Permissions

Ann

I'm trying to set up a workgroup Windows XP Professional
workstation security.

I have two questions.

1. In some MS articles, they mentioned the 'Everyone' account.
Why can I not see it in my users and groups?

2. I set up a group called ftpusers, and a user called
for example John. I add this user to the ftpusers group.

Then I go to a directory and set the NTFS permission, add
ftpusers to the list, but when I go to effective
permission and select John, no permissions have been
checked. I suppose if I added the group ftpusers, the
member of the group should have same permissions. But it
seems not.

Any ideas about it?

Thanks for any suggestions
 
Roger Abell

replies inlined

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Ann said:
I'm trying to set up a workgroup Windows XP Professional
workstation security.

I have two questions.

1. In some MS articles, they mentioned the 'Everyone' account.
Why can I not see it in my users and groups?

Everyone is a built-in that is not shown in the
lusrmgr.msc (and similar) lists of users and groups.
However, when one looks at the combined list of
what one can add to an access control list when
using a security editor dialog it will be listed there.
It does not make sense (apparently) to show it in the
lists used to manage users and groups, since it cannot
be deleted, it cannot have its membership altered, and
it cannot be added into a group as a member.

2. I set up a group called ftpusers, and a user called
for example John. I add this user to the ftpusers group.

Then I go to a directory and set the NTFS permission, add
ftpusers to the list, but when I go to effective
permission and select John, no permissions have been
checked. I suppose if I added the group ftpusers, the
member of the group should have same permissions. But it
seems not.

Effective permissions does not walk the memberships of
groups and list out permissions of an account based on the
groups the account is within. It shows the net effect of all
explicit and/or implicit (inherited) grants to a group or an
account for the object, leaving it up to you to understand
the importance of grants made to groups. (This is a performance
optimization. Especially when in an Active Directory forest,
answering the question "what all groups is account X within"
is actually quite non-trivial and requires making queries at each
domain in the forest, and following this, following the rules for
nesting of groups finding all groups in which a group that has
the account as a member, again potentially at each domain, etc.
until closure is reached with no new groups being found. It is
only with such a list that it would then be possible to show the
effective permissions of an account in the manner you were
expecting.)
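
The group-membership closure described in the reply above, as an added example that is not part of the original thread. It is a simplified model, not Windows code: John and ftpusers come from the question, while the nested group FileTransfer, the user Mary, the sample ACL and the right names are constructed, and "any matching deny beats any allow" is an assumed simplification of ACE ordering.

```python
from collections import deque

# Constructed sample: direct "member -> groups it belongs to" edges.
# John and ftpusers come from the thread; the other names are hypothetical.
MEMBER_OF = {
    "John": {"ftpusers"},
    "ftpusers": {"FileTransfer"},    # nested group (hypothetical)
    "FileTransfer": {"ftpusers"},    # cycle, to show the walk still terminates
    "Mary": set(),
}

# Constructed ACL for one directory: (type, trustee, rights).
ACL = [
    ("allow", "ftpusers", {"read", "write"}),
    ("allow", "FileTransfer", {"list"}),
    ("deny", "FileTransfer", {"write"}),
    ("allow", "Everyone", {"list"}),
]


def group_closure(account, member_of=MEMBER_OF):
    """Follow memberships, including nested groups, until no new group appears."""
    seen, queue = set(), deque([account])
    while queue:
        for group in member_of.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def direct_rights(account, acl=ACL):
    """Rights from allow ACEs that name the account itself (no group walk)."""
    return {r for kind, who, rights in acl
            if kind == "allow" and who == account for r in rights}


def effective_rights(account, acl=ACL, member_of=MEMBER_OF):
    """Rights from every ACE naming the account, Everyone, or a group in the
    account's closure. Simplification: a matching deny always wins."""
    trustees = {account, "Everyone"} | group_closure(account, member_of)
    allowed, denied = set(), set()
    for kind, who, rights in acl:
        if who in trustees:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied
```

In this model no ACE names John, so `direct_rights("John")` is empty, while the walk through ftpusers and the nested group gives him read and list, with write removed by the deny on FileTransfer.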
 
Ann

Thank you very much for detailed explanation
 
