Do all login users secretly belong to the Users group?

Anonymous
May 12, 2005 3:24:04 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I create a new user, make it a member of the Guests group and explicitly
remove it from the Users group (so that the new user is a member of the
Guests group and no other group).

Strangely this new user has the "effective permissions" to "read & execute"
a file as if it was in the Users group. This is very odd behaviour.

My file has an ACL with "full control" ACEs for
SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
execute" ACE for the "Users" group (and no other ACEs).

Also if I log on as the new user in the Guests group I can read the file too.

What is going on?
Anonymous
May 12, 2005 5:08:46 PM

No. There is nothing at all secret about membership of Users group.
Look at it. You will see either Authenticated Users or INTERACTIVE
or both. An account is useless for console login if it is not a Users
member. This is what INTERACTIVE guarantees.

In today's world, with a default install configuration, Users is very
little different from Everyone (if anonymous is not in Everyone).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
> I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
> execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
> too.
>
> What is going on?
>
May 12, 2005 6:39:52 PM

From the description of the Guests group:
"Guests have the same access as members of the Users group by default,
except for the Guest account which is further restricted"

I seem to remember something about this happening because 'Authenticated
Users' is part of the Users group or some such thing like that. But I
wouldn't try removing that; it may have other undesired effects.

"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
> I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
> execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
> too.
>
> What is going on?
>
Anonymous
May 13, 2005 4:27:48 AM

Roger explained why this is happening. Avoid using the Users/Authenticated Users
[though Authenticated Users is more restrictive than Users] group when you
want to restrict access to a folder/file. You could use an explicit deny for a
group like Guests or, better yet, create your own groups to grant access to
the folder/file to that specific group that does not include members you do
not want to have access. When you log on as a user you create, you can use the
command "whoami /groups" to see the various groups that the user belongs to.
You may need to install the support tools to use whoami. --- Steve


"sparky62" <sparky62@discussions.microsoft.com> wrote in message
news:095DFEA0-C5A2-4C38-8549-D60C4E32B5A8@microsoft.com...
> I create a new user, make it a member of the Guests group and explicitly
> remove it
> from the Users group (so that the new user is a member of the Guests group
> and no other group).
>
> Strangely this new user has the "effective permissions" to "read &
> execute"
> a file as if it was in the Users group. This is very odd behaviour.
>
> My file has an ACL with "full control" ACEs for
> SYSTEM, Administrators and CURRENT OWNER (Administrator), and a "read &
> execute" ACE for the "Users" group (and no other ACEs).
>
> Also if I log on as the new user in the Guests group I can read the file
> too.
>
> What is going on?
>
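
Added example (not part of the original thread or any poster's code): a simplified Python model of how a logon token picks up Users through Authenticated Users/INTERACTIVE, and how the explicit deny and own-group approaches from the last reply change the result for the file's ACL. The account names `newuser` and `alice`, the group `FileReaders`, and the toy access masks are assumptions; real Windows works on SIDs.

```python
# Simplified model of logon-token group expansion and DACL evaluation.
# Names stand in for SIDs; memberships and masks are constructed for illustration.
LOCAL_GROUPS = {
    "Users": {"Authenticated Users", "INTERACTIVE"},  # members named in the thread
    "Guests": {"newuser"},                            # the asker's test account
    "Administrators": {"Administrator"},
    "FileReaders": {"alice"},                         # hypothetical custom group
}
READ_EXECUTE, FULL_CONTROL = 0b01, 0b11               # toy access masks

def build_token(account, interactive=True):
    """Return every identity the logon session carries."""
    ids = {account, "Everyone", "Authenticated Users"}
    if interactive:
        ids.add("INTERACTIVE")
    # A local group joins the token when ANY identity already in it is a member,
    # so removing the account itself from Users changes nothing.
    added = True
    while added:
        added = False
        for group, members in LOCAL_GROUPS.items():
            if group not in ids and members & ids:
                ids.add(group)
                added = True
    return ids

def access_check(token, dacl, wanted):
    """Walk ACEs in order: a matching deny fails at once, allows accumulate."""
    remaining = wanted
    for kind, trustee, mask in dacl:
        if trustee not in token:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

BASE = [("allow", "SYSTEM", FULL_CONTROL), ("allow", "Administrators", FULL_CONTROL),
        ("allow", "Administrator", FULL_CONTROL)]
ORIGINAL = BASE + [("allow", "Users", READ_EXECUTE)]         # ACL from the question
WITH_DENY = [("deny", "Guests", FULL_CONTROL)] + ORIGINAL    # explicit deny, listed first
OWN_GROUP = BASE + [("allow", "FileReaders", READ_EXECUTE)]  # Users ACE replaced

if __name__ == "__main__":
    token = build_token("newuser")
    print(sorted(token))
    for name, dacl in [("original", ORIGINAL), ("deny", WITH_DENY), ("own group", OWN_GROUP)]:
        print(name, access_check(token, dacl, READ_EXECUTE))
```

On a real system, compare the model's token with the output of "whoami /groups" for the test account.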