Permissions problems

ian

I am using Windows XP Pro with SP2 and trying to alter my file
permissions in the "All users" folder so that the limited users on my
computer can't delete the files, just read them. This works, but
suddenly I can't delete them either.

The way it's set up is:

Administrators - Full control
Users - Can read and execute, all others (including delete and delete
subfolders) denied.

This is set on the "All users" folder and copied to all child objects
within that folder.

Though this sets it up correctly for limited users (after allowing
everyone access to "All Users\Application
Data\Microsoft\OFFICE\DATA\opa11.dat" so that MO will work), the
administrator user seems to get the same restrictions as normal users
in that folder, even though I checked and my Admin user area is ONLY a
member of the "Administrators" group and not the "Users" group, yet it
won't let me delete the files. Does Windows XP consider Administrators
to be in the "Users" group even though you've taken them out of it? It
would seem that way but that doesn't seem right to me. Anyone know
about this and how to get around it?
 
Steven L Umbach

Yes, administrators can be members of the users group and certainly will be
members of authenticated users and everyone, so you should not give deny
permissions to those groups if you also do not want to affect
administrators. You can use the support tool whoami /groups to see all the
groups your account is a member of in the current logon session; see an
example below of output on my computer. Instead of deny permissions, just
remove those permissions that you do not want the groups to have. Lack of a
permission is an implicit deny permission. --- Steve


D:\Documents and Settings\Steve>whoami /groups

[Group 1] = "STEVE-XP\None"
[Group 2] = "Everyone"
[Group 3] = "BUILTIN\Administrators"
[Group 4] = "BUILTIN\Users"
[Group 5] = "NT AUTHORITY\INTERACTIVE"
[Group 6] = "NT AUTHORITY\Authenticated Users"
[Group 7] = "LOCAL"
 
ian

Ah, I see. Thanks for whoami, I didn't know about that tool. I think
I've found a way around it, by putting all the limited users into my
own "LUsers" group, and setting the Deny permissions on that rather
than the normal "Users" group. Interestingly enough though, all the
pictures for the accounts on the welcome screen have reverted to the
chess image, even though when logged on they show up right.
 
Steven L Umbach

That will work also, though I usually try to avoid using deny permissions if
I can accomplish what I want with allow permissions. I can't comment on why
they all show up as the chess image, as I always use classic logon. --- Steve
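
Added example (not part of the original thread): a simplified Python model of the access check, run against the three permission layouts discussed above, to show why a Deny on "Users" also blocks the administrator while removing the permission or denying a dedicated group does not. It assumes explicit ACEs only and toy rights bits; inheritance, ownership and the parent folder's "Delete Subfolders and Files" right are left out, and the limited-user token is constructed.

```python
# Added example: simplified model of the NTFS access check (explicit ACEs only).
from dataclasses import dataclass

READ, EXECUTE, WRITE, DELETE = 1, 2, 4, 8   # toy rights bits, not real masks
FULL = READ | EXECUTE | WRITE | DELETE

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # group name as printed by whoami /groups
    mask: int

def access_check(token_groups, dacl, desired):
    """True only if every desired bit is allowed before any of them is denied."""
    remaining = desired
    # Canonical order: explicit deny ACEs are evaluated ahead of allow ACEs.
    for ace in sorted(dacl, key=lambda a: a.kind != "deny"):
        if ace.trustee not in token_groups:
            continue                      # ACE is for a group this token lacks
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False              # explicit deny wins
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                          # nothing granted it: implicit deny

# Administrator token: the group list from the whoami /groups output in the thread.
ADMIN = {"STEVE-XP\\None", "Everyone", "BUILTIN\\Administrators", "BUILTIN\\Users",
         "NT AUTHORITY\\INTERACTIVE", "NT AUTHORITY\\Authenticated Users", "LOCAL"}
# Constructed token for a limited account that was also added to LUsers.
LIMITED = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\INTERACTIVE",
           "NT AUTHORITY\\Authenticated Users", "LOCAL", "LUsers"}

BASE = [Ace("allow", "BUILTIN\\Administrators", FULL),
        Ace("allow", "BUILTIN\\Users", READ | EXECUTE)]
DACLS = {
    "deny on Users": BASE + [Ace("deny", "BUILTIN\\Users", WRITE | DELETE)],
    "allow only": BASE,
    "deny on LUsers": BASE + [Ace("deny", "LUsers", WRITE | DELETE)],
}

def delete_matrix():
    """Map each DACL to (admin can delete, limited user can delete)."""
    return {name: (access_check(ADMIN, d, DELETE), access_check(LIMITED, d, DELETE))
            for name, d in DACLS.items()}

if __name__ == "__main__":
    for name, result in delete_matrix().items():
        print(f"{name:15} admin={result[0]} limited={result[1]}")
```
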

