the definition of a group would not be muddied by
    > > > > having special collections such as Users called the same as a group
    > > > > created by human intelligence - see my reply to Herb a few minutes ago.
    > > > > --
    > > > > Les Desser
    > > > > (The Reply-to address IS valid)
    > > >
    > > >
    > >
    > >
    >
    >
  29. Archived from groups: microsoft.public.win2000.security (More info?)

    > (BTW, I think the developers cheated by writing
    > some exceptions in the code for this stuff.)

    <vbg> yea, rather certain they did.

    For example, one sometimes sees in the docs the statement
    that SYSTEM is a member of Administrators group, but that
    this is just not shown in the user interface. (OK, so how does
    a machine local group get nested into a machine local group?)

    The Creator Owner "group" got only more clouded when
    they introduced Creator Group "group".

    I take a more simple approach. I think of things as Groups
    if I can manage their membership, even though MS (at times)
    would like some of these referenced as Built-in Groups.
    To me, if I have defined it then it is a custom group and I just
    say "custom group" if I want to emphasize this. Otherwise a
    group is a group is good enough for me.

    Then, I think of the rest (where I cannot manage the membership)
    as either Special Groups (your dynamic groups which I find to be
    an appealing terminology), or as placeholder principals. Then to
    round things out, there are the Well Known SIDs.

    Issues like the doc speaking of the SYSTEM account but the GUI
    displaying the SYSTEM "account" often using the icon for a Group
    does not help matters.

    Maybe some day things will have completed evolution so that a
    terminology that is both simple and sufficient can be established.

    --
    Roger

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:%23RSaVyA9EHA.936@TK2MSFTNGP12.phx.gbl...
    >> Perhaps we should note for the OP that "principal" is the
    >> generic term used to indicate anything that can be a trustee,
    >> that is, the object indicated as receiving or being denied a
    >> security access grant (and similar with auditing).
    >
    > Drift is bad <grin>
    >
    > In fact, I strongly prefer the term "security principal"
    > as a generic term for Groups, Users, and Computer
    > accounts -- all of these can be granted or denied
    > permission and rights related to object access and to
    > system functions.
    >
    > <irony>
    >
    > Then there is the question of "Creator/Owner" which
    > Microsoft calls a special group (at times) and which
    > I have always considered a Special User.
    >
    > But on logical grounds it does qualify as a Special
    > Group of at most one user. Ok, there is the case
    > where it manages to represent the Administrators
    > group collectively and thereby destroys all our
    > perceptions about Group containment rules.
    >
    > (BTW, I think the developers cheated by writing
    > some exceptions in the code for this stuff.)
    >
    > </irony>
    >
    > --
    > Herb Martin
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:eAVrV3$8EHA.2900@TK2MSFTNGP09.phx.gbl...
    >> Thanks Herb for the terminology breakdown.
    >>
    >> It is with regret that I need mention for the OP that one will
    >> find that the terms used by MS have "drifted" some over time.
    >> For example, if one reads at
    >>
    > http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_atxz.asp
    >> one will find a slight variation on these, and that all of the
    >> "pre-defined"s get lumped together as the category
    >> Built-in Security Principals, and reading on one finds at
    >>
    > http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_wdkv.asp
    >> some meanings for the common ones of these, where the OP
    >> should notice that some are "group-like" and some are
    >> "user-like". The first are dynamically managed collections
    >> of accounts, while the second are placeholders used in ACLs
    >> that get replaced dynamically at runtime with the account in use
    >> that meets their definition.
    >>
    >> Perhaps we should note for the OP that "principal" is the
    >> generic term used to indicate anything that can be a trustee,
    >> that is, the object indicated as receiving or being denied a
    >> security access grant (and similar with auditing).
    >>
    >> --
    >> Roger Abell
    >> Microsoft MVP (Windows Security)
    >> MCSE (W2k3,W2k,Nt4) MCDBA
    >> "Herb Martin" <news@LearnQuick.com> wrote in message
    >> news:%23j9oj%2398EHA.2180@TK2MSFTNGP12.phx.gbl...
    >> > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >> > news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
    >> > > As Herb indicated Users is a group.
    >> > > Nothing magic about it. The membership of Users is
    >> > > clearly viewable, and Users contains nothing other than
    >> > > what is there, clearly viewable.
    >> >
    >> > Correct (and below too).
    >> >
    >> > Strictly FYI: The names for the various group types are:
    >> >
    >> > 1) Built-in (Administrators, Users, Domain Admins...)
    >> > changeable but created and used by the system automatically
    >> >
    >> > 2) Groups (aka custom or user-defined Groups)
    >> >
    >> > 3) Special (dynamically assigned membership based on
    >> > current activity at the time the object resource is
    >> > OPENED -- e.g., Everyone, Network, Terminal Service
    >> > Users, Dialup Users (sp?) etc.
    >> >
    >> > Groups MAY be divided into 2 or more categories:
    >> >
    >> > a) Local (workstations or domain based)
    >> > b) Global (domain based only)
    >> > c) Universal (Win2000 Native mode or 2003 Server mode)
    >> >
    >> >
    >> > On workstations, all Built-in and user-defined Groups are
    >> > Local Groups only -- while on the domain groups can be either
    >> > Local, Global, or perhaps Universal groups.
    >> >
    >> > No one knows whether Special Groups are Global or
    >> > Local -- they really are neither, but have some of the
    >> > characteristics of each.
    >> >
    >> > Technically, there is another Group type, a variation on
    >> > Local groups when the behavior changes after upgrading
    >> > the domain to Native+ mode: Domain Locals, which are
    >> > technically different than "plain Local groups on a domain"
    >> > in NT or Mixed etc mode.
    >> >
    >> >
    >> > --
    >> > Herb Martin
    >> >
    >> >
    >> > >
    >> > > Today, the use made of Users would fit IMO fairly
    >> > > closely to "the group that allows its members to log
    >> > > into the machine at the keyboard and use it"
    >> > > In other words, the Users group is pretty much the
    >> > > grouping of accounts that can use the machine.
    >> > >
    >> > > There are groups, just plain old normal groups,
    >> > > like Users. These come in two forms. The predefined
    >> > > groups and what I term custom groups which have been
    >> > > defined by the user/owner of the machine.
    >> > >
    >> > > There are a couple kinds of things that are used as if
    >> > > they were groups and/or that function like groups, but
    >> > > over the membership in which one has no control.
    >> > > These are things like Everyone, Authenticated Users,
    >> > > Interactive, Network, Anonymous Users, Creator Owner,
    >> > > Creator Group, Self, . .. These all have set, defined
    >> > > meanings and uses, which I believe you could discover
    >> > > by reading into the Resource Kits.
    >> > > www.reskits.com
    >> > >
    >> > > --
    >> > > Roger Abell
    >> > > Microsoft MVP (Windows Security)
    >> > > MCSE (W2k3,W2k,Nt4) MCDBA
    >> > > "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    >> > > news:25pbuzP85E3BFASV@dessergroup.onetel.co.uk...
    >> > > > In article <e9AWUQu8EHA.2900@TK2MSFTNGP09.phx.gbl>, Roger Abell
    >> > > > <mvpNOSpam@asu.edu> Tue, 4 Jan 2005 22:07:43 writes
    >> > > >
    >> > > > >I can see the point of view, but in larger environments seeing that a
    >> > > > >groupX is composed of groupA, groupB, and groupC, whereas groupY is
    >> > > > >composed of groupA and groupD only is highly useful, where groupA, B,
    >> > > > >C, D, etc. are fundamental categories of accounts, such as by roles
    >> > > > >that they hold in the corp (or family). The alternative, just seeing a
    >> > > > >long list of users in groupX and groupY is error prone.
    >> > > >
    >> > > > I agree - I withdraw my original statement.
    >> > > >
    >> > > > I just wish that the definition of a group would not be muddied by
    >> > > > having special collections such as Users called the same as a group
    >> > > > created by human intelligence - see my reply to Herb a few minutes ago.
    >> > > > --
    >> > > > Les Desser
    >> > > > (The Reply-to address IS valid)
    >> > >
    >> > >
    >> >
    >> >
    >>
    >>
    >
    >
  30. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <uOA16728EHA.3988@TK2MSFTNGP10.phx.gbl>, Herb Martin
    <news@LearnQuick.com> Wed, 5 Jan 2005 15:29:59 writes

    >> I just wish that the definition of a group would not be muddied by
    >> having special collections such as Users called the same as a group
    >> created by human intelligence - see my reply to Herb a few minutes ago.
    >
    >I would really need to disagree with this (false) distinction -- Users
    >is indeed in every sense a Group.
    >
    >It just happens to be a Built-In Group with built-in behavior which can
    >be critical to getting a system to work by default.
    >
    >Even Everyone is a group in the true sense although this class has its
    >own name as well: Special Groups.

    OK - point taken, but can you justify setting a user explicitly as a
    member of Users (and this is the default) when they are anyway a member of
    Users - not to mention the confusion to the poor punter like me, who
    expects that if I then remove a user from being a member of Users then
    he stops being a member of Users.

    (Maybe I just need to go to someone to knock the sense out of me :(
    After working 20+ years with the AS/400 [1] I find I must learn to stop
    thinking logically)
    >
    >(Of course it isn't a very GOOD name <grin> and should have been called
    >Automatic or perhaps best would have been Dynamic Groups since the OS
    >automatically assigns users to the special groups automatically and
    >dynamically when they meet certain conditions.)

    [1] For those not that old, the AS/400 (and its parent the S/38) were
    first designed by a group of academics, the operating system was then
    written, and the hardware (microcode) built to satisfy the needs of the
    OS. Ahhh - those were the days :)
    --
    Les Desser
    (The Reply-to address IS valid)
  31. Archived from groups: microsoft.public.win2000.security (More info?)

    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:ymmqZ4IAPa3BFAzf@dessergroup.onetel.co.uk...
    > In article <uOA16728EHA.3988@TK2MSFTNGP10.phx.gbl>, Herb Martin
    > <news@LearnQuick.com> Wed, 5 Jan 2005 15:29:59 writes
    >
    > >> I just wish that the definition of a group would not be muddied by
    > >> having special collections such as Users called the same as a group
    > >> created by human intelligence - see my reply to Herb a few minutes ago.
    > >
    > >I would really need to disagree with this (false) distinction -- Users
    > >is indeed in every sense a Group.
    > >
    > >It just happens to be a Built-In Group with built-in behavior which can
    > >be critical to getting a system to work by default.
    > >
    > >Even Everyone is a group in the true sense although this class has its
    > >own name as well: Special Groups.
    >
    > OK - point taken, but can you justify setting a user explicitly as a
    > member of Users (and this is the default) when they are anyway a member of
    > Users
    An account is automatically added to Users as a part of the
    process of defining the new account.
    Hence, you do not need to add it to Users unless you have
    removed it and want to re-add it.

    > - not to mention the confusion to the poor punter like me, who
    > expects that if I then remove a user from being a member of Users then
    > he stops being a member of Users.
    >
    Once more, if you do not let INTERACTIVE and/or Authenticated Users
    be a member of Users, then removing an account from the Users group
    does in fact stop that account from being a member of Users.
    If INTERACTIVE is a member of Users, then as soon as an account
    has logged in locally INTERACTIVE is replaced by that account,
    making the account a member of Users. Similarly with Authenticated
    Users, except that as soon as an account has authenticated it becomes
    a member of Authenticated Users, and hence of Users.
    You can remove these from Users if you do not want this behavior.

    > (Maybe I just need to go to someone to knock the sense out of me :(
    > After working 20+ years with the AS/400 [1] I find I must learn to stop
    > thinking logically)
    It is actually very logical as it is. Having run VM/CMS for many years
    in the distant past I would venture to say that it is equally logical as
    A, B, . . . G is (was) there and that the Windows way is more well
    ordered and mathematical.

    > >
    > >(Of course it isn't a very GOOD name <grin> and should have been called
    > >Automatic or perhaps best would have been Dynamic Groups since the OS
    > >automatically assigns users to the special groups automatically and
    > >dynamically when they meet certain conditions.)
    >
    > [1] For those not that old, the AS/400 (and its parent the S/38) were
    > first designed by a group of academics, the operating system was then
    > written, and the hardware (microcode) built to satisfy the needs of the
    > OS. Ahhh - those were the days :)
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  32. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <eUD7OQ88EHA.2572@tk2msftngp13.phx.gbl>, Roger Abell
    <mvpNOSpam@asu.edu> Thu, 6 Jan 2005 00:51:04 writes

    >For W2k the initial, install defaults for the security ACLs on reg
    >vals, folders, files, services, etc. are contained in the file setup
    >security.inf to be found in your c:\WINNT\security\templates folder.

    [Snip wealth of info]

    I have got as far as installing the snap-in and viewing the template -
    (interesting how a messy text file can look so nice when presented via a
    GUI)

    I have saved your post and will work at it later - many thanks.
    --
    Les Desser
    (The Reply-to address IS valid)
  33. Archived from groups: microsoft.public.win2000.security (More info?)

    Good luck Les - there is a lot of technology there.
    If you search on Security Configuration Toolset, and
    similar on the MS site you will likely find some step by
    steps on using the snap-ins.

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:omCsZRJQPa3BFAxJ@dessergroup.onetel.co.uk...
    > In article <eUD7OQ88EHA.2572@tk2msftngp13.phx.gbl>, Roger Abell
    > <mvpNOSpam@asu.edu> Thu, 6 Jan 2005 00:51:04 writes
    >
    >>For W2k the initial, install defaults for the security ACLs on reg vals,
    >>folders, files, services, etc. are contained in the file setup
    >>security.inf to be found in your c:\WINNT\security\templates folder.
    >
    > [Snip wealth of info]
    >
    > I have got as far as installing the snap-in and viewing the template -
    > (interesting how a messy text file can look so nice when presented via a GUI)
    >
    > I have saved your post and will work at it later - many thanks.
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  34. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <#j9oj#98EHA.2180@TK2MSFTNGP12.phx.gbl>, Herb Martin
    <news@LearnQuick.com> Thu, 6 Jan 2005 05:00:38 writes

    >"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    >news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
    >> As Herb indicated Users is a group.
    >> Nothing magic about it. The membership of Users is
    >> clearly viewable, and Users contains nothing other than
    >> what is there, clearly viewable.

    Yes but not so clear...

    I see a list of users (which no longer exist on my system) followed by

    NT AUTHORITY\Authenticated Users (S-1-5-11)
    NT AUTHORITY\INTERACTIVE (S-1-5-4)

    (not sure of the bits in brackets)

    I accept that for the initiated, they know that when I remove Les from
    group Users, Les is STILL a member of Users because he is an
    Authenticated User ... Had Les never been or allowed to be an explicit
    member of Users then I think I would have cottoned on to what was going
    on.

    After further messing about I can give a little ground :) I see that
    the two entries above can be merrily deleted from Users - and I think an
    early responder to my initial post mentioned that the default structure
    could be changed.

    So I can see that if that were the case then adding individual users
    into Users would have meaning.

    I see I have stepped into a minefield - and the quicker I depart the
    healthier it would be :)

    But seriously, I have learnt a lot (obviously only a little of what
    there is to know) and would thank all for the detailed posts - several
    of which followed this one.
    >
    [Snip details]

    I have kept this and several other posts for further reading. Should
    keep me out of mischief for a while.
    --
    Les Desser
    (The Reply-to address IS valid)
  35. Archived from groups: microsoft.public.win2000.security (More info?)

    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:xmRqpBLcya3BFASf@dessergroup.onetel.co.uk...
    > In article <#j9oj#98EHA.2180@TK2MSFTNGP12.phx.gbl>, Herb Martin
    > <news@LearnQuick.com> Thu, 6 Jan 2005 05:00:38 writes
    >
    > >"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > >news:uEfaut78EHA.3708@TK2MSFTNGP14.phx.gbl...
    > >> As Herb indicated Users is a group.
    > >> Nothing magic about it. The membership of Users is
    > >> clearly viewable, and Users contains nothing other than
    > >> what is there, clearly viewable.
    >
    > Yes but not so clear...
    >
    > I see a list of users (which no longer exist on my system) followed by
    >
    > NT AUTHORITY\Authenticated Users (S-1-5-11)
    > NT AUTHORITY\INTERACTIVE (S-1-5-4)
    >
    > (not sure of the bits in brackets)
    >

    They are called the SIDs. These are the true, unique internal identifier
    of the principal. In the case of these two, these are "well known sids"
    which means that they are the same on any instance of Windows.
    Most SIDs have a part in them that makes them uniquely tied to only
    one instance of installed Windows.

    > I accept that for the initiated, they know that when I remove Les from
    > group Users, Les is STILL a member of Users because he is an
    > Authenticated User ... Had Les never been or allowed to be an explicit
    > member of Users then I think I would have cottoned on to what was going
    > on.
    >
    > After further messing about I can give a little ground :) I see that
    > the two entries above can be merrily deleted from Users - and I think an
    > early responder to my initial post mentioned that the default structure
    > could be changed.

    That would be me . . .
    I also cautioned that one may need to make sure that the parts, if any,
    of what these were doing and which one desired to retain would need
    to be otherwise provided for.
    For example, if you remove these from Users, then on XP or W2k3 if
    you were to enable the Guest account and allow it to log in locally you
    would find that the logon would be unsuccessful, unless you either added
    one of these back into Users or explicitly added Guest to Users.

    In early NT 4 these were not members of Users - that installation default
    membership of Users started with the release of W2k.
    >
    > So I can see that if that were the case then adding individual users
    > into Users would have meaning.
    >
    > I see I have stepped into a minefield - and the quicker I depart the
    > healthier it would be :)
    >

    Not necessarily. You have likely learned a little of this OS and of
    its history. Further, you have expressed such that I can see that we
    agree on this. I have for years been very vocal with MS that having
    these two in the default membership of Users is wrong, that it obviates
    just what Users should be about, and that it makes extra work for corps
    where specific accounts and only those accounts are supposed to be
    allowed to log in at specific machines.

    > But seriously, I have learnt a lot (obviously only a little of what
    > there is to know) and would thank all for the detailed posts - several
    > of which followed this one.

    No problem Les. It has been sort of a fun exchange.

    > >
    > [Snip details]
    >
    > I have kept this and several other posts for further reading. Should
    > keep me out of mischief for a while.
    . . . and if they do not, just remember the link
    www.reskits.com
    --
    ra
    > --
    > Les Desser
    > (The Reply-to address IS valid)
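    The mechanism described in posts 31 and 35, as an added Python model that is not code from the thread or from Windows itself: it builds a logon token's group list from the explicit member list of Users plus the dynamic principals INTERACTIVE (S-1-5-4) and Authenticated Users (S-1-5-11), so you can see why removing an account from Users does not remove it while those two are nested there, and why a Guest logon stops being an effective member once both are taken out. The machine SID and account RIDs are constructed values; the Everyone SID S-1-1-0 and the BUILTIN\Users and BUILTIN\Administrators SIDs are standard Windows values not quoted in the thread.

```python
"""Model of how a Windows logon token picks up local group membership
through the dynamic principals INTERACTIVE and Authenticated Users.

Added example; not code from the thread and not Windows code.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Well-known SIDs quoted in the thread (identical on every Windows install).
SID_INTERACTIVE = "S-1-5-4"
SID_AUTHENTICATED_USERS = "S-1-5-11"
# Standard Windows values not quoted in the thread.
SID_EVERYONE = "S-1-1-0"
BUILTIN_USERS = "S-1-5-32-545"
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# Constructed machine SID; real ones carry an install-specific S-1-5-21-... part.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def is_machine_specific(sid: str) -> bool:
    """True for SIDs tied to one install (machine or domain accounts),
    False for well-known SIDs such as S-1-5-4 that are the same everywhere."""
    return sid.startswith("S-1-5-21-")


@dataclass
class LocalGroup:
    sid: str
    name: str
    members: set[str] = field(default_factory=set)


@dataclass
class Account:
    sid: str
    name: str
    # Guest and anonymous logons are not placed in Authenticated Users.
    authenticated: bool = True


def default_groups() -> dict[str, LocalGroup]:
    """W2k-style install default described in the thread: INTERACTIVE and
    Authenticated Users are nested inside Users."""
    return {
        BUILTIN_USERS: LocalGroup(
            BUILTIN_USERS, "Users", {SID_INTERACTIVE, SID_AUTHENTICATED_USERS}
        ),
        BUILTIN_ADMINISTRATORS: LocalGroup(BUILTIN_ADMINISTRATORS, "Administrators"),
    }


def token_groups(account: Account, groups: dict[str, LocalGroup],
                 logon_type: str) -> set[str]:
    """Return the SIDs carried by the logon token.

    logon_type is "interactive" (at the keyboard) or "network". The dynamic
    principals are added first; then local groups are expanded until nothing
    new appears, which is what makes nested membership transitive."""
    if logon_type not in ("interactive", "network"):
        raise ValueError(f"unknown logon type: {logon_type}")
    token = {account.sid, SID_EVERYONE}
    if logon_type == "interactive":
        token.add(SID_INTERACTIVE)
    if account.authenticated:
        token.add(SID_AUTHENTICATED_USERS)
    changed = True
    while changed:
        changed = False
        for group in groups.values():
            if group.sid not in token and token & group.members:
                token.add(group.sid)
                changed = True
    return token


def membership_paths(account: Account, groups: dict[str, LocalGroup],
                     group_sid: str, logon_type: str) -> set[str]:
    """Which entries of the group's member list actually put this logon
    into the group. An empty set means the account is not an effective member."""
    return token_groups(account, groups, logon_type) & groups[group_sid].members


def main() -> None:
    groups = default_groups()
    les = Account(f"{MACHINE_SID}-1001", "Les")
    guest = Account(f"{MACHINE_SID}-501", "Guest", authenticated=False)
    # Default install: Les was added to Users explicitly when the account was created.
    groups[BUILTIN_USERS].members.add(les.sid)
    print("Les explicit:", membership_paths(les, groups, BUILTIN_USERS, "interactive"))
    groups[BUILTIN_USERS].members.discard(les.sid)
    print("Les removed:", membership_paths(les, groups, BUILTIN_USERS, "interactive"))
    groups[BUILTIN_USERS].members -= {SID_INTERACTIVE, SID_AUTHENTICATED_USERS}
    print("dynamic principals removed:",
          membership_paths(les, groups, BUILTIN_USERS, "interactive"))
    print("Guest after removal:",
          membership_paths(guest, groups, BUILTIN_USERS, "interactive"))


if __name__ == "__main__":
    main()
```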
  36. Archived from groups: microsoft.public.win2000.security (More info?)

    > >Even Everyone is a group in the true sense although this class has its
    > >own name as well: Special Groups.
    >
    > OK - point taken, but can you justify setting a user explicitly as a
    > member of Users (and this is the default) when they are anyway a member of
    > Users - not to mention the confusion to the poor punter like me, who
    > expects that if I then remove a user from being a member of Users then
    > he stops being a member of Users.

    But that is precisely what Microsoft has done once you
    realize that all privileges SHOULD be given through a
    group, Users is a group which by default holds all
    ordinary User accounts, and this Users group is used
    to give the standard permissions needed to "Use the
    system(s)".

    Maybe a better, i.e., more specific, name -- and I am
    a big proponent of proper naming -- could have been
    chosen but I cannot think of a better name offhand.

    (Site Link Bridges ARE misnamed, the "Local" Special
    group is slightly misnamed - it should have been Direct
    in contrast to Network or some such.)

    > (Maybe I just need to go to someone to knock the sense out of me :(
    > After working 20+ years with the AS/400 [1] I find I must learn to stop
    > thinking logically)

    This is perfectly logical -- an account does not necessarily
    have to be a "user" -- it might be a service or an anonymous
    type account.

    It is the membership in Users that makes a user-type account
    a "User" or the Computer or Domain computers in general.


    --
    Herb Martin


    "Les Desser" <NewsDump1@dessergroup.com> wrote in message
    news:ymmqZ4IAPa3BFAzf@dessergroup.onetel.co.uk...
    > In article <uOA16728EHA.3988@TK2MSFTNGP10.phx.gbl>, Herb Martin
    > <news@LearnQuick.com> Wed, 5 Jan 2005 15:29:59 writes
    >
    > >> I just wish that that the definition of a group would not be muddied by
    > >> having special collections such as Users called the same as a group
    > >> created by human intelligence - see my reply to Herb a few minutes ago.
    > >
    > >I would really need to disagree with this (false) distinction -- Users
    > >is indeed in every sense a Group.
    > >
    > >It just happens to be a Built-In Group with built-in behavior which can
    > >be critical to getting a system to work by default.
    > >
    > >Even Everyone is a group in the true sense although this class has its
    > >own name as well: Special Groups.
    >
    > OK - point taken, but can you justify setting a user explicitly as a
    > member of Users (and this is the default) when they are anyway a member of
    > Users - not to mention the confusion to the poor punter like me, who
    > expects that if I then remove a user from being a member of Users then
    > he stops being a member of Users.
    >
    > (Maybe I just need to go to someone to knock the sense out of me :(
    > After working 20+ years with the AS/400 [1] I find I must learn to stop
    > thinking logically)
    > >
    > >(Of course it isn't a very GOOD name <grin> and should have been called
    > >Automatic or perhaps best would have been Dynamic Groups since the OS
    > >automatically assigns users to the special groups automatically and
    > >dynamically when they meet certain conditions.)
    >
    > [1] For those not that old, the AS/400 (and its parent the S/38) were
    > first designed by a group of academics, the operating system was then
    > written, and the hardware (microcode) built to satisfy the needs of the
    > OS. Ahhh - those were the days :)
    > --
    > Les Desser
    > (The Reply-to address IS valid)
  37. Archived from groups: microsoft.public.win2000.security (More info?)

    > An account is automatically added to users as a part of the
    > process of defining the new account.
    > Hence, you do not need to add it to Users unless you have
    > removed it and want to readd it.

    Yes, and only (somewhat) knowledgeable people (e.g.,
    experts or at least tyros who think themselves experts
    <grin>) can get a user account out of Users.
  38. Archived from groups: microsoft.public.win2000.security (More info?)

    "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    news:Ojp$sCE9EHA.1392@tk2msftngp13.phx.gbl...

    <snip stuff>

    > I take a more simple approach. I think of things as Groups
    > if I can manage their membership, even though MS (at times)
    > would like some of these referenced as Built-in Groups.

    I do this OR if it can be managed like a group in the sense
    that I can put it into other groups, assign it permissions etc,
    and it represents conceptually 1 or more unnamed users.

    This is of course Microsoft's long standard practice of
    including Special Groups in the group types discussion.

    > To me, if I have defined it then it is a custom group and I just
    > say "custom group" if I want to emphasize this. Otherwise a
    > group is a group is good enough for me.

    Yes, I seldom need to say "user/admin defined or custom"
    group.

    > Then, I think of the rest (where I cannot manage the membership)
    > as either Special Groups (your dynamic groups which I find to be
    > an appealing terminology), or as placeholder principals. Then to
    > round things out, there are the Well Known SIDs.

    Yes, dynamic groups says it much more clearly -- WHY it is
    special.

    > Issues like the doc speaking of the SYSTEM account but the GUI
    > displaying the SYSTEM "account" often using the icon for a Group
    > does not help matters.

    Never noticed that.

    Of course I may be one of the few people that regularly
    assign or (more likely) DENIES access to System. <grin>

    > Maybe some day things will have completed evolution so that a
    > terminology that is both simple and sufficient can be established.

    Actually it would hurt. Usually once a bad terminology
    "sticks" it is worse to change it because then you have
    the "bad terminology" and the new "good stuff" and not
    only do you now have to explain the bad but explain how
    it is the same as the good.

    A current peeve of mine is the (correct) renaming of Primary
    vs. Active Directory Integrated zone type, into Primaries
    that are either "standard" or "AD integrated".

    I WOULD HAVE preferred the latter had it been used at
    first - but now it just adds to the confusion.

    Of course "Site Link Bridge" is so misleading that I TEACH
    everyone to mentally rename it to Site Link Bridge-Group,
    or Bridge-Grouping to help clarify what it does.
  39. Archived from groups: microsoft.public.win2000.security (More info?)

    I am not so sure as to how much trouble in the life of the software
    result from living with bad naming conventions as compared to
    having new/appropriate ones (for a time) co-exist with the ones
    that are being aged out.

    The ambiguity you mention on primary DNS zones, the ones that
    are standard primary and the ones that are AD integrated has always
    existed. I struggled with this very thing when writing Windows
    2000 DNS in late 1999, eventually deciding on the tactic used just
    now. If it is SOA it is primary - whether AD integrated or not, and
    if not then use the "std" adjective to indicate old-school, bind type
    semantics.

    Sometimes I am tempted to distinguish the "special" principals
    based on whether they, like Authenticated Users, cause an addition
    to the user token, or whether they really are only used on the objects
    being secured where they are interpreted with "special handling".
    However, that is just too deep for practical, daily use.

    I believe that we have the term "special" principals and "special"
    groups because the naming originated with the dev from a dev
    mentality - they had to write one-off, special case code to handle.

    Oh, and speaking of pet peeves, my newest, as of today is the
    "Malicious Software" Removal Tool, or was that the Malicious
    "Software Removal" Tool ??

    In future you will likely see me using the term dynamic and/or
    synonymously automatic for the groups of the type we have here
    discussed. It is meaningful, and distinguishes well the category
    from what I have termed a (normal, custom or not) group.

    --
    Roger

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:Oo0bnII9EHA.3592@TK2MSFTNGP09.phx.gbl...
    > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    > news:Ojp$sCE9EHA.1392@tk2msftngp13.phx.gbl...
    >
    > <snip stuff>
    >
    > > I take a more simple approach. I think of things as Groups
    > > if I can manage their membership, even though MS (at times)
    > > would like some of these referenced as Built-in Groups.
    >
    > I do this OR if it can be managed like a group in the sense
    > that I can put it into other groups, assign it permissions etc,
    > and it represents conceptually 1 or more unnamed users.
    >
    > This is of course Microsoft's long standard practice of
    > including Special Groups in the group types discussion.
    >
    > > To me, if I have defined it then it is a custom group and I just
    > > say "custom group" if I want to emphasize this. Otherwise a
    > > group is a group is good enough for me.
    >
    > Yes, I seldom need to say "user/admin defined or custom"
    > group.
    >
    > > Then, I think of the rest (where I cannot manage the membership)
    > > as either Special Groups (your dynamic groups which I find to be
    > > an appealing terminology), or as placeholder principals. Then to
    > > round things out, there are the Well Known SIDs.
    >
    > Yes, dynamic groups says it much more clearly -- WHY it is
    > special.
    >
    > > Issues like the doc speaking of the SYSTEM account but the GUI
    > > displaying the SYSTEM "account" often using the icon for a Group
    > > does not help matters.
    >
    > Never noticed that.
    >
    > Of course I may be one of the few people that regularly
    > assigne or (more likely) DENIES access to System. <grin>
    >
    > > Maybe some day things will have completed evolution so that a
    > > terminology that is both simple and sufficient can be established.
    >
    > Actually it would hurt. Usually once a bad terminology
    > "sticks" it is worse to change it because then you have
    > the "bad terminology" and the new "good stuff" and not
    > only do you now have to explain the bad but explain how
    > it is the same as the good.
    >
    > A current peeve of mine is the (correct) renaming of Primary
    > vs. Active Directory Integrated zone type, into Primaries
    > that are either "standard" or "AD integrated" .
    >
    > I WOULD HAVE preferred the latter had it been used at
    > first - but now it just adds to the confusion.
    >
    > Of course "Site Link Bridge" is so misleading that I TEACH
    > everyone to mentally rename it to Site Link Bridge-Group,
    > or Bridge-Grouping to help clarify what it does.
    >
    >
  40. Archived from groups: microsoft.public.win2000.security (More info?)

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:uzB90mJ9EHA.3320@TK2MSFTNGP10.phx.gbl...
    > I am not so sure as to how much trouble in the life of the software
    > result from living with bad maning conventions as compared to
    > having new/appropriate ones (for a time) co-exist with the ones
    > that are being aged out.
    >
    > The ambiguity you mention on primary DNS zones, the ones that
    > are standard primary and the ones that are AD integrated has always
    > existed. I struggled with this very thing when writing Windows
    > 2000 DNS in late 1999, eventually deciding on the tactic used just
    > now. If it is SOA it is primary - whether AD integrated or not, and
    > if not then use the "std" adjective to indicate old-school, bind type
    > semantics.

    RE: "If it is SOA it is primary" -- What do you mean specifically
    by this phrase?

    (I have corrected similar terminology in the past, so I would
    like to know what that means before agreeing or disagreeing.)

    All DNS servers that hold the zone have an SOA record and
    are authoritative for the zone (ok, ignoring Stub zones for now.)

    > Sometimes I am tempted to distinguish the "special" principals
    > based on whether they, like Authenticated Users, cause an addition
    > to the user token, or whether they really are only used on the objects
    > being secured where they are interpreted with "special handling".
    > However, that is just too deep for practical, daily use.

    Yes, it would help no one except system programmers who
    really have no problem with the distinctions to begin with.

    > Oh, and speaking of pet peeves, my newest, as of today is the
    > "Malicious Software" Removal Tool, or was that the Malicious
    > "Software Removal" Tool ??

    You probably would get a kick out of noticing the
    breakdown (pun intended) of the following profession:

    psycho-the-rapist

    > In future you will likely see me using the term dynamic and/or
    > synonomously automatic for the groups of type we have here
    > discussed.

    I don't usually, even though I invented the terms because
    then I must explain the standard Microsoft terminology too.

    Generally when teaching about those I do mention these
    names (dynamic or automatic) would have been better
    choices.

    > It is meaningful, and distinguishes well the category
    > from what I have terms a (normal, custom or not) group.

    Yes, many times just mentioning the better name choices
    is all someone needs to latch onto the correct idea and
    accept the clumsy name as-is.

    For SiteLinkBridge(Groups) and Superscope(Groups)
    I try to get everyone to ALWAYS append the word
    Groups (or Grouping etc) to the name so as to remember
    precisely what they do.


    --
    Herb Martin


    >
    > --
    > Roger
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:Oo0bnII9EHA.3592@TK2MSFTNGP09.phx.gbl...
    > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    > > news:Ojp$sCE9EHA.1392@tk2msftngp13.phx.gbl...
    > >
    > > <snip stuff>
    > >
    > > > I take a more simple approach. I think of things as Groups
    > > > if I can manage their membership, even though MS (at times)
    > > > would like some of these referenced as Built-in Groups.
    > >
    > > I do this OR if it can be managed like a group in the sense
    > > that I can put it into other groups, assign it permissions etc,
    > > and it represents conceptionally 1 or more unnamed users.
    > >
    > > This is of course Microsoft's long standard practice of
    > > including Special Groups in the group types discussion.
    > >
    > > > To me, if I have defined it then it is a custom group and I just
    > > > say "custom group" if I want to emphasize this. Otherwise a
    > > > group is a group is good enough for me.
    > >
    > > Yes, I seldom need to say "user/admin defined or custom"
    > > group.
    > >
    > > > Then, I think of the rest (where I cannot manage the membership)
    > > > as either Special Groups (your dynamic groups which I find to be
    > > > an appealing terminology), or as placeholder principals. Then to
    > > > round things out, there are the Well Known SIDs.
    > >
    > > Yes, dynamic groups says it much more clearly -- WHY it is
    > > special.
    > >
    > > > Issues like the doc speaking of the SYSTEM account but the GUI
    > > > displaying the SYSTEM "account" often using the icon for a Group
    > > > does not help matters.
    > >
    > > Never noticed that.
    > >
    > > Of course I may be one of the few people that regularly
    > > assigne or (more likely) DENIES access to System. <grin>
    > >
    > > > Maybe some day things will have completed evolution so that a
    > > > terminology that is both simple and sufficient can be established.
    > >
    > > Actually it would hurt. Usually once a bad terminology
    > > "sticks" it is worse to change it because then you have
    > > the "bad terminology" and the new "good stuff" and not
    > > only do you now have to explain the bad but explain how
    > > it is the same as the good.
    > >
    > > A current peeve of mine is the (correct) renaming of Primary
    > > vs. Active Directory Integrated zone type, into Primaries
    > > that are either "standard" or "AD integrated" .
    > >
    > > I WOULD HAVE preferred the latter had it been used at
    > > first - but now it just adds to the confusion.
    > >
    > > Of course "Site Link Bridge" is so misleading that I TEACH
    > > everyone to mentally rename it to Site Link Bridge-Group,
    > > or Bridge-Grouping to help clarify what it does.
    > >
    > >
    >
    >
  41. Archived from groups: microsoft.public.win2000.security (More info?)

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:uzVCNgN9EHA.2032@tk2msftngp13.phx.gbl...
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:uzB90mJ9EHA.3320@TK2MSFTNGP10.phx.gbl...
    > > I am not so sure as to how much trouble in the life of the software
    > > result from living with bad maning conventions as compared to
    > > having new/appropriate ones (for a time) co-exist with the ones
    > > that are being aged out.
    > >
    > > The ambiguity you mention on primary DNS zones, the ones that
    > > are standard primary and the ones that are AD integrated has always
    > > existed. I struggled with this very thing when writing Windows
    > > 2000 DNS in late 1999, eventually deciding on the tactic used just
    > > now. If it is SOA it is primary - whether AD integrated or not, and
    > > if not then use the "std" adjective to indicate old-school, bind type
    > > semantics.
    >
    > RE: "If it is SOA it is primary" -- What do you mean specifically
    > by this phrase?
    >

    If the zone holds an SOA record for the DNS server, then it is
    primary on that DNS server. If not, it is not, and so is secondary.
    Now, it turns out that the RFC allows for only one SOA and so
    with AD integrated DNS zone one will see that the SOA resource
    record is different on each DC where it is hosted as an AD
    integrated primary zone. But, if a zone is in the DNS on a DC
    or otherwise, and that server is not named in SOA resource record
    in the zone data, then it is not primary (i.e. is secondary).

    > (I have corrected similar terminology in the past, so I would
    > like to know what that means before agreeing or disagreeing.)
    >
    > All DNS servers that hold the zone have an SOA record and
    > are authoritative for the zone (ok, ignoring Stub zones for now.)
    >

    You may be thinking on NS records here . . .

    > > Sometimes I am tempted to distinguish the "special" principals
    > > based on whether they, like Authenticated Users, cause an addition
    > > to the user token, or whether they really are only used on the objects
    > > being secured where they are interpreted with "special handling".
    > > However, that is just too deep for practical, daily use.
    >
    > Yes, it would help no one except system programmers who
    > really have no problem with the distinctions to begin with.
    >
    > > Oh, and speaking of pet peeves, my newest, as of today is the
    > > "Malicious Software" Removal Tool, or was that the Malicious
    > > "Software Removal" Tool ??
    >
    > You probably would get a kick out of noticing the
    > breakdown (pun intended) of the following profession:
    >
    > psycho-the-rapist
    >

    all these years and I have managed to not see that one . . .


    > > In future you will likely see me using the term dynamic and/or
    > > synonomously automatic for the groups of type we have here
    > > discussed.
    >
    > I don't usually, even though I invented the terms because
    > then I must explain the standard Microsoft terminology too.
    >
    > Generally when teaching about those I do mention these
    > names (dynamic or automatic) would have been better
    > choices.
    >
    > > It is meaningful, and distinguishes well the category
    > > from what I have terms a (normal, custom or not) group.
    >
    > Yes, many times just mentioning the better name choices
    > is also someone needs to latch onto the correct idea and
    > accept the clumsy name as-is.
    >
    > For SiteLinkBridge(Groups) and Superscope(Groups)
    > I try to get everyone to ALWAYS append the word
    > Groups (or Grouping etc) to the name so as to remember
    > precisely what they do.
    >
    >
    > --
    > Herb Martin
    >
    >
    > >
    > > --
    > > Roger
    > >
    > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > news:Oo0bnII9EHA.3592@TK2MSFTNGP09.phx.gbl...
    > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
    > > > news:Ojp$sCE9EHA.1392@tk2msftngp13.phx.gbl...
    > > >
    > > > <snip stuff>
    > > >
    > > > > I take a more simple approach. I think of things as Groups
    > > > > if I can manage their membership, even though MS (at times)
    > > > > would like some of these referenced as Built-in Groups.
    > > >
    > > > I do this OR if it can be managed like a group in the sense
    > > > that I can put it into other groups, assign it permissions etc,
    > > > and it represents conceptionally 1 or more unnamed users.
    > > >
    > > > This is of course Microsoft's long standard practice of
    > > > including Special Groups in the group types discussion.
    > > >
    > > > > To me, if I have defined it then it is a custom group and I just
    > > > > say "custom group" if I want to emphasize this. Otherwise a
    > > > > group is a group is good enough for me.
    > > >
    > > > Yes, I seldom need to say "user/admin defined or custom"
    > > > group.
    > > >
    > > > > Then, I think of the rest (where I cannot manage the membership)
    > > > > as either Special Groups (your dynamic groups which I find to be
    > > > > an appealing terminology), or as placeholder principals. Then to
    > > > > round things out, there are the Well Known SIDs.
    > > >
    > > > Yes, dynamic groups says it much more clearly -- WHY it is
    > > > special.
    > > >
    > > > > Issues like the doc speaking of the SYSTEM account but the GUI
    > > > > displaying the SYSTEM "account" often using the icon for a Group
    > > > > does not help matters.
    > > >
    > > > Never noticed that.
    > > >
    > > > Of course I may be one of the few people that regularly
    > > > assigne or (more likely) DENIES access to System. <grin>
    > > >
    > > > > Maybe some day things will have completed evolution so that a
    > > > > terminology that is both simple and sufficient can be established.
    > > >
    > > > Actually it would hurt. Usually once a bad terminology
    > > > "sticks" it is worse to change it because then you have
    > > > the "bad terminology" and the new "good stuff" and not
    > > > only do you now have to explain the bad but explain how
    > > > it is the same as the good.
    > > >
    > > > A current peeve of mine is the (correct) renaming of Primary
    > > > vs. Active Directory Integrated zone type, into Primaries
    > > > that are either "standard" or "AD integrated" .
    > > >
    > > > I WOULD HAVE preferred the latter had it been used at
    > > > first - but now it just adds to the confusion.
    > > >
    > > > Of course "Site Link Bridge" is so misleading that I TEACH
    > > > everyone to mentally rename it to Site Link Bridge-Group,
    > > > or Bridge-Grouping to help clarify what it does.
    > > >
    > > >
    > >
    > >
    >
    >
  42. Archived from groups: microsoft.public.win2000.security (More info?)

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > RE: "If it is SOA it is primary" -- What do you mean specifically
    > > by this phrase?
    > >
    >
    > If the zone holds an SOA record for the DNS server, then it is
    > primary on that DNS server. If not, it is not, and so is secondary.

    No, that is just wrong -- all secondaries hold a copy of
    the SOA. This is part of the mistaken terminology (and
    just an odd way of saying it) that I try to correct.

    You know this if you think about your own secondaries
    a moment since all of them have that SOA record --
    which like all other records on the secondary is not
    editable.

    In BIND, or any traditional DNS you also know that the
    "zone transfer" is a file transfer of the entire zone file,
    including the SOA record, which functions as the HEADER
    record of the zone.

    I see the problem below so keep reading please...

    > Now, it turns out that the RFC allows for only one SOA and so
    > with AD integrated DNS zone one will see that the SOA resource
    > record is different on each DC where it is hosted as an AD
    > integrated primary zone. But, if a zone is in the DNS on a DC
    > or otherwise, and that server is not named in SOA resource record
    > in the zone data, then it is not primary (i.e. is secondary).

    Ok, you are confusing "named in [the] SOA" [as primary]
    with "holds" the SOA record itself.

    It's a poor distinction in any case since so many people are
    already confused about SOA records in general (or know
    nothing about them) and because they then extrapolate this
    confusion to claim that Secondaries are (incorrectly) not
    authoritative.

    Traditionally the SOA record could only list one
    "Primary server" because there was only one copy
    of the replicated SOA record -- the same on all
    authoritative servers.

    Today, each DC may have an editable copy/version
    and the option arose to suppress the replication of that
    specific field even though other elements must be
    replicated (responsible person, serial number, etc.)
    to maintain the zone integrity.

    There is a much simpler way, and that is if the SOA is
    "editable" on that server it is one of the "set of Primary
    servers".


    --
    Herb Martin
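    The two posts above argue past each other over one distinction: every copy of a zone, secondary or primary, carries the SOA RR, but only the server named in that RR's MNAME field is primary there, and an AD-integrated zone names a different DC in each DC's copy. The script below is an added example, not code from either poster; the server names and zone data are constructed, and the serial-skew check is an addition for an operator who wants to spot a secondary or DC that is behind the newest copy.

```python
"""Classify each server's copy of a zone as primary or secondary using the
SOA RR's MNAME, and show that holding the SOA RR is not the same as being
named in it. Added example; zone data below is constructed, not real."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SOA:
    """Fields of an SOA resource record (RFC 1035 section 3.3.13)."""
    mname: str     # the server the SOA RR names as start of authority
    rname: str     # responsible-person mailbox
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def canon(name: str) -> str:
    """Normalise a DNS name for comparison: lower-case, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_soa(rdata: str) -> SOA:
    """Parse SOA rdata in master-file text form, e.g.
    'ns1.example.test. hostmaster.example.test. 2004120101 3600 900 604800 86400'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA rdata needs 7 fields, got {len(fields)}: {rdata!r}")
    mname, rname, *nums = fields
    try:
        serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    except ValueError as exc:
        raise ValueError(f"non-numeric serial or timer in {rdata!r}") from exc
    return SOA(canon(mname), canon(rname), serial, refresh, retry, expire, minimum)


@dataclass(frozen=True)
class ZoneCopy:
    """One server's copy of the zone. Every copy, primary or secondary, holds the SOA RR."""
    server: str
    soa: SOA
    ns: frozenset  # the zone's NS RRset, identical on every copy


def is_authoritative(copy: ZoneCopy) -> bool:
    """Authority is advertised by the NS RRset, not by the SOA RR: a secondary
    listed in NS answers authoritatively just like the primary."""
    return canon(copy.server) in {canon(n) for n in copy.ns}


def is_primary(copy: ZoneCopy) -> bool:
    """The MNAME test: this copy is primary on this server iff the SOA RR
    it holds names this very server."""
    return copy.soa.mname == canon(copy.server)


def classify(copies) -> dict:
    """Map each server to 'primary' or 'secondary' under the MNAME test."""
    return {canon(c.server): ("primary" if is_primary(c) else "secondary") for c in copies}


def replication_model(copies) -> str:
    """'bind' when exactly one copy names itself (one MNAME everywhere),
    'ad-integrated' when every copy names itself, 'mixed' otherwise."""
    n_primary = sum(is_primary(c) for c in copies)
    if n_primary == 1:
        return "bind"
    if n_primary == len(copies) and n_primary > 0:
        return "ad-integrated"
    return "mixed"


def serial_skew(copies) -> dict:
    """Servers whose SOA serial lags the newest serial seen: a lagging secondary
    has not transferred, a lagging AD-integrated DC has not yet replicated."""
    newest = max(c.soa.serial for c in copies)
    return {canon(c.server): newest - c.soa.serial for c in copies if c.soa.serial < newest}


# Constructed sample data (hypothetical names), not taken from the thread.
NS_RRSET = frozenset({"ns1.example.test.", "ns2.example.test."})
BIND_STYLE = [  # one primary, one secondary; both hold the SOA RR, only ns1 is named in it
    ZoneCopy("ns1.example.test", parse_soa(
        "ns1.example.test. hostmaster.example.test. 2004120102 3600 900 604800 86400"), NS_RRSET),
    ZoneCopy("ns2.example.test", parse_soa(
        "ns1.example.test. hostmaster.example.test. 2004120101 3600 900 604800 86400"), NS_RRSET),
]
DC_RRSET = frozenset({"dc1.corp.example.test.", "dc2.corp.example.test."})
AD_INTEGRATED = [  # each DC's copy names that DC in MNAME, so every copy is primary
    ZoneCopy("dc1.corp.example.test", parse_soa(
        "dc1.corp.example.test. hostmaster.corp.example.test. 57 900 600 86400 3600"), DC_RRSET),
    ZoneCopy("dc2.corp.example.test", parse_soa(
        "dc2.corp.example.test. hostmaster.corp.example.test. 57 900 600 86400 3600"), DC_RRSET),
]

if __name__ == "__main__":
    for label, copies in (("bind-style", BIND_STYLE), ("ad-integrated", AD_INTEGRATED)):
        print(label, classify(copies), replication_model(copies),
              "authoritative:", [is_authoritative(c) for c in copies],
              "lagging:", serial_skew(copies))
```

    Note that `is_authoritative` is true for every copy in both data sets while `is_primary` is true only where MNAME names the server itself, which is the point Roger makes about the S in SOA versus the NS RRset. The serial-skew function is the practical check: a secondary or DC that lags the newest serial is serving stale data regardless of which label it carries.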
  43. Archived from groups: microsoft.public.win2000.security (More info?)

    <quote>
    the zone holds an SOA record for the DNS server
    </quote>
    "for the DNS server"
    <quote>
    Ok, you are confusing "named in [the] SOA" [as primary]
    with "holds" the SOA record itself.
    </quote>
    No, I was NOT confusing them.
    I was explicitly stating that they are the same
    when the zone is primary.
    <quote>
    There is a much simpler way, and that is if it the SOA
    "editable" on that server it is one of the "set of Primary
    servers".
    </quote>
    which is exactly the effect of the server named in the
    SOA being the server the zone copy is hosted on,
    i.e.
    "the zone holds an SOA record for the DNS server"

    and, as an aside
    <quote>
    It's a poor distinction in any case since so many people are
    already confused about SOA records in general (or know
    nothing about them) and because they then extrapolate this
    confusion to claim that Secondaries are (incorrectly) not
    authoritative.
    </quote>
    Then they need to translate the S of SOA meaningfully,
    and to understand that they are thinking of NS records.
    --
    Roger
    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
    > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > > RE: "If it is SOA it is primary" -- What do you mean specifically
    > > > by this phrase?
    > > >
    > >
    > > If the zone holds an SOA record for the DNS server, then it is
    > > primary on that DNS server. If not, it is not, and so is secondary.
    >
    > No, that is just wrong -- all secondaries hold a copy of
    > the SOA. This is part of the mistaken terminology (and
    > just an odd way of saying it) that I try to correct.
    >
    > You know this if you think about your own secondaries
    > a momemt since all of them have that SOA record --
    > which like all other records on the secondary is not
    > editable.
    >
    > In BIND, or any traditional DNS you also know that the
    > the "zone transfer" is a file transfer of the entire zone file,
    > including the SOA records which functions as the HEADER
    > record of the zone.
    >
    > I see the problem below so keep reading please...
    >
    > > Now, it turns out that the RFC allows for only one SOA and so
    > > with AD integrated DNS zone one will see that the SOA resource
    > > record is different on each DC where it is hosted as an AD
    > > integrated primary zone. But, if a zone is in the DNS on a DC
    > > or otherwise, and that server is not named in SOA resource record
    > > in the zone data, then it is not primary (i.e. is secondary).
    >
    > Ok, you are confusing "named in [the] SOA" [as primary]
    > with "holds" the SOA record itself.
    >
    > It's a poor distinction in any case since so many people are
    > already confused about SOA records in general (or know
    > nothing about them) and because they then extrapolate this
    > confusion to claim that Secondaries are (incorrectly) not
    > authoritative.
    >
    > Traditionally the SOA record could only list one
    > "Primary server" because there was only one copy
    > of the replicated SOA record -- the same on all
    > authoritative servers.
    >
    > Today, each DC may have an editable copy/version
    > and the option arose to suppress the replication of that
    > specific field even though other elements must be
    > replicated (responsible person, serial number, etc.)
    > to maintain the zone integrity.
    >
    > There is a much simpler way, and that is if it the SOA
    > "editable" on that server it is one of the "set of Primary
    > servers".
    >
    >
    > --
    > Herb Martin
    >
    >
  44. Archived from groups: microsoft.public.win2000.security (More info?)

    Herb,

    As an afterthought, I believe I see the source of our
    linguistic confusion.
    To me the SOA RR names the SOA.
    So, saying that the SOA is the DNS server holding the zone
    or
    > If the zone holds an SOA record for the DNS server, then it is
    > primary on that DNS server. If not, it is not, and so is secondary.
    is absolutely correct and precise, as
    > If the zone holds an SOA record for the DNS server
    says, on the DNS server concerned, if the SOA RR names
    that same DNS server as SOA

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
    > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > > RE: "If it is SOA it is primary" -- What do you mean specifically
    > > > by this phrase?
    > > >
    > >
    > > If the zone holds an SOA record for the DNS server, then it is
    > > primary on that DNS server. If not, it is not, and so is secondary.
    >
    > No, that is just wrong -- all secondaries hold a copy of
    > the SOA. This is part of the mistaken terminology (and
    > just an odd way of saying it) that I try to correct.
    >
    > You know this if you think about your own secondaries
    > a momemt since all of them have that SOA record --
    > which like all other records on the secondary is not
    > editable.
    >
    > In BIND, or any traditional DNS you also know that the
    > the "zone transfer" is a file transfer of the entire zone file,
    > including the SOA records which functions as the HEADER
    > record of the zone.
    >
    > I see the problem below so keep reading please...
    >
    > > Now, it turns out that the RFC allows for only one SOA and so
    > > with AD integrated DNS zone one will see that the SOA resource
    > > record is different on each DC where it is hosted as an AD
    > > integrated primary zone. But, if a zone is in the DNS on a DC
    > > or otherwise, and that server is not named in SOA resource record
    > > in the zone data, then it is not primary (i.e. is secondary).
    >
    > Ok, you are confusing "named in [the] SOA" [as primary]
    > with "holds" the SOA record itself.
    >
    > It's a poor distinction in any case since so many people are
    > already confused about SOA records in general (or know
    > nothing about them) and because they then extrapolate this
    > confusion to claim that Secondaries are (incorrectly) not
    > authoritative.
    >
    > Traditionally the SOA record could only list one
    > "Primary server" because there was only one copy
    > of the replicated SOA record -- the same on all
    > authoritative servers.
    >
    > Today, each DC may have an editable copy/version
    > and the option arose to suppress the replication of that
    > specific field even though other elements must be
    > replicated (responsible person, serial number, etc.)
    > to maintain the zone integrity.
    >
    > There is a much simpler way, and that is if it the SOA
    > "editable" on that server it is one of the "set of Primary
    > servers".
    >
    >
    > --
    > Herb Martin
    >
    >
  45. Archived from groups: microsoft.public.win2000.security (More info?)

    > No, I was NOT confusing them.
    > I was explicitly stating the they are the same
    > when the zone is primary.

    Well, there is no way that only the Primary, and
    not secondaries, has an SOA record.

    The SOA is about the zone -- and the Secondaries
    have a copy of this record.

    That it mentions the Primary doesn't mean they
    don't HOLD a copy.

    --
    Herb Martin


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:evo7a5Z9EHA.2316@TK2MSFTNGP15.phx.gbl...
    > <quote>
    > the zone holds an SOA record for the DNS server
    > </quote>
    > "for the DNS server"
    > <quote>
    > Ok, you are confusing "named in [the] SOA" [as primary]
    > with "holds" the SOA record itself.
    > </quote>
    > No, I was NOT confusing them.
    > I was explicitly stating the they are the same
    > when the zone is primary.
    > <quote>
    > There is a much simpler way, and that is if it the SOA
    > "editable" on that server it is one of the "set of Primary
    > servers".
    > </quote>
    > which is exactly the effect of the server named in the
    > SOA being the server the zone copy is hosted on,
    > i.e.
    > "the zone holds an SOA record for the DNS server"
    >
    > and, as an aside
    > <quote>
    > It's a poor distinction in any case since so many people are
    > already confused about SOA records in general (or know
    > nothing about them) and because they then extrapolate this
    > confusion to claim that Secondaries are (incorrectly) not
    > authoritative.
    > </quote>
    > Then they need to translate the S of SOA meaningfully,
    > and to understand that they are thinking of NS records.
    > --
    > Roger
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
    > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
    > > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > > > RE: "If it is SOA it is primary" -- What do you mean specifically
    > > > > by this phrase?
    > > > >
    > > >
    > > > If the zone holds an SOA record for the DNS server, then it is
    > > > primary on that DNS server. If not, it is not, and so is secondary.
    > >
    > > No, that is just wrong -- all secondaries hold a copy of
    > > the SOA. This is part of the mistaken terminology (and
    > > just an odd way of saying it) that I try to correct.
    > >
    > > You know this if you think about your own secondaries
    > > a momemt since all of them have that SOA record --
    > > which like all other records on the secondary is not
    > > editable.
    > >
    > > In BIND, or any traditional DNS you also know that the
    > > the "zone transfer" is a file transfer of the entire zone file,
    > > including the SOA records which functions as the HEADER
    > > record of the zone.
    > >
    > > I see the problem below so keep reading please...
    > >
    > > > Now, it turns out that the RFC allows for only one SOA and so
    > > > with AD integrated DNS zone one will see that the SOA resource
    > > > record is different on each DC where it is hosted as an AD
    > > > integrated primary zone. But, if a zone is in the DNS on a DC
    > > > or otherwise, and that server is not named in SOA resource record
    > > > in the zone data, then it is not primary (i.e. is secondary).
    > >
    > > Ok, you are confusing "named in [the] SOA" [as primary]
    > > with "holds" the SOA record itself.
    > >
    > > It's a poor distinction in any case since so many people are
    > > already confused about SOA records in general (or know
    > > nothing about them) and because they then extrapolate this
    > > confusion to claim that Secondaries are (incorrectly) not
    > > authoritative.
    > >
    > > Traditionally the SOA record could only list one
    > > "Primary server" because there was only one copy
    > > of the replicated SOA record -- the same on all
    > > authoritative servers.
    > >
    > > Today, each DC may have an editable copy/version
    > > and the option arose to suppress the replication of that
    > > specific field even though other elements must be
    > > replicated (responsible person, serial number, etc.)
    > > to maintain the zone integrity.
    > >
    > > There is a much simpler way, and that is if it the SOA
    > > "editable" on that server it is one of the "set of Primary
    > > servers".
    > >
    > >
    > > --
    > > Herb Martin
    > >
    > >
    >
    >
  46. Archived from groups: microsoft.public.win2000.security (More info?)

    It just seems to me now that you are confusing the
    SOA with the SOA RR.
    All copies of the zone hold the SOA RR.
    Only on a primary does the SOA RR name that
    DNS server as SOA.
    In Bindish DNS this happens on only one DNS server,
    whereas in MS AD integrated zones this happens on
    all DCs where the zone is held AD integrated.
    In all cases the zone is primary because the SOA
    that is indicated in the SOA RR is the DNS server.
    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:Oc1d%23zb9EHA.2032@tk2msftngp13.phx.gbl...
    > > No, I was NOT confusing them.
    > > I was explicitly stating the they are the same
    > > when the zone is primary.
    >
    > Well, there is no way that only the Primary, and
    > not secondaries, has an SOA record.
    >
    > The SOA is about the zone -- and the Secondaries
    > have a copy of this record.
    >
    > That is mentions the Primary doesn't mean they
    > don't HOLD a copy.
    >
    > --
    > Herb Martin
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:evo7a5Z9EHA.2316@TK2MSFTNGP15.phx.gbl...
    > > <quote>
    > > the zone holds an SOA record for the DNS server
    > > </quote>
    > > "for the DNS server"
    > > <quote>
    > > Ok, you are confusing "named in [the] SOA" [as primary]
    > > with "holds" the SOA record itself.
    > > </quote>
    > > No, I was NOT confusing them.
    > > I was explicitly stating the they are the same
    > > when the zone is primary.
    > > <quote>
    > > There is a much simpler way, and that is if it the SOA
    > > "editable" on that server it is one of the "set of Primary
    > > servers".
    > > </quote>
    > > which is exactly the effect of the server named in the
    > > SOA being the server the zone copy is hosted on,
    > > i.e.
    > > "the zone holds an SOA record for the DNS server"
    > >
    > > and, as an aside
    > > <quote>
    > > It's a poor distinction in any case since so many people are
    > > already confused about SOA records in general (or know
    > > nothing about them) and because they then extrapolate this
    > > confusion to claim that Secondaries are (incorrectly) not
    > > authoritative.
    > > </quote>
    > > Then they need to translate the S of SOA meaningfully,
    > > and to understand that they are thinking of NS records.
    > > --
    > > Roger
    > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > news:eSO$mPW9EHA.3640@tk2msftngp13.phx.gbl...
    > > > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > > > news:#GdcLAU9EHA.2676@TK2MSFTNGP12.phx.gbl...
    > > > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > > > > RE: "If it is SOA it is primary" -- What do you mean specifically
    > > > > > by this phrase?
    > > > > >
    > > > >
    > > > > If the zone holds an SOA record for the DNS server, then it is
    > > > > primary on that DNS server. If not, it is not, and so is secondary.
    > > >
    > > > No, that is just wrong -- all secondaries hold a copy of
    > > > the SOA. This is part of the mistaken terminology (and
    > > > just an odd way of saying it) that I try to correct.
    > > >
    > > > You know this if you think about your own secondaries
    > > > a momemt since all of them have that SOA record --
    > > > which like all other records on the secondary is not
    > > > editable.
    > > >
    > > > In BIND, or any traditional DNS you also know that the
    > > > "zone transfer" is a file transfer of the entire zone file,
    > > > including the SOA record, which functions as the HEADER
    > > > record of the zone.
    > > >
    > > > I see the problem below so keep reading please...
    > > >
    > > > > Now, it turns out that the RFC allows for only one SOA and so
    > > > > with AD integrated DNS zone one will see that the SOA resource
    > > > > record is different on each DC where it is hosted as an AD
    > > > > integrated primary zone. But, if a zone is in the DNS on a DC
    > > > > or otherwise, and that server is not named in SOA resource record
    > > > > in the zone data, then it is not primary (i.e. is secondary).
    > > >
    > > > Ok, you are confusing "named in [the] SOA" [as primary]
    > > > with "holds" the SOA record itself.
    > > >
    > > > It's a poor distinction in any case since so many people are
    > > > already confused about SOA records in general (or know
    > > > nothing about them) and because they then extrapolate this
    > > > confusion to claim that Secondaries are (incorrectly) not
    > > > authoritative.
    > > >
    > > > Traditionally the SOA record could only list one
    > > > "Primary server" because there was only one copy
    > > > of the replicated SOA record -- the same on all
    > > > authoritative servers.
    > > >
    > > > Today, each DC may have an editable copy/version
    > > > and the option arose to suppress the replication of that
    > > > specific field even though other elements must be
    > > > replicated (responsible person, serial number, etc.)
    > > > to maintain the zone integrity.
    > > >
    > > > There is a much simpler way, and that is if the SOA is
    > > > "editable" on that server it is one of the "set of Primary
    > > > servers".
    > > >
    > > >
    > > > --
    > > > Herb Martin
    > > >
    > > >
    > >
    > >
    >
    >
  47. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <eXUZ0aF9EHA.936@TK2MSFTNGP12.phx.gbl>, Roger Abell
    <mvpNOSpam@asu.edu> Thu, 6 Jan 2005 18:20:50 writes

    >> - not to mention the confusion to the poor punter like me, who
    >> expects that if I then remove a user from being a member of Users then
    >> he stops being a member of Users.
    >>
    >Once more, if you do not let INTERACTIVE and/or Authenticated Users be
    >a member of Users, then removing an account from the Users group does
    >in fact stop that account from being a member of Users. If INTERACTIVE
    >is a member of Users, then as soon as an account has logged in locally
    >INTERACTIVE is replaced by that account, making the account a member of
    >Users. Similarly with Authenticated Users, except that as soon as an
    >account has authenticated it becomes a member of Authenticated Users,
    >and hence of Users. You can remove these from Users if you do not want
    >this behavior.

    I think I will take you up on that suggestion the next time I want to
    secure a PC in similar circumstances. I see from another of your
    replies that its removal can have repercussions on Guests but that is of
    no concern.

    It is simple when you know how!

    (I still think it is wrong for MS to set, by default, BOTH a user
    explicitly into Users and INTERACTIVE/Authenticated also into Users - do
    one or the other but not both. Having said it many times in this thread
    and been outvoted, I will now stop <bg>)

    PS - just been reading another of your replies, so maybe not completely
    outvoted. You wrote:-

    >I have for years been very vocal with MS that having these two in the
    >default membership of Users is wrong, that it obviates just what Users
    >should be about, and that it makes extra work for corps where specific
    >accounts and only those accounts are supposed to be allowed to log in
    >at specific machines.
    --
    Les Desser
    (The Reply-to address IS valid)
  48. Archived from groups: microsoft.public.win2000.security (More info?)

    In article <OuFVOhF9EHA.2316@TK2MSFTNGP15.phx.gbl>, Roger Abell
    <mvpNOSpam@asu.edu> Thu, 6 Jan 2005 18:32:18 writes

    >> NT AUTHORITY\Authenticated Users (S-1-5-11)
    >> NT AUTHORITY\INTERACTIVE (S-1-5-4)
    >>
    >> (not sure of the bits in brackets)
    >>
    >
    >They are called the SIDs.

    [Snip details]

    Thanks. I have seen SIDs mentioned but need to read more :)
    >>
    >> I see I have stepped into a minefield - and the quicker I depart the
    >> healthier it would be :)
    >>
    >
    >Not necessarily.

    [....]

    Thanks for your support.
    >>
    >> I have kept this and several other posts for further reading. Should
    >> keep me out of mischief for a while.
    > . . . and if they do not, just remember the link www.reskits.com

    Duly noted. Thanks again.
    --
    Les Desser
    (The Reply-to address IS valid)
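    A way to see both mechanisms from posts 47 and 48 on a live machine, as an added example that is not from the thread: it reads the current logon token for the well-known SIDs named above and then checks whether the local Users group still nests INTERACTIVE and Authenticated Users. It assumes Windows PowerShell 5.1 or later (Get-LocalGroupMember comes from its LocalAccounts module); the `net localgroup` removal it prints is the approach Roger describes and must be run as an administrator.

```powershell
# Added example (not from the thread). Shows why an account removed from the
# local Users group can still be treated as a Users member: the logon token
# carries INTERACTIVE (S-1-5-4) and Authenticated Users (S-1-5-11), and by
# default both are nested in BUILTIN\Users (S-1-5-32-545).
# Assumes Windows PowerShell 5.1+ (LocalAccounts module for Get-LocalGroupMember).

# Well-known SIDs discussed in the thread.
$WellKnown = @{
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# 1. What the logon token of the current account actually contains.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }

Write-Host "Logged on as: $($identity.Name)"
foreach ($sid in $WellKnown.Keys) {
    $present = $tokenSids -contains $sid
    Write-Host ("  {0,-34} {1,-13} in token: {2}" -f $WellKnown[$sid], $sid, $present)
}

# 2. Is the Users membership arriving through nesting rather than an explicit
#    entry? List the local Users group and flag the two well-known groups.
$members = Get-LocalGroupMember -Group 'Users'
$nested  = $members | Where-Object { $_.SID.Value -in @('S-1-5-4', 'S-1-5-11') }

if ($nested) {
    Write-Host "`nUsers group nests:"
    $nested | ForEach-Object { Write-Host "  $($_.Name) ($($_.SID.Value))" }
    Write-Host "Removing an account from Users will NOT stop it being a Users member."
    Write-Host "To change that (Roger's approach; note the effect on Guests), run as admin:"
    Write-Host '  net localgroup Users "NT AUTHORITY\INTERACTIVE" /delete'
    Write-Host '  net localgroup Users "NT AUTHORITY\Authenticated Users" /delete'
} else {
    Write-Host "`nUsers group does not nest INTERACTIVE or Authenticated Users;"
    Write-Host "explicit membership is the only membership."
}
```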
  49. Archived from groups: microsoft.public.win2000.security (More info?)

    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:#bstCBc9EHA.1300@TK2MSFTNGP14.phx.gbl...
    > It just seems to me now that you are confusing the
    > SOA with the SOA RR

    Of course I am talking about the SOA record.

    What distinction are you making?


    > All copies of the zone hold the SOA RR
    > Only on a primary does the SOA RR name that
    > DNS server as SOA
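    The test the two posters converge on, as an added example that is not from the thread: every authoritative server answers with an SOA RR (so "holds an SOA" says nothing about primary versus secondary), but only a primary names itself in the SOA's MNAME field, and with several AD-integrated primaries each server answers with its own MNAME. The function defaults to Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later); the zone, host names and records in the sample are constructed so the logic can be run offline.

```powershell
# Added example (not from the thread). For each NS of a zone, ask that server for
# the SOA and compare the MNAME (PrimaryServer) with the server queried.
function Get-ZonePrimaries {
    param(
        [Parameter(Mandatory)] [string] $Zone,
        # Resolver abstraction: default queries real DNS via Resolve-DnsName;
        # a script block returning constructed records lets this run offline.
        [scriptblock] $Query = {
            param($Name, $Type, $Server)
            if ($Server) { Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly }
            else         { Resolve-DnsName -Name $Name -Type $Type -DnsOnly }
        }
    )
    $nsHosts = (& $Query $Zone 'NS' $null) | Where-Object Type -eq 'NS' | ForEach-Object NameHost
    foreach ($ns in $nsHosts) {
        $soa = (& $Query $Zone 'SOA' $ns) | Where-Object Type -eq 'SOA' | Select-Object -First 1
        [pscustomobject]@{
            Server    = $ns
            HoldsSOA  = [bool]$soa        # true on every authoritative copy, secondaries included
            MName     = $soa.PrimaryServer
            IsPrimary = [bool]($soa -and ($soa.PrimaryServer.TrimEnd('.') -ieq $ns.TrimEnd('.')))
        }
    }
}

# Constructed sample (hypothetical zone and hosts): ns1 and ns2 are AD-integrated
# primaries that each name themselves; ns3 is a conventional secondary carrying ns1's SOA.
$sample = @{
    NS  = @([pscustomobject]@{ Type = 'NS'; NameHost = 'ns1.example.test' },
            [pscustomobject]@{ Type = 'NS'; NameHost = 'ns2.example.test' },
            [pscustomobject]@{ Type = 'NS'; NameHost = 'ns3.example.test' })
    SOA = @{
        'ns1.example.test' = [pscustomobject]@{ Type = 'SOA'; PrimaryServer = 'ns1.example.test' }
        'ns2.example.test' = [pscustomobject]@{ Type = 'SOA'; PrimaryServer = 'ns2.example.test' }
        'ns3.example.test' = [pscustomobject]@{ Type = 'SOA'; PrimaryServer = 'ns1.example.test' }
    }
}
$offline = { param($Name, $Type, $Server) if ($Type -eq 'NS') { $sample.NS } else { $sample.SOA[$Server] } }

# All three rows show HoldsSOA = True; only ns1 and ns2 show IsPrimary = True.
Get-ZonePrimaries -Zone 'example.test' -Query $offline | Format-Table -AutoSize
```

Drop the `-Query` argument to run the same check against a real zone you administer.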