Adding a computer account to file's security list


Rich Evans

In the Active Directory you can add not only users and groups to a
file or folder Security list, but also computer accounts. What results
from granting Change permission on a folder to a computer account?
Does this mean that _anyone_ logged into that machine has Change
permission? Or does it mean any local account on that machine has
Change permission?
 
Rich Evans said:
In the Active Directory you can add not only users and groups to a
file or folder Security list, but also computer accounts. What results
from granting Change permission on a folder to a computer account?
Does this mean that _anyone_ logged into that machine has Change
permission? Or does it mean any local account on that machine has
Change permission?


Computer accounts represent one of the internal system accounts. It is also
referred to as the SYSTEM or "Local System" account.
Most local system services run under this account. It has more rights on
the computer than even the Administrator account.

So, as with any other account, granting permissions to a particular
account allows processes running under this account to perform actions
on the object to which the permissions are applied.

As an example, imagine a startup script that starts some executable or writes
to a log on a network share. For this script to run correctly you need to
grant write permission on the share to the domain computers' accounts, since startup
scripts run under the LocalSystem account.

Al.
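An added example (not code from the thread) of the scenario Al describes: granting a computer account the Change/Modify permission on a shared folder so a startup script running as LocalSystem can write a log there. The domain CONTOSO, computer WKS01, file server FS01, share StartupLogs and the local path D:\Shares\StartupLogs are all assumed placeholders.

```powershell
# Run on the file server FS01 as an administrator. Names are placeholders.
$folder  = 'D:\Shares\StartupLogs'   # local path behind the \\FS01\StartupLogs share
$share   = 'StartupLogs'
$trustee = 'CONTOSO\WKS01$'          # computer accounts end in '$'; use 'CONTOSO\Domain Computers' for all of them

# 1. Share-level permission: "Change" is the share permission the question asks about.
#    Share and NTFS permissions are ANDed, so both layers must allow the computer account.
Grant-SmbShareAccess -Name $share -AccountName $trustee -AccessRight Change -Force | Out-Null

# 2. NTFS permission: Modify is the file-system counterpart of Change
#    (read, write, delete on files and subfolders, but not change permissions or take ownership).
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $trustee,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify: the ACE names the computer account, not any user on that machine.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like '*$' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# ---- Startup script assigned via GPO (Computer Configuration > Windows Settings > Scripts > Startup) ----
# Runs on WKS01 as LocalSystem before anyone logs on. Locally it is NT AUTHORITY\SYSTEM;
# when it touches the share it authenticates to FS01 as CONTOSO\WKS01$, which is why
# the computer account (not a user) needs the permission above.
$log = '\\FS01\StartupLogs\startup.log'
"$(Get-Date -Format s) $env:COMPUTERNAME booted" | Add-Content -Path $log
```

A user who later logs on to WKS01 interactively gets none of this access: their own token carries their user SID and group SIDs, not the computer account's, so the ACE above is invisible to them. On the file server the corresponding logon event (4624) shows the account name WKS01$, which is the easiest way to confirm which identity a startup script is really using.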
 
Rich Evans said:
In the Active Directory you can add not only users and groups to a
file or folder Security list, but also computer accounts. What results
from granting Change permission on a folder to a computer account?

It's going to sound redundant, but it would allow the computer's account
(presumably you mean its account in the domain) to Change that
resource.
Does this mean that _anyone_ logged into that machine has Change
permission?

Not at all - it gives NO ONE except the computer additional access.
Or does it mean any local account on that machine has
Change permission?

Yes.

This is seldom done, since most resource access is by "user accounts",
but as of Win2000, computer accounts were made "first class security
objects" (full security principals).

This "first class" behavior means that you can place the computer
account into groups and grant or deny it permissions or rights on
the network/domain resources.

Under NT, you could use the "system" account but this was a purely
local account and could not be granted access on network resources
as a domain account can (now) be granted.

Mostly this feature is used for two main purposes:

1) Filtering GPO objects so that they only apply to a subset of
the computer accounts in a domain or OU.

2) Allowing access to files on the network so that
Group Policy "software assignments" to the computer can be
fetched from the network shares by the computer account even
before any user is logged on.

Of course, you can use this feature for any granting or denying of
permissions or rights that make sense for a "computer" ITSELF,
but the above two are the obvious new situations for which the
feature was primarily enabled in Win2000+.
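An added example (not from the thread) of the first use the reply lists: security-filtering a GPO so it applies only to a subset of computer accounts, plus the share permission that the second use (computer-side software assignment) relies on. It assumes the GroupPolicy and SmbShare modules (RSAT or a domain controller / file server) and placeholder names: GPO "Lab Workstations Config", group LabWorkstations, computer WKS01, software share \\FS01\Software.

```powershell
Import-Module GroupPolicy

$gpo = 'Lab Workstations Config'   # placeholder GPO name

# 1. By default "Authenticated Users" (every user AND every computer account) may apply the GPO.
#    Drop that to read-only. Read must stay: since MS16-072 the computer account needs read
#    access to every GPO in scope, otherwise the GPO is silently skipped at processing time.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 2. Grant "apply" only to the subset: a group whose members are computer accounts,
#    or a single computer account (TargetName is the account name as shown in AD; placeholder).
Set-GPPermission -Name $gpo -TargetName 'LabWorkstations' -TargetType Group    -PermissionLevel GpoApply
Set-GPPermission -Name $gpo -TargetName 'WKS01'           -TargetType Computer -PermissionLevel GpoApply

# 3. Review the resulting filter: only the trustees with Permission = GpoApply receive the policy.
Get-GPPermission -Name $gpo -All | Format-Table Trustee, TrusteeType, Permission -AutoSize

# 4. Software assigned to the *computer* is fetched by the computer account before any
#    user logs on, so the distribution share must be readable by Domain Computers, not just users.
Grant-SmbShareAccess -Name 'Software' -AccountName 'CONTOSO\Domain Computers' -AccessRight Read -Force | Out-Null
```

Group filtering (step 2, first line) is the form that scales: adding or removing a machine from LabWorkstations changes what it receives without touching the GPO's ACL. Granting a single computer account directly is useful for testing a policy on one machine before widening it.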
 