Membership -- local built-in group Users -- NTFS permissions

CVdhCVdh Registered Users Posts: 1 ■□□□□□□□□□
Dear,

Can somebody help me?

My initial admin account (made with the installation of windows7) is Marie.
When I look at the Local Users and Groups snap-in of MMC, she's member of the group administrators but not of the group Users.

BUT
then I made a folder "Test".
I disabled the inheritance.
Then I gave the group Users deny permissions of this folder.
The administrators group I gave full control permissions.

The strange thing is that Marie gets also deny permissions though she's not a member of the local group Users but she's member of the group Administrators.

Can somebody give me an anwser on this problem?

Thanks in advance!!

Kind Regards.

Comments

  • NamaSayaRubenNamaSayaRuben Member Posts: 23 ■□□□□□□□□□
    CVdh wrote: »
    Dear,

    Can somebody help me?

    My initial admin account (made with the installation of windows7) is Marie.
    When I look at the Local Users and Groups snap-in of MMC, she's member of the group administrators but not of the group Users.

    BUT
    then I made a folder "Test".
    I disabled the inheritance.
    Then I gave the group Users deny permissions of this folder.
    The administrators group I gave full control permissions.

    The strange thing is that Marie gets also deny permissions though she's not a member of the local group Users but she's member of the group Administrators.

    Can somebody give me an anwser on this problem?

    Thanks in advance!!

    Kind Regards.

    That's interesting. I remember having an odd experience with NTFS when Windows 2000 came out. Instead of reapplying my security token at login, it applied with permissions immediately. Even our MCSE, MCT instructor was puzzled about that. Let me see if I can replicate this though. Naturally I would have assumed the user was a member of the users group, but you noted it wasn't.

    Edit:

    I tested it. It seems if you Deny "READ" to the User Group the Admin seems to still have access directly. However if you Deny all the permissions "Full Control" the Admin no longer has access. That's an interesting find. Perhaps I am unaware of something here myself. I've often found that Deny is something you use very sparingly and it sometimes benefits to just deny a specific user rather than a group. Or just remove the group or user completely from the folder ACL. The Windows 7 Exam didn't really hit too many NTFS questions other than the standard move and copy scenarios and share permissions applying over the network.

    I'm going to play with the settings a bit though I am intrigued myself. As I said though, if you are studying for your exam, don't get hung up on this one thing too long.
  • NamaSayaRubenNamaSayaRuben Member Posts: 23 ■□□□□□□□□□
    I did a little research. From what others have experienced this seems oddly, well...normal. Most seem to indicate that since the Administrator is still considered a "User" the Deny permission will apply to him as well. I find this a little odd myself.

    But it is still odd that I had access as admin if only the "read" permission was denied.

    Re: You have been denied permission to access... - Microsoft Windows Vista Community Forums - Vistaheads

    Denying "User" account access also denies Admin account - Microsoft Answers
  • NamaSayaRubenNamaSayaRuben Member Posts: 23 ■□□□□□□□□□
    This is what the permissions look like to my admin account if you only DENY the "READ" permission to the Users group.

    This is what the permissions look like to my admin account if you DENY all permissions "Full Control" to the Users group.
  • undomielundomiel Member Posts: 2,818
    Run "whomai /groups" and you'll see what the default group membership looks for a user. You'll most likely find that the user is showing as a member of the Users group. Run a "net localgroup users" and you should find that Authenticated Users are a member of the Users group. That would be where the membership in the Users group is coming from. As for the original task of denying Users group members access to a folder I would recommend just removing their permissions to the folder. Deny is a very dangerous permission as it overrides allow. In most cases it is much better, safer and easier to just remove the allow permission. It will make your troubleshooting a whole lot easier as well.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • humdingy02humdingy02 Member Posts: 35 ■■□□□□□□□□
    This may be a Windows 7 / UAC issue. Users run most applications as a standard user, even if they're in the Administrators group. That's why you sometimes need to right click an app and select "Run as Administrator", even though you technically are an administrator.
    Try opening Windows Explorer with the Run as Administrator option.
    WGU - BS, IT Security (starting Feb 1st, 2012)
    Remaining: LUT1,QBT1,DFV1,BOV1,HHT1,QLT1,RIT1,IWC1,IWT1,DJV1,KET1,TPV1,MGC1,CVV1,CJV1,KFT1,CNV1,SBT1,RGT1
    Completed: WFV1,CLC1,INT1,CUV1,CQV1,BNC1,GAC1
    Transferred: AGC1,BBC1,LAE1,AXV1,CPV1,INC1,CSV1,COV1,CTV1,DHV1,BVC1
  • NamaSayaRubenNamaSayaRuben Member Posts: 23 ■□□□□□□□□□
    undomiel wrote: »
    Run "whomai /groups" and you'll see what the default group membership looks for a user. You'll most likely find that the user is showing as a member of the Users group. Run a "net localgroup users" and you should find that Authenticated Users are a member of the Users group. That would be where the membership in the Users group is coming from. As for the original task of denying Users group members access to a folder I would recommend just removing their permissions to the folder. Deny is a very dangerous permission as it overrides allow. In most cases it is much better, safer and easier to just remove the allow permission. It will make your troubleshooting a whole lot easier as well.

    The whoami command is perfect, and indeed does show Users as a "mandatory group" for the account. Thanks for pointing that out.icon_cheers.gif
Sign In or Register to comment.