Do all login users secretly belong to the Users group?

Archived from groups: microsoft.public.win2000.security

I create a new user, make it a member of the Guests group and explicitly
remove it from the Users group (so that the new user is a member of the
Guests group and no other group).

Strangely this new user has the "effective permissions" to "read & execute"
a file as if it was in the Users group. This is very odd behaviour.

My file has an ACL with "full control" ACEs for
SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
execute" ACE for the "Users" group (and no other ACEs).

Also if I log on as the new user in the Guests group I can read the file too.

What is going on?
  1.

    No. There is nothing at all secret about membership of Users group.
    Look at it. You will see either Authenticated Users or INTERACTIVE
    or both. An account is useless for console login if it is not a Users
    member. This is what INTERACTIVE guarantees.

    In today's world, with a default install configuration, Users is very
    little different from Everyone (if anonymous is not in Everyone).

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
  2.

    From the description of the Guests group:
    "Guests have the same access as members of the Users group by default,
    except for the Guest account which is further restricted"

    I seem to remember something about this happening because 'Authenticated
    Users' is part of the Users group or some such thing like that. But I
    wouldn't try removing that; it may have other undesired effects.

  3.

    Roger explained why this is happening. Avoid using the Users/Authenticated
    Users [though Authenticated Users is more restrictive than Users] group when
    you want to restrict access to a folder/file. You could use an explicit deny
    for a group like Guests or, better yet, create your own groups to grant
    access to the folder/file to that specific group that does not include
    members you do not want to have access. When you log on as a user you create,
    you can use the command "whoami /groups" to see the various groups that the
    user belongs to. You may need to install the support tools to use whoami.
    --- Steve


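The behaviour discussed in the replies can be reproduced with a small model of how a logon token's group list meets the file's ACL. This is an added example, not part of the original thread: a simplified Python model of the access check, with the default Users membership taken from Roger's reply and the names `newuser`, `alice` and `ReportReaders` invented for illustration.

```python
# Simplified model (added example): group expansion at logon plus an ordered ACL walk.
READ_EXECUTE, FULL_CONTROL = 0b01, 0b11

# Local groups; Users holds INTERACTIVE / Authenticated Users as described in the thread.
LOCAL_GROUPS = {
    "Users": {"Authenticated Users", "INTERACTIVE"},
    "Guests": {"newuser"},                 # constructed account from the question
    "Administrators": {"Administrator"},
    "ReportReaders": {"alice"},            # hypothetical purpose-built group
}

def build_token(user, groups=LOCAL_GROUPS, interactive=True):
    """Identities attached at logon, then every local group reached through them."""
    sids = {user, "Everyone", "Authenticated Users"}
    if interactive:
        sids.add("INTERACTIVE")
    changed = True
    while changed:                         # repeat until no new group is added
        changed = False
        for group, members in groups.items():
            if group not in sids and members & sids:
                sids.add(group)
                changed = True
    return sids

def access_check(token, dacl, desired):
    """Walk ACEs in order; a matching deny on a still-ungranted bit ends the check."""
    granted = 0
    for ace_type, trustee, mask in dacl:
        if trustee not in token:
            continue
        if ace_type == "deny" and mask & desired & ~granted:
            return False
        if ace_type == "allow":
            granted |= mask & desired
        if granted == desired:
            return True
    return False

# The ACL from the question, then the two fixes suggested in the third reply.
ORIGINAL_DACL = [
    ("allow", "SYSTEM", FULL_CONTROL),
    ("allow", "Administrators", FULL_CONTROL),
    ("allow", "Administrator", FULL_CONTROL),      # current owner
    ("allow", "Users", READ_EXECUTE),
]
DENY_GUESTS_DACL = [("deny", "Guests", FULL_CONTROL)] + ORIGINAL_DACL
CUSTOM_GROUP_DACL = ORIGINAL_DACL[:3] + [("allow", "ReportReaders", READ_EXECUTE)]

if __name__ == "__main__":
    token = build_token("newuser")
    print(sorted(token))
    for name, dacl in [("original", ORIGINAL_DACL), ("deny Guests", DENY_GUESTS_DACL),
                       ("custom group", CUSTOM_GROUP_DACL)]:
        print(name, access_check(token, dacl, READ_EXECUTE))
```

On a real system, the list printed for `newuser` corresponds to what `whoami /groups` shows after logging on as that account.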