S
SRW
Hi folks:
I'm running WinXP Pro in a workgroup environment (no domain server)
with simple file sharing turned off (i.e. using the "old" NT4 and
Win2K file security). All my drives are NTFS. I usually just run my
stuff under an account with administrator privliges, but I run
programs that access the Internet (e.g. IE, Outlook, etc.) under a
userid that's only part of the Users group. Someone created a version
of "runas" that lets you put in the password on the command line
rather than being prompted for it, so it's not too hard to change file
associations and desktop icons to point to a ".cmd" file that runs IE,
Outlook, news reader, and their associated file types with a seperate
userid from the one you are logged on with.
I wanted to protect a couple of directories where I keep things like
passwords and financial information from the userid running under the
Users group just in case some kind of snoopware program got invoked
via IE or Outlook and went searching through my hard drives. By
default I had the Users group setup with generic read authority for
all the drives, and write authority for just it's own documents and
settings folder (this was by individual userid as setup by WinXP
versus the Users group as a whole), it's temp variable folder, the
place where the outlook data file was, and the folder I use to
download files from the Internet.
I went to the folder that had the financial stuff and put a "Deny"
entry on it for the Users group by checking the deny full control box,
which put checkmarks all the way down the column. After doing that I
clicked the advanced button and looked at the permissions and it
showed all the regular permissions inheritted from the top of the
drive tree and the "Deny" permission for group Users as not
inheritted, which all looked fine. However, after doing that I found
out that I could no longer access the directory from my account with
administrators privliges either. I verified that my administrators
account was not part of the Users group (the account I use is not the
built in administrator's account, but another one I created). I can't
figure out why my administrator level account gets locked out when I
disallow access by the Users group, unless the Users group is really a
built-in security principle group like Authenticated Users, SYSTEM,
Everyone, and that any accounts you create are automatically part of
the Users group even though it doesn't show up that way when you look
at which groups you belong to. Can anyone confirm or deny that this
is the case?
I ended up solving my problem by just removing the Users group from
the folder I wanted protected, but this required that I change to
folder to not inherit any security properties from higher in the drive
tree, and set each of the permissions on the folder manually. I'd
rather have it set where it inherits the security from above and the
only "extra" permission I have is one to explicitly deny the group
Users.
Thanks for your assistance.
Scott
I'm running WinXP Pro in a workgroup environment (no domain server)
with simple file sharing turned off (i.e. using the "old" NT4 and
Win2K file security). All my drives are NTFS. I usually just run my
stuff under an account with administrator privliges, but I run
programs that access the Internet (e.g. IE, Outlook, etc.) under a
userid that's only part of the Users group. Someone created a version
of "runas" that lets you put in the password on the command line
rather than being prompted for it, so it's not too hard to change file
associations and desktop icons to point to a ".cmd" file that runs IE,
Outlook, news reader, and their associated file types with a seperate
userid from the one you are logged on with.
I wanted to protect a couple of directories where I keep things like
passwords and financial information from the userid running under the
Users group just in case some kind of snoopware program got invoked
via IE or Outlook and went searching through my hard drives. By
default I had the Users group setup with generic read authority for
all the drives, and write authority for just it's own documents and
settings folder (this was by individual userid as setup by WinXP
versus the Users group as a whole), it's temp variable folder, the
place where the outlook data file was, and the folder I use to
download files from the Internet.
I went to the folder that had the financial stuff and put a "Deny"
entry on it for the Users group by checking the deny full control box,
which put checkmarks all the way down the column. After doing that I
clicked the advanced button and looked at the permissions and it
showed all the regular permissions inheritted from the top of the
drive tree and the "Deny" permission for group Users as not
inheritted, which all looked fine. However, after doing that I found
out that I could no longer access the directory from my account with
administrators privliges either. I verified that my administrators
account was not part of the Users group (the account I use is not the
built in administrator's account, but another one I created). I can't
figure out why my administrator level account gets locked out when I
disallow access by the Users group, unless the Users group is really a
built-in security principle group like Authenticated Users, SYSTEM,
Everyone, and that any accounts you create are automatically part of
the Users group even though it doesn't show up that way when you look
at which groups you belong to. Can anyone confirm or deny that this
is the case?
I ended up solving my problem by just removing the Users group from
the folder I wanted protected, but this required that I change to
folder to not inherit any security properties from higher in the drive
tree, and set each of the permissions on the folder manually. I'd
rather have it set where it inherits the security from above and the
only "extra" permission I have is one to explicitly deny the group
Users.
Thanks for your assistance.
Scott