can we remove a user from "EVERYONE" group

  • Thread starter Thread starter sphilip
  • Start date Start date
S

sphilip

i need to create 6 users in our domain but they should not
be in the everyone group, due to access rights. how do i
remove them from the everyone group.
 
hmmm, lets see... if you take someone out of the everyone group then the
everyone group is no longer everyone it is something else... maybe you
really want to limit what the everyone group has access to down to a bare
minimum. after all, 'everyone' should probably be the most limited possible
group of all since it implies that anyone is part of it. then create a
different group, or use one of the existing ones, that has more privileges
and add specific users to it.
 
sphilip said:
i need to create 6 users in our domain but they should not
be in the everyone group, due to access rights. how do i
remove them from the everyone group.
Click to expand...

You can't do that but neither should you have any need to do so. In fact,
you wouldn't want them NOT to be in that group. You would essentially be
stating to the security provider that all security requirements that are
enforced on everyone do not apply to the 6 users. Can you say the words:
hack me, please?

If you share a resource and choose to prevent access to the 6 users, only
share the resource to whatever groups don't include the 6 users. Of course,
you can deny the 6 users as well. But this is not recommended because deny
overides all, including a deny in the case one of the 6 is the
administrator.
 
Hi,

I suppose if you really have to deny those users you could:

-Create a new security group and add those six users to it
-Add an explicit deny to that security group on the folders they
shouldn't have access to.

I personally don't work like this -instead I start with nothing and
add groups of users as necessary. Also, avoid the temptation to
individually add the six users, create a group which is easier to
maintain in the future.

Kris.
 
Kris Shaw said:
Hi,

I suppose if you really have to deny those users you could:

-Create a new security group and add those six users to it
-Add an explicit deny to that security group on the folders they
shouldn't have access to.

I personally don't work like this -instead I start with nothing and
add groups of users as necessary. Also, avoid the temptation to
individually add the six users, create a group which is easier to
maintain in the future.

Kris.
Click to expand...

I agree, i only mentioned the deny option to provide an alternative, and a
dangerous alternative at that. Its much easier / safer to manage specifying
who has the permission than who should be denied. As specified in my post,
that is not recommended.

Lets face it, how many times have i found myself before an administrator who
states that he denied local logons at a DC to the domain users group and
then stated that he couldn't logon locally as admin anymore. Duh, admin is a
member of the domain users group.
 
Back
Top