Solved

File permissions

Posted on 2003-10-21
Last Modified: 2013-12-04
When I set the file permissions of any directory to "Deny" the permission "List Folder Contents" for members of the group "Users", it stops me, a person who is only a member of the group "Administrators", from viewing the contents of that directory.

Why is this happening?
0
Question by:cweeks
10 Comments
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9595445
This would most likely be because you are part of the Users group as well as the Administrators group.
Try this from the command prompt to check if you are part of the users group ..
>net localgroup users

If you need to remove yourself from the users group use this command ..
>net localgroup users username /del     <--- substitute your username for username
0
 

Author Comment

by:cweeks
ID: 9597130
It doesn't appear that I am a member of the group "Users"; here is the output from the command you mentioned.

C>net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-
wide changes.  Thus, Users can run certified applications, but not most legacy a
pplications

Members

-------------------------------------------------------------------------------
Chris Weeks
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
The command completed successfully.


0
 

Author Comment

by:cweeks
ID: 9597135
btw I am Cameron Weeks
0

 
LVL 49

Expert Comment

by:Akhater
ID: 9597366
What is happening is very normal, because you are also part of the users group (the users group is a special group and every local user is automatically added to this group).

Anyway, you do not need to give Deny permission (since this permission overrides ALL other permissions); it is enough to only give permission to the group you want to access this folder, and all other groups will have Implicit Deny. So right click on the folder, Properties, go to permission, and make sure you have only the group you want to give access listed and grant to it the wanted permission; don't give any permission to anyone else (this is what is called implicit deny).

You should be careful using the Deny permission (or explicit deny) since it overrides all other permissions.

Hope this Helps

Regards,
0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9599552
If you want to use Deny permissions remove yourself from all groups other than the administrators group.

Domain: Active Directory, Users and Computers, User, Member of Tab
Or
Local: Right Click on My Computer, Manage, Local Users and Groups, Users, User, Member of Tab
0
 

Author Comment

by:cweeks
ID: 9620488
To bkoehler-mpr, I have already used the "Computer Management" program to verify what groups I am in, and it very definitely only has me down as a member of "Administrators". I am not a member of "Users". This is what prompted the original question, as it seems totally incorrect to me that affecting the permission for the group "Users" should in any way affect me. According to Akhater everyone is a member of "Users" even though XP does not list me as such; in fact even the "Effective permissions" tab suggests I still have full access for any given directory that I have chosen to deny "Users" some access to, however when it actually comes to accessing the directory it is a totally different story.

If Akhater is correct, then XP has a very confusing way of showing that I am actually a member of "Users"; it seems to do this by in fact showing that I am not a member of "Users".

Regardless of this, I will explain what I am actually trying to achieve. I am trying to stop "Users" from poking around on my hard drive. My idea is to hide all files such as those in the "Program Files" directory, however I don't want to stop "Users" from executing and using programs in those directories. The "user" concerned will only have access to these programs via shortcuts on their start menu. I realise people could guess at paths and file names to gain access, but that doesn't really bother me. Getting to Akhater's suggestion of explicit deny, I don't want to have to sort through all the various directories in "program files" and remove "Users" permissions from them.

Can my idea be done?

And do I really have a problem with XP thinking I am actually in the users group when I am not? Akhater, do you have any documentation to back your suggestion up? Sorry to be a doubting Thomas but it doesn't really seem to fit.

Best regards, Cam..

0
 
LVL 49

Accepted Solution

by:
Akhater earned 200 total points
ID: 9620593
Regarding what you are trying to do, no need to bother, since the users group only has Read & Execute permission on the Program Files directory by default, meaning that the users can only browse the Program Files directory and execute programs from it but cannot mess with it.

Now if you are in a Domain you could also implement a group policy that will restrict users' access to the Drive C:, thus disabling the users from browsing the directory also, but anyway giving them Deny access will leave them unable to execute programs also.

Regarding what I said and you didn't like, I have no documents but I have been teaching that stuff for 4 years and I know what I am talking about; anyway, here is some explanation.

If you open the users group you will notice that the "Authenticated Users" system group is part of it, and that means (in two words) that any user authenticated from your computer will be a member of the users group, and the user you are logging on with (even if he is not explicitly part of the users group) has been authenticated by your computer and thus is part of the Users group, and since you are denying access to the users group you are also denying access to yourself, since the Deny permission overrides all other permissions.

Hope this Helps


Regards
0
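The nested-group effect described in the accepted solution can be checked directly. The following is an added example, not part of the original thread: it lists the groups in the current logon token and then reports every Deny entry on a folder that matches one of them. It assumes a Windows system with PowerShell 3.0 or later; the default `$Path` is only a sample value.

```powershell
# Added example (not from the thread): show which Deny ACEs on a folder
# apply to the token of the account running this script.
param([string]$Path = 'C:\Program Files')   # sample default; pass any folder

# Resolve a SID to DOMAIN\Name, falling back to the raw SID if lookup fails.
function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

# The logon token carries more SIDs than the "Member Of" tab shows:
# S-1-5-11 (Authenticated Users) and S-1-5-4 (INTERACTIVE) are added at logon,
# and because both are members of BUILTIN\Users (S-1-5-32-545), that SID is
# added to the token as well.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

Write-Output "Groups in the token of $($identity.Name):"
$identity.Groups | ForEach-Object { '  {0,-14} {1}' -f $_.Value, (Resolve-SidName $_) }

# Read the DACL with identities expressed as SIDs so they compare
# directly against the token's SID list (explicit and inherited ACEs).
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# A Deny ACE matching ANY SID in the token wins over every Allow ACE,
# including the Allow granted to Administrators.
$hits = @($rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $tokenSids -contains $_.IdentityReference.Value
})

if ($hits.Count -eq 0) {
    Write-Output "No Deny entries on '$Path' match this token."
} else {
    Write-Output "Deny entries on '$Path' that apply to this token:"
    $hits | ForEach-Object {
        [pscustomobject]@{
            Identity  = Resolve-SidName $_.IdentityReference
            Sid       = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
}
```

A Deny entry for BUILTIN\Users in the output explains the lockout; `icacls <folder> /remove:d Users` removes that entry.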
 

Author Comment

by:cweeks
ID: 9620947
Akhater, many thanks for the patience and bearing with me. I faintly suspected the "Authenticated Users" would lie at the bottom of it, but it seemed very odd to have the "Computer Management" program and the effective permissions tab ignore this little but seemingly very important loophole, or is it just me?

The question that now begs is what is a non-authenticated user? A Guest user?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 9621053
Well, a non-authenticated user is a ............ non-authenticated user :) It could be a guest user or an anonymous user.
0
 

Author Comment

by:cweeks
ID: 9622644
OK, understood, thanks for the help.
0
