Solved

File permissions

Posted on 2003-10-21
10
235 Views
Last Modified: 2013-12-04
When I set file permissions of any directory to "Deny" the permission "List Folder Contents" for members of the group "Users" it stops me a person that is only member of the group "Administrators" from viewing the contents of that directory.

Why is this happening ?
0
Comment
Question by:cweeks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9595445
This would most likely be because you are part of the Users group as well as the Administrators group.
Try this from the command prompt to check if you are part of the users group ..
>net localgroup users

If you need to remove yourself from the users group use this command ..
>net localgroup users username /del     <--- substitute your username for username
0
 

Author Comment

by:cweeks
ID: 9597130
I doesn't appear that I am a member of the group "Users", here is the ouput from the command you mentioned

C>net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-
wide changes.  Thus, Users can run certified applications, but not most legacy a
pplications

Members

-------------------------------------------------------------------------------
Chris Weeks
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
The command completed successfully.


0
 

Author Comment

by:cweeks
ID: 9597135
btw I am Cameron Weeks
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 49

Expert Comment

by:Akhater
ID: 9597366
What is happening is very Normal, because you are also part of the users group (users group is a special group and every local user is automatically added to this group)

Anyways you do not need to give Deny permission (since this permission overrides ALL other permissions) it is enough to only give permission to the group you want to access this folder and all other groups will have Implicit Deny. So right click on the folder properties go to permission and make sure u have only the group you want to give access listed and grant to it the wanted permission, dont give any permission to any one else (This is what is called implicit deny)

You should be Carefull using the Deny permission (or explicit deny) since it overrides all other permissions.

Hope this Helps

Regards,
0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9599552
If you want to use Deny permissions remove yourself from all groups other than the administrators group.

Domain: Active Directory, Users and Computers, User, Member of Tab
Or
Local: Right Click on My Computer, Manage, Local Users and Groups, Users, User, Member of Tab
0
 

Author Comment

by:cweeks
ID: 9620488
To bkoehler-mpr, I have already used the "Computer Management" program to verify what groups I am in, and it very definatley only has me down as a member of "Administrators". I am not a member of "Users". This is what prompted the original question as it seems totally inccorect to me that effecting the permission for the group "Users" should in any way effect me. According to Akhater everyone is a member of "Users" even though XP does not list me as such, in fact even the "Effective permissions" tab suggests I still have full access for any given directory that I have chosen to deny "Users" some access to, however when it actually comes to accessing the directory it is a totally different story.

If Akhater is correct then, XP has a very confusing way of showing that I am actually a member of "Users", it seems to do this by infact showing that I am not a member of "Users".

Regardless of this, I will explain what I am actually trying to acheve. I am trying to stop "Users" from poking around on my hard drive. My idea is to hide all files such as those in the "Program Files" directory, however I don't want to stop "Users" from executing and using programs in those directories. The "user" concerned will only have access to these programs via shortcuts on there start menu. I realise people could guess at paths and file names to gain access, but that doesn't really both me. Getting to Akhater's suggestion of explict deny, I don't want to have to sort through all the various directories in "program files" and remove "Users" permissions from them.

Can my idea by done ?

And do I really have a problem with XP thinking I am actually it the users group when I am not ? Akhater do you have any documentation to back your suggestion up. Sorry to be a doubting Thomas but it doesn't really seem to fit.

Best regards, Cam..

0
 
LVL 49

Accepted Solution

by:
Akhater earned 200 total points
ID: 9620593
Regarding what you are trying to do no need to bother since users group only have Read & Execute permission on the Program Files Directory by default meaning that the users can only browse the Program Files directory and execute programs from it but cannot mess with it.

Now if you are in a Domain you could also implement a group policy that will restrict users access to the Drive C: thus disabling the users from browsing the directory also, but anyway giving them Deny access will leave them unable to execute programs also.

Regarding what I said and you didnt like, I have no documents but i have been teaching that stuff for 4 years and i know what i am talking about anyway here is some explanation.

If you open the users group you will notice that the "Authenticated Users" system group is part of it and that mean (in two words) that any user authenticated from your computer will be member of the users group and the user you are logging on with (even if he is not explicitly part of users group) has been authenticated by your computer and thus is part of the Users group, and since you are denying access to the users group you are also denying access to yourself since the Deny permission overrides all other permissions.

Hope this Helps


Regards
0
 

Author Comment

by:cweeks
ID: 9620947
Akhater, many thanks for the patience and bearing with me. I faintly suspected the "Authenticated Users" would lie at the bottom of it, but it seemed very odd to have the "Computer Management" program and the effective permissions tab ignore this little but seemingly very important loop hole, or is it just me ?

The question that now begs is what is a none authenticated user ? A Guest user ?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 9621053
well a none authenticated user is a ............ none authenticated user :) it could be a guest user or an anonymous user
0
 

Author Comment

by:cweeks
ID: 9622644
OK undetstood, thanks for the help.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question