questions about the Security tab for a folders properties

[yawnmoth]

I right click on a folder, select Properties from the resultant menu,
and click on the Security tab (I have Simple File Sharing disabled).
Here's what I see under Group or user names:

Administrators (COMPUTERNAME\Administrators)
CREATOR OWNER
Everyone
SYSTEM
Users (NETVISTA\Users)

What do these mean?

Administrators and Everyone are easy enough to figure out - they
affect the permissions of all Administrative users and all users,
respectivelly. But what about the others?

I assume CREATOR OWNER affects the permissions of whomever created the
folder. Does it do that user, specifically, or does it do all users
of your "class" - ie. all Administrators or all Limited Users?

Also, why not just show the name of the person who created the folder
or the group they're a part of? That might not be feasable, though,
if it's supposed to grant the same permissions to the owners of all
the various subfolders, which might not be the same as the owner of
the parent folder.

And what about SYSTEM? Why would SYSTEM need to access a folder? At
first, I thought that maybe it was for tasks scheduled via Windows
Scheduler, but that can't be it, since Windows Scheduler requires user
account information to run.

And what about Users? If I go to User Accounts in the Control Panel,
I can create two types of accounts - Computer administrator and
Limited account. As such, why not say "Limited accounts" instead of
"Users", assuming that they're even the same thing? Shouldn't the
names be referred to in a consistent manner?

I click on the Advanced button and, on the resultant window, click on
the Effective Permissions tab. I hit the Select... button and see a
field where I'm supposed to "Enter the object name to select". Isn't
there always going to be a finite number of possible objects? ie. if
you only have two accounts, aren't those two going to be the only
possible objects? As such, why require you manually type it in? Why
not show all the options that you can choose from?

 

[Jim]

Replies inline

I right click on a folder, select Properties from the resultant menu,
and click on the Security tab (I have Simple File Sharing disabled).
Here's what I see under Group or user names:

Administrators (COMPUTERNAME\Administrators)
CREATOR OWNER
Everyone
SYSTEM
Users (NETVISTA\Users)

What do these mean?

Administrators and Everyone are easy enough to figure out - they
affect the permissions of all Administrative users and all users,
respectivelly. But what about the others?

Members of the Administrators group use the Administrators group
permissions.
Every account on the system gets the permissions (at least) of the Everyone
group.

I assume CREATOR OWNER affects the permissions of whomever created the
folder. Does it do that user, specifically, or does it do all users
of your "class" - ie. all Administrators or all Limited Users?

No, it means the specific account which created the entity.

Also, why not just show the name of the person who created the folder
or the group they're a part of? That might not be feasable, though,
if it's supposed to grant the same permissions to the owners of all
the various subfolders, which might not be the same as the owner of
the parent folder. To much bookkeeping.

And what about SYSTEM? Why would SYSTEM need to access a folder? At
first, I thought that maybe it was for tasks scheduled via Windows
Scheduler, but that can't be it, since Windows Scheduler requires user
account information to run.

There is no account called SYSTEM. This name is used by Windows XP. And
Windows definitely needs to be able to access all folders and all files.

And what about Users? If I go to User Accounts in the Control Panel,
I can create two types of accounts - Computer administrator and
Limited account. As such, why not say "Limited accounts" instead of
"Users", assuming that they're even the same thing? Shouldn't the
names be referred to in a consistent manner?

Computer administrator belongs to the administrators group.
The limited user belongs to the users group. They aren't the same at all.

I click on the Advanced button and, on the resultant window, click on
the Effective Permissions tab. I hit the Select... button and see a
field where I'm supposed to "Enter the object name to select". Isn't
there always going to be a finite number of possible objects? ie. if
you only have two accounts, aren't those two going to be the only
possible objects? As such, why require you manually type it in? Why
not show all the options that you can choose from?

You do not understand that Windows is a multi user operating system. In
addition to those two accounts which you created, the installation of XP
creates accounts called NETWORK_SERVICE, LOCAL_SERVICE, and GUEST. There is
also an account which is supposed to be used for remote diagnostics (but
most people disable such an account). If you have installed the .NET
software, the installation will create a special account for this. The
NETWORK_SERVICE account is used by XP, after it is fully booted, to start
those programs involved in the network which do not need administrator
permisions. This is true also of the LOCAL_SERVICE account and the .NET
account. The GUEST account is intended to be used for making connections
using simple file sharing.

The reason for not showing all of the possible accounts is (perhaps)
reducing the amount of space that would be required to post all of the
information.

Jim

 

[yawnmoth]

There is no account called SYSTEM.  This name is used by Windows XP.  And
Windows definitely needs to be able to access all folders and all files.

Why, then, does Windows XP provide me with the option of denying
permissions to SYSTEM?

Computer administrator belongs to the administrators group.
The limited user belongs to the users group.  They aren't the same at all.

The "Limited account" is one of two /types/ of accounts you can
create. You can have multiple Limited accounts and I, in fact, do.
So if they're not the same, at all, then just what is the difference
between user types and user groups?