File permissions

Posted on 2003-10-21
Last Modified: 2013-12-04
When I set the file permissions of any directory to "Deny" the permission "List Folder Contents" for members of the group "Users", it stops me, a person who is only a member of the group "Administrators", from viewing the contents of that directory.

Why is this happening?
Question by:cweeks
10 Comments
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9595445
This would most likely be because you are part of the Users group as well as the Administrators group.
Try this from the command prompt to check if you are part of the users group ..
>net localgroup users

If you need to remove yourself from the users group use this command ..
>net localgroup users username /del     <--- substitute your username for username
0
 

Author Comment

by:cweeks
ID: 9597130
It doesn't appear that I am a member of the group "Users"; here is the output from the command you mentioned:

C>net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-
wide changes.  Thus, Users can run certified applications, but not most legacy a
pplications

Members

-------------------------------------------------------------------------------
Chris Weeks
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
The command completed successfully.


0
 

Author Comment

by:cweeks
ID: 9597135
btw I am Cameron Weeks
0
 
LVL 49

Expert Comment

by:Akhater
ID: 9597366
What is happening is very normal, because you are also part of the Users group (the Users group is a special group and every local user is automatically added to this group).

Anyway, you do not need to give Deny permission (since this permission overrides ALL other permissions). It is enough to give permission only to the group you want to access this folder, and all other groups will have implicit deny. So right-click on the folder, go to Properties, then Permissions, and make sure you have only the group you want to give access listed, and grant it the wanted permission. Don't give any permission to anyone else (this is what is called implicit deny).

You should be careful using the Deny permission (or explicit deny) since it overrides all other permissions.

Hope this Helps

Regards,
0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9599552
If you want to use Deny permissions remove yourself from all groups other than the administrators group.

Domain: Active Directory, Users and Computers, User, Member of Tab
Or
Local: Right Click on My Computer, Manage, Local Users and Groups, Users, User, Member of Tab
0
 

Author Comment

by:cweeks
ID: 9620488
To bkoehler-mpr, I have already used the "Computer Management" program to verify what groups I am in, and it very definitely only has me down as a member of "Administrators". I am not a member of "Users". This is what prompted the original question, as it seems totally incorrect to me that affecting the permission for the group "Users" should in any way affect me. According to Akhater everyone is a member of "Users" even though XP does not list me as such; in fact even the "Effective permissions" tab suggests I still have full access for any given directory that I have chosen to deny "Users" some access to. However, when it actually comes to accessing the directory it is a totally different story.

If Akhater is correct, then XP has a very confusing way of showing that I am actually a member of "Users"; it seems to do this by in fact showing that I am not a member of "Users".

Regardless of this, I will explain what I am actually trying to achieve. I am trying to stop "Users" from poking around on my hard drive. My idea is to hide all files such as those in the "Program Files" directory; however, I don't want to stop "Users" from executing and using programs in those directories. The "user" concerned will only have access to these programs via shortcuts on their start menu. I realise people could guess at paths and file names to gain access, but that doesn't really bother me. Getting to Akhater's suggestion of explicit deny, I don't want to have to sort through all the various directories in "Program Files" and remove "Users" permissions from them.

Can my idea be done?

And do I really have a problem with XP thinking I am actually in the Users group when I am not? Akhater, do you have any documentation to back your suggestion up? Sorry to be a doubting Thomas but it doesn't really seem to fit.

Best regards, Cam..

0
 
LVL 49

Accepted Solution

by:
Akhater earned 800 total points
ID: 9620593
Regarding what you are trying to do, there is no need to bother, since the Users group only has Read & Execute permission on the Program Files directory by default, meaning that the users can only browse the Program Files directory and execute programs from it but cannot mess with it.

Now, if you are in a domain you could also implement a group policy that will restrict users' access to drive C:, thus disabling the users from browsing the directory also, but anyway giving them Deny access will leave them unable to execute programs also.

Regarding what I said and you didn't like, I have no documents, but I have been teaching that stuff for 4 years and I know what I am talking about. Anyway, here is some explanation.

If you open the Users group you will notice that the "Authenticated Users" system group is part of it, and that means (in two words) that any user authenticated from your computer will be a member of the Users group. The user you are logging on with (even if he is not explicitly part of the Users group) has been authenticated by your computer and thus is part of the Users group, and since you are denying access to the Users group you are also denying access to yourself, since the Deny permission overrides all other permissions.

Hope this Helps


Regards
0
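
Added example (not part of any post in this thread, and not Windows' own code): a simplified Python model of what the accepted answer describes, showing how "Users" ends up in the logon token through "Authenticated Users" even though the direct member list omits the account, and how an explicit deny then beats the Administrators allow. The "Users" members are taken from the `net localgroup` output above; the Administrators membership, the ACL contents and the right names are assumptions constructed for illustration.

```python
# Simplified model of logon-token group expansion and DACL evaluation.
# Group members follow the thread; ACL contents are constructed for illustration.
AUTH_USERS = "NT AUTHORITY\\Authenticated Users"
INTERACTIVE = "NT AUTHORITY\\INTERACTIVE"

# Direct members only, which is all "net localgroup" or Computer Management shows.
LOCAL_GROUPS = {
    "Administrators": {"Cameron Weeks"},  # assumed from the author's description
    "Users": {"Chris Weeks", AUTH_USERS, INTERACTIVE},
}

def build_token(user):
    """Identities in the token of an authenticated, interactive local logon."""
    sids = {user, AUTH_USERS, INTERACTIVE}
    changed = True
    while changed:  # repeat so groups nested inside groups are picked up
        changed = False
        for group, members in LOCAL_GROUPS.items():
            if group not in sids and members & sids:
                sids.add(group)
                changed = True
    return sids

def access_check(token, dacl, wanted):
    """Walk ACEs in canonical order (deny first); a matching deny ends the check."""
    granted = set()
    for kind, trustee, rights in sorted(dacl, key=lambda ace: ace[0] != "deny"):
        if trustee not in token:
            continue
        if kind == "deny" and rights & wanted:
            return False
        if kind == "allow":
            granted |= rights & wanted
        if granted == wanted:
            return True
    return False  # nothing granted the request: implicit deny

LIST = {"list_folder"}
DACL_WITH_DENY = [("allow", "Administrators", {"list_folder", "write"}),
                  ("deny", "Users", {"list_folder"})]
DACL_ALLOW_ONLY = [("allow", "Administrators", {"list_folder", "write"})]

if __name__ == "__main__":
    admin = build_token("Cameron Weeks")
    print("Users" in admin)
    print(access_check(admin, DACL_WITH_DENY, LIST))
    print(access_check(admin, DACL_ALLOW_ONLY, LIST))
    print(access_check(build_token("Chris Weeks"), DACL_ALLOW_ONLY, LIST))
```

On a real system, `whoami /groups` lists the group SIDs actually present in the current token, which is the list the access check uses rather than the direct membership shown in the group's member list.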
 

Author Comment

by:cweeks
ID: 9620947
Akhater, many thanks for the patience and bearing with me. I faintly suspected the "Authenticated Users" would lie at the bottom of it, but it seemed very odd to have the "Computer Management" program and the effective permissions tab ignore this little but seemingly very important loophole, or is it just me?

The question that now begs is: what is a non-authenticated user? A Guest user?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 9621053
Well, a non-authenticated user is a ............ non-authenticated user :) It could be a guest user or an anonymous user.
0
 

Author Comment

by:cweeks
ID: 9622644
OK understood, thanks for the help.
0
