Do all login users secretly belong to the Users group?

Guest

I create a new user, make it a member of the Guests group and explicitly
remove it from the Users group (so that the new user is a member of the
Guests group and no other group).

Strangely this new user has the "effective permissions" to "read & execute"
a file as if it was in the Users group. This is very odd behaviour.

My file has an ACL with "full control" ACEs for SYSTEM, Administrators and
CURRENT OWNER (Administrator), and a "read & execute" ACE for the "Users"
group (and no other ACEs).

Also if I log on as the new user in the Guests group I can read the file too.

What is going on?
 
Dave

From the description of the Guests group:
"Guests have the same access as members of the Users group by default,
except for the Guest account which is further restricted"

I seem to remember something about this happening because 'Authenticated
Users' is part of the Users group or some such thing like that. But I
wouldn't try removing that; it may have other undesired effects.
 
Roger Abell

No. There is nothing at all secret about membership of Users group.
Look at it. You will see either Authenticated Users or INTERACTIVE
or both. An account is useless for console login if it is not a Users
member. This is what INTERACTIVE guarantees.

In today's world, with a default install configuration, Users is very
little different from Everyone (if anonymous is not in Everyone).
 
Steven L Umbach

Roger explained why this is happening. Avoid using the Users/Authenticated Users
[though Authenticated Users is more restrictive than Users] group when you
want to restrict access to a folder/file. You could use an explicit deny for a
group like Guests or, better yet, create your own groups to grant access to
the folder/file to that specific group that does not include members you do
not want to have access. When you log on as a user you create, you can use the
command "whoami /groups" to see the various groups that the user belongs to.
You may need to install the support tools to use whoami. --- Steve
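
The checks described in this thread (who is in Users, what `whoami /groups` reports, and which ACEs on the file apply as a result), as an added example that is not part of the original posts. It assumes Windows PowerShell 5.1 or later, is run while logged on as the account under test, and uses a hypothetical file path in `$Path`; it lists matching ACEs only and does not evaluate allow/deny ordering.

```powershell
# Added example, not from the thread. $Path is a hypothetical file name.
param([string]$Path = 'C:\Data\report.txt')

# Well-known SIDs for the principals named in the thread.
$names = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
}

# 1. Members of the local Users group, looked up by SID rather than by name.
#    Expect to see Authenticated Users and/or INTERACTIVE here.
Get-LocalGroupMember -SID 'S-1-5-32-545' |
    Select-Object Name, SID, ObjectClass | Format-Table -AutoSize

# 2. SIDs carried in the current logon token (the data behind "whoami /groups").
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$names.GetEnumerator() | Sort-Object Value | ForEach-Object {
    [pscustomobject]@{ Principal = $_.Value; InToken = $tokenSids -contains $_.Key }
} | Format-Table -AutoSize

# 3. ACEs on the file whose trustee SID is present in the token.
#    A "Users" allow ACE showing up here explains the unexpected read access.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object { $tokenSids -contains $_.IdentityReference.Value } |
    ForEach-Object {
        $sid = $_.IdentityReference.Value
        [pscustomobject]@{
            Trustee   = if ($names.ContainsKey($sid)) { $names[$sid] } else { $sid }
            Type      = $_.AccessControlType
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    } | Format-Table -AutoSize
```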
 
