Local login and access WITHOUT NTFS-Permission

Thomas Bert

Hi NG,

need help or explanation (I'm German, so probably some terms are not correct?)

- W2k-Prof in Workgroup; all SPs and Patches
- MS FTP-Server; no anonymous login allowed
- all Volumes with NTFS; permission only for Administrators and Users (System);
NO permissions for Everyone


My Problem:
- Some User-Accounts are members of only one group: "ftp-out"
- this group has the right "local login"(?) "logon local"(?) (german OS)
-> I think I need this for FTP-Access???
- FTP-folders are the only place where this group has any NTFS-permissions
NOW:
=> those Accounts can logon local AND access files+folders without any
NTFS-permission; ACLs definitely only contain "Administrators" and "Users"
How can this happen???

After short tests I think those Accounts are treated as if they were members of
the "User"-Group? They are definitely not!

Is that normal? Or where's my mistake?


Thanks for help
Thomas
 
Steven Umbach

Any user created on a computer is a member of the users group automatically.
Give that group deny permissions to folders you do not want them to have access
to. Do not however change/add any NTFS permissions on the system \winnt folder
or subfolders. -- Steve
 
Thomas Bert

Steven Umbach said:
> Any user created on a computer is a member of the users group automatically.
> Give that group deny permissions to folders you do not want them to have access
> to. Do not however change/add any NTFS permissions on the system \winnt folder
> or subfolders. -- Steve

My "ftp-out"-accounts are no longer members of the users group; I removed them.
Are you telling me I have to deny access for the ftp-out group on every folder
they shouldn't access?
Even if they don't have any permissions? Is this a feature or a bug or what for?

Between: Short try makes me believe it could work this way. But it would mean
much work and time and a more complex structure of permissions and groups
than I wanted to establish

Thomas

 
Steven L Umbach

My experience is that you can not actually remove a user from the users
group even if it appears that you have. This may be protection by the
operating system to keep a user from being denied access to the operating
system or other resources. That leaves the options to either remove the
users group and replace it with groups that are allowed access to a
resource or give the groups that should not have access to a resource deny
permissions keeping in mind that explicit allow permissions override
inherited deny permissions. --- Steve
 
Thomas Bert

Steven L Umbach said:
> My experience is that you can not actually remove a user from the users
> group even if it appears that you have. This may be protection by the
> operating system to keep a user from being denied access to the operating
> system or other resources. That leaves the options to either remove the
> users group and replace it with groups that are allowed access to a
> resource or give the groups that should not have access to a resource deny
> permissions keeping in mind that explicit allow permissions override
> inherited deny permissions. --- Steve

I think you're right. Thanks - so I learned something important, but I can't
say that I like it...

Thomas
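
The outcome discussed in this thread, modelled as an added example (not code from any poster and not Windows' own implementation): a simplified NTFS-style access check that walks ACEs in canonical order, showing why the ftp-out account gets in through "Users", how a deny ACE stops it, and how an explicit allow beats an inherited deny. The account name `ftpuser1`, the ACLs and the token contents are constructed; that the token still carries Users is an assumption taken from the replies above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # group or account the ACE applies to
    rights: frozenset    # rights covered by this ACE
    inherited: bool = False

def canonical(aces):
    """Canonical ACE order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token_groups, aces, wanted):
    """Walk the ACL in order. A matching deny on a right not yet granted
    refuses access, allows accumulate, ungranted rights are refused."""
    remaining = set(wanted)
    for ace in canonical(aces):
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return False  # implicit deny: no ACE granted everything requested

READ = frozenset({"read"})

# Constructed token (assumption): the account still carries Users.
FTP_TOKEN = {"ftpuser1", "ftp-out", "Users"}
# Hypothetical token that really lacks Users, for comparison.
NO_USERS_TOKEN = {"ftpuser1", "ftp-out"}

# Constructed ACL as in the first post: only Administrators and Users.
DATA_ACL = [Ace("allow", "Administrators", READ), Ace("allow", "Users", READ)]
# Same folder with an explicit deny for ftp-out added.
DATA_DENY_ACL = DATA_ACL + [Ace("deny", "ftp-out", READ)]
# Subfolder: the deny arrives by inheritance, the allow is set explicitly.
CHILD_ACL = [Ace("deny", "ftp-out", READ, inherited=True),
             Ace("allow", "Users", READ)]

if __name__ == "__main__":
    for name, acl in [("data", DATA_ACL), ("data+deny", DATA_DENY_ACL),
                      ("child", CHILD_ACL)]:
        print(name, access_check(FTP_TOKEN, acl, READ))
```
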
 
