Group permissions

How do you set/modify permissions in a group? Unless I completely skipped over a few pages, this Sybex books leaves it out. It tells how to create/delete, and add users to groups, but not how to actually set the permissions on the groups.

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

Orion82698

Well, once you have created the group and added the correct users to that group, you would then under the folder you wish to share out and give access to, right click>select properties. Select security>add>browse your domain (or workgroup) and select the group. You would then select the permissions you wish the group to have. Remember, when mixing NTFS and Share permissions, the most restrictive is the one that will take.

i.e

Share permissions are read only

NTFS permissions for a group are set to Modify

The group would have Read only.

The default for Share permissions is set to the Everyone group and Full controll. This way, by default, NTFS permissions are what takes.

Cool?

C

/usr

Thanks for the reply, but what about disabling certain items for a group, such as the Run command.

Orion82698

Well, it then depends on if you are a domain or workgroup based. If you were a domain, you would do this through a GPO (group policy). You would create the user account, create a group, add the user to the group, create and OU (organizational unit) and add the group to the OU. Then on the OU, create a group policy. It goes really in depth from here. If you are studying 70-210, don't focus too much on GPO's. Leave that for 70-215. It will explain it all then.

/usr

I'm studying 70-270 and just want to know how to apply this locally. Would I just use an LGPO if I was doing it in a Workgroup then?

I just picked that example at random. I see a bunch of things to set in the Local Policy snap-in and wondered where the rest of the items were. A lot of times accessing Run on a public machine is prohibited. Just wondered where the setting was.

Orion82698

Check out this link. It has a document that will explain it all. The best thing I can tell you, is to get two cheap machines, get yourself a eval copy of 2000/2003 and test things out. That is how I learned. Good luck to you!

http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Orion82698

No problem

For a LGPO, open a MMC and select User configuration. Drill down through Administrative templates>start menu and task bar. In there you will find "remove run menu from start menu". It's the same for a domain GPO as well. It also doesn't matter from XP/2000 or 2000/2003 server. 2003 just has some more advantages, from what I see.

C

garv221

I have set computers up with local security for public computers labs. I just use gpedit.msc & prevent access to the group policy folder in system32 who you DO NOT want the policy to apply too, for eveyone else- the policy you create applys- just like AD. Then change around settings in gpedit.msc like "prevent access to C:\" stuff like that. Works great with Ghost.

lazyart

garv221 wrote:

& prevent access to the group policy folder in system32 who you DO NOT want the policy to apply to

How clever.