Do all login users secretly belong to the Users group?
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
I create a new user, make it a member of the Guests group and explicitly
remove it
from the Users group (so that the new user is a member of the Guests group
and no other group).
Strangely this new user has the "effective permissions" to "read & execute"
a file as if it was in the Users group. This is very odd behaviour.
My file has an ACL with "full control" ACEs for
SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
execute" ACE for the "Users" group (and no other ACEs).
Also if I log on as the new user in the Guests group I can read the file too.
What is going on?
I create a new user, make it a member of the Guests group and explicitly
remove it
from the Users group (so that the new user is a member of the Guests group
and no other group).
Strangely this new user has the "effective permissions" to "read & execute"
a file as if it was in the Users group. This is very odd behaviour.
My file has an ACL with "full control" ACEs for
SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
execute" ACE for the "Users" group (and no other ACEs).
Also if I log on as the new user in the Guests group I can read the file too.
What is going on?
More about : login users secretly belong users group
Archived from groups: microsoft.public.win2000.security (More info?)
No. There is nothing at all secret about membership of Users group.
Look at it. You will see either Authenticated Users or INTERACTIVE
or both. An account is useless for console login if it is not a Users
member. This is what INTERACTIVE guarantees.
In today's world, with a default install configuration, Users is very
little different from Everyone (if anonymous is not in Everyone).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
> I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
too.
>
> What is going on?
>
No. There is nothing at all secret about membership of Users group.
Look at it. You will see either Authenticated Users or INTERACTIVE
or both. An account is useless for console login if it is not a Users
member. This is what INTERACTIVE guarantees.
In today's world, with a default install configuration, Users is very
little different from Everyone (if anonymous is not in Everyone).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
> I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
too.
>
> What is going on?
>
Archived from groups: microsoft.public.win2000.security (More info?)
from the description of the guests group:
"Guests have the same access as members of the Users group by default,
except for the Guest account which is further restricted"
i seem to remember something about this happens because 'authenticated
users' is part of the users group or some such thing like that. but i
wouldn't try removing that, it may have other undesired effects.
"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
>I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
> execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
> too.
>
> What is going on?
>
from the description of the guests group:
"Guests have the same access as members of the Users group by default,
except for the Guest account which is further restricted"
i seem to remember something about this happens because 'authenticated
users' is part of the users group or some such thing like that. but i
wouldn't try removing that, it may have other undesired effects.
"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
>I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
> execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
> too.
>
> What is going on?
>
Archived from groups: microsoft.public.win2000.security (More info?)
Roger explained why this is happening. Avoid using users/authenticated users
[though authenticated users is more restrictive than users] group when you
want to restrict access to folder/file. You could use explicit deny for a
group like guests or better yet create your own groups to grant access to
the folder/file to that specific group that does not include members you do
not want to have access. When you logon as a user you create you can use the
command "whoami /groups" to see the various groups that the user belongs to.
You may need to install the support tools to use whoami. --- Steve
"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
>I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
> execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
> too.
>
> What is going on?
>
Roger explained why this is happening. Avoid using users/authenticated users
[though authenticated users is more restrictive than users] group when you
want to restrict access to folder/file. You could use explicit deny for a
group like guests or better yet create your own groups to grant access to
the folder/file to that specific group that does not include members you do
not want to have access. When you logon as a user you create you can use the
command "whoami /groups" to see the various groups that the user belongs to.
You may need to install the support tools to use whoami. --- Steve
"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
>I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
> execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
> too.
>
> What is going on?
>
Related ressources:
- ForumUsers can't allow Adobe & Java updates, propmts for an admin login
- ForumUsers Group
- ForumDisplaying domain users and groups they belong to in list
- ForumLogon issues with Domain Users group
- ForumAll your Macs are belong to us...
- ForumUsers and USB memory sticks
- ForumChanged computer users to work group but now it wont let me log in because it ca
- ForumLogin name is not same as username
- Forumlimit domain user login to specific group on 2 xp machines
- Forumuser group set not login in local, why administrator also ..
- ForumUsers can not login
- ForumPreventing users from closing the login script button
- ForumPower Users Group
- ForumPreventing users from closing the login script
- ForumGroup Policy effects on All Users
- ForumUsers can login , but not logout
- ForumNo users can access 'Shared Documents' folder
- Forumusers last login time
- ForumParallel and com ports not appearing in device manager
- ForumProper Settings for Group Policy
- More resources
!
