?
Solved

File permissions

Posted on 2003-10-21
10
Medium Priority
?
237 Views
Last Modified: 2013-12-04
When I set file permissions of any directory to "Deny" the permission "List Folder Contents" for members of the group "Users" it stops me a person that is only member of the group "Administrators" from viewing the contents of that directory.

Why is this happening ?
0
Comment
Question by:cweeks
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9595445
This would most likely be because you are part of the Users group as well as the Administrators group.
Try this from the command prompt to check if you are part of the users group ..
>net localgroup users

If you need to remove yourself from the users group use this command ..
>net localgroup users username /del     <--- substitute your username for username
0
 

Author Comment

by:cweeks
ID: 9597130
I doesn't appear that I am a member of the group "Users", here is the ouput from the command you mentioned

C>net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-
wide changes.  Thus, Users can run certified applications, but not most legacy a
pplications

Members

-------------------------------------------------------------------------------
Chris Weeks
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
The command completed successfully.


0
 

Author Comment

by:cweeks
ID: 9597135
btw I am Cameron Weeks
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 49

Expert Comment

by:Akhater
ID: 9597366
What is happening is very Normal, because you are also part of the users group (users group is a special group and every local user is automatically added to this group)

Anyways you do not need to give Deny permission (since this permission overrides ALL other permissions) it is enough to only give permission to the group you want to access this folder and all other groups will have Implicit Deny. So right click on the folder properties go to permission and make sure u have only the group you want to give access listed and grant to it the wanted permission, dont give any permission to any one else (This is what is called implicit deny)

You should be Carefull using the Deny permission (or explicit deny) since it overrides all other permissions.

Hope this Helps

Regards,
0
 
LVL 6

Expert Comment

by:bkoehler-mpr
ID: 9599552
If you want to use Deny permissions remove yourself from all groups other than the administrators group.

Domain: Active Directory, Users and Computers, User, Member of Tab
Or
Local: Right Click on My Computer, Manage, Local Users and Groups, Users, User, Member of Tab
0
 

Author Comment

by:cweeks
ID: 9620488
To bkoehler-mpr, I have already used the "Computer Management" program to verify what groups I am in, and it very definatley only has me down as a member of "Administrators". I am not a member of "Users". This is what prompted the original question as it seems totally inccorect to me that effecting the permission for the group "Users" should in any way effect me. According to Akhater everyone is a member of "Users" even though XP does not list me as such, in fact even the "Effective permissions" tab suggests I still have full access for any given directory that I have chosen to deny "Users" some access to, however when it actually comes to accessing the directory it is a totally different story.

If Akhater is correct then, XP has a very confusing way of showing that I am actually a member of "Users", it seems to do this by infact showing that I am not a member of "Users".

Regardless of this, I will explain what I am actually trying to acheve. I am trying to stop "Users" from poking around on my hard drive. My idea is to hide all files such as those in the "Program Files" directory, however I don't want to stop "Users" from executing and using programs in those directories. The "user" concerned will only have access to these programs via shortcuts on there start menu. I realise people could guess at paths and file names to gain access, but that doesn't really both me. Getting to Akhater's suggestion of explict deny, I don't want to have to sort through all the various directories in "program files" and remove "Users" permissions from them.

Can my idea by done ?

And do I really have a problem with XP thinking I am actually it the users group when I am not ? Akhater do you have any documentation to back your suggestion up. Sorry to be a doubting Thomas but it doesn't really seem to fit.

Best regards, Cam..

0
 
LVL 49

Accepted Solution

by:
Akhater earned 800 total points
ID: 9620593
Regarding what you are trying to do no need to bother since users group only have Read & Execute permission on the Program Files Directory by default meaning that the users can only browse the Program Files directory and execute programs from it but cannot mess with it.

Now if you are in a Domain you could also implement a group policy that will restrict users access to the Drive C: thus disabling the users from browsing the directory also, but anyway giving them Deny access will leave them unable to execute programs also.

Regarding what I said and you didnt like, I have no documents but i have been teaching that stuff for 4 years and i know what i am talking about anyway here is some explanation.

If you open the users group you will notice that the "Authenticated Users" system group is part of it and that mean (in two words) that any user authenticated from your computer will be member of the users group and the user you are logging on with (even if he is not explicitly part of users group) has been authenticated by your computer and thus is part of the Users group, and since you are denying access to the users group you are also denying access to yourself since the Deny permission overrides all other permissions.

Hope this Helps


Regards
0
 

Author Comment

by:cweeks
ID: 9620947
Akhater, many thanks for the patience and bearing with me. I faintly suspected the "Authenticated Users" would lie at the bottom of it, but it seemed very odd to have the "Computer Management" program and the effective permissions tab ignore this little but seemingly very important loop hole, or is it just me ?

The question that now begs is what is a none authenticated user ? A Guest user ?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 9621053
well a none authenticated user is a ............ none authenticated user :) it could be a guest user or an anonymous user
0
 

Author Comment

by:cweeks
ID: 9622644
OK undetstood, thanks for the help.
0

Featured Post

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses
Course of the Month8 days, 22 hours left to enroll

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question