File permissions

Posted on 2003-10-21
Medium Priority
Last Modified: 2013-12-04
When I set file permissions of any directory to "Deny" the permission "List Folder Contents" for members of the group "Users" it stops me a person that is only member of the group "Administrators" from viewing the contents of that directory.

Why is this happening ?
Question by:cweeks

Expert Comment

ID: 9595445
This would most likely be because you are part of the Users group as well as the Administrators group.
Try this from the command prompt to check if you are part of the users group ..
>net localgroup users

If you need to remove yourself from the users group use this command ..
>net localgroup users username /del     <--- substitute your username for username

Author Comment

ID: 9597130
I doesn't appear that I am a member of the group "Users", here is the ouput from the command you mentioned

C>net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-
wide changes.  Thus, Users can run certified applications, but not most legacy a


Chris Weeks
NT AUTHORITY\Authenticated Users
The command completed successfully.


Author Comment

ID: 9597135
btw I am Cameron Weeks
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

LVL 49

Expert Comment

ID: 9597366
What is happening is very Normal, because you are also part of the users group (users group is a special group and every local user is automatically added to this group)

Anyways you do not need to give Deny permission (since this permission overrides ALL other permissions) it is enough to only give permission to the group you want to access this folder and all other groups will have Implicit Deny. So right click on the folder properties go to permission and make sure u have only the group you want to give access listed and grant to it the wanted permission, dont give any permission to any one else (This is what is called implicit deny)

You should be Carefull using the Deny permission (or explicit deny) since it overrides all other permissions.

Hope this Helps


Expert Comment

ID: 9599552
If you want to use Deny permissions remove yourself from all groups other than the administrators group.

Domain: Active Directory, Users and Computers, User, Member of Tab
Local: Right Click on My Computer, Manage, Local Users and Groups, Users, User, Member of Tab

Author Comment

ID: 9620488
To bkoehler-mpr, I have already used the "Computer Management" program to verify what groups I am in, and it very definatley only has me down as a member of "Administrators". I am not a member of "Users". This is what prompted the original question as it seems totally inccorect to me that effecting the permission for the group "Users" should in any way effect me. According to Akhater everyone is a member of "Users" even though XP does not list me as such, in fact even the "Effective permissions" tab suggests I still have full access for any given directory that I have chosen to deny "Users" some access to, however when it actually comes to accessing the directory it is a totally different story.

If Akhater is correct then, XP has a very confusing way of showing that I am actually a member of "Users", it seems to do this by infact showing that I am not a member of "Users".

Regardless of this, I will explain what I am actually trying to acheve. I am trying to stop "Users" from poking around on my hard drive. My idea is to hide all files such as those in the "Program Files" directory, however I don't want to stop "Users" from executing and using programs in those directories. The "user" concerned will only have access to these programs via shortcuts on there start menu. I realise people could guess at paths and file names to gain access, but that doesn't really both me. Getting to Akhater's suggestion of explict deny, I don't want to have to sort through all the various directories in "program files" and remove "Users" permissions from them.

Can my idea by done ?

And do I really have a problem with XP thinking I am actually it the users group when I am not ? Akhater do you have any documentation to back your suggestion up. Sorry to be a doubting Thomas but it doesn't really seem to fit.

Best regards, Cam..

LVL 49

Accepted Solution

Akhater earned 800 total points
ID: 9620593
Regarding what you are trying to do no need to bother since users group only have Read & Execute permission on the Program Files Directory by default meaning that the users can only browse the Program Files directory and execute programs from it but cannot mess with it.

Now if you are in a Domain you could also implement a group policy that will restrict users access to the Drive C: thus disabling the users from browsing the directory also, but anyway giving them Deny access will leave them unable to execute programs also.

Regarding what I said and you didnt like, I have no documents but i have been teaching that stuff for 4 years and i know what i am talking about anyway here is some explanation.

If you open the users group you will notice that the "Authenticated Users" system group is part of it and that mean (in two words) that any user authenticated from your computer will be member of the users group and the user you are logging on with (even if he is not explicitly part of users group) has been authenticated by your computer and thus is part of the Users group, and since you are denying access to the users group you are also denying access to yourself since the Deny permission overrides all other permissions.

Hope this Helps


Author Comment

ID: 9620947
Akhater, many thanks for the patience and bearing with me. I faintly suspected the "Authenticated Users" would lie at the bottom of it, but it seemed very odd to have the "Computer Management" program and the effective permissions tab ignore this little but seemingly very important loop hole, or is it just me ?

The question that now begs is what is a none authenticated user ? A Guest user ?
LVL 49

Expert Comment

ID: 9621053
well a none authenticated user is a ............ none authenticated user :) it could be a guest user or an anonymous user

Author Comment

ID: 9622644
OK undetstood, thanks for the help.

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
The video provides a quick and easy steps to migrate MBOX file to well known Outlook PST and Office 365. Besides this, it also supports and migrates more than 20 email clients of MBOX which include AppleMail, Opera, Thunderbird and SeaMonkey effortl…
The video will let you know the exact process to import OST/PST files to the cloud based Office 365 mailboxes. Using Kernel Import PST to Office 365 tool, one can quickly import numerous OST/PST files to Office 365. Besides this, the tool also comes…

587 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question