Effective NTFS Permissions on Windows

Guest

I am currently investigating how Effective Permissions calculations work on
Windows. I am considering all the server versions of Windows; however, I
restrict my discussion to Windows 2003 Server here as it has a tool to
calculate the Effective Permissions. My domain scenario is as follows:

Number of domains : 1 running on Win2k SP4 AS
I create a new user in the domain say UserX and a new global group say
GroupY and make UserX a member of GroupY.

To experiment, I first assigned the Everyone group full control on a
particular directory and Authenticated Users only write control on the
directory. Now, according to Microsoft, the Everyone group includes Authenticated
Users too. So whenever effective permissions are being calculated for
Authenticated Users, we should expect Auth Users to have full control. However,
this does not happen. Instead, Auth Users is shown as just having a "Write"
permission assigned to them. However, if I create a domain user and specify an
ACE for the domain user on the folder saying that this domain user has "Read
Permissions", the Effective Permissions tab for this user shows that he has
full control, which is correct as the user gets the cumulative permissions of
the Everyone group and the Authenticated Users group. Why is there a
discrepancy between the results shown for Auth Users and results shown for
the domain user?

The same situation exists for any domain group too. The effective
permissions calculation does not seem to be taking into account that the NT
Authority\Users group on the system that I am currently carrying out my
experiments on also contains the <DOMAIN NAME>\Domain Users group, which in turn
contains the Global group G I have created.

Summarizing, it seems like the effective permissions tool works perfectly for
users but it appears that it works differently for groups.

Can someone please help me out of this dilemma?

Thanks and Regards

Prahalad
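
The results described in the post can be reproduced with a simplified model of DACL evaluation; this is an added example, not part of the original post and not Windows code. The SIDs for UserX and GroupY are constructed placeholders, and `group_sids` encodes an assumption: that a group trustee is evaluated with its own SID only, while a user's SID set also carries Everyone and Authenticated Users.

```python
from collections import namedtuple

FILE_ALL_ACCESS    = 0x1F01FF  # "Full Control" on a file or directory
FILE_GENERIC_WRITE = 0x120116  # "Write"
READ_CONTROL       = 0x020000  # "Read Permissions"

EVERYONE   = "S-1-1-0"     # well-known SID
AUTH_USERS = "S-1-5-11"    # well-known SID
USER_X  = "S-1-5-21-1111-2222-3333-1105"  # constructed placeholder SID
GROUP_Y = "S-1-5-21-1111-2222-3333-1106"  # constructed placeholder SID

Ace = namedtuple("Ace", "allow sid mask")  # allow=False models a deny ACE

def effective_mask(dacl, sids):
    """Walk the DACL in order; an ACE applies only if its SID is in `sids`."""
    granted = denied = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied   # bits already denied stay denied
        else:
            denied |= ace.mask & ~granted   # bits already granted stay granted
    return granted

def user_sids(user, groups):
    """A user's SID set: own SID, group SIDs, plus Everyone and Authenticated Users."""
    return {user, EVERYONE, AUTH_USERS, *groups}

def group_sids(group):
    """ASSUMPTION: a group trustee is evaluated with its own SID only."""
    return {group}

# The directory from the post, plus the "Read Permissions" ACE for the domain user.
DACL = [
    Ace(True, EVERYONE, FILE_ALL_ACCESS),
    Ace(True, AUTH_USERS, FILE_GENERIC_WRITE),
    Ace(True, USER_X, READ_CONTROL),
]

def scenario():
    return {
        "UserX": effective_mask(DACL, user_sids(USER_X, [GROUP_Y])),
        "Authenticated Users": effective_mask(DACL, group_sids(AUTH_USERS)),
        "GroupY": effective_mask(DACL, group_sids(GROUP_Y)),
    }

if __name__ == "__main__":
    print({name: hex(mask) for name, mask in scenario().items()})
```

Under this model UserX accumulates all three ACEs and ends up with full control, Authenticated Users matches only its own "Write" ACE, and GroupY matches nothing.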
 
