Skip to content

NTFS Permissions

Featured Replies

Hello all,

I'm having trouble understanding NTFS permissions and I wondered whether someone with a better understanding of NTFS permissions (Alex??) could help me out...

I have a Windows 2003 Standard SP2 server which is a member server of a domain. On the server I have created a new local user and removed him from the "users" group. I assumed that this would mean that he would only have access to files where "everyone" or "logged on users" etc had an entry on the ACL.

This appears not to be the case though - he still has access to a folder with the following permissions:

Administrators - Full Control

System - Full Control

Creator Owner- Full Control

Users - Read & Execute

The user in question is not the owner of the folder. In the "Effective Permissions" tab, the user is shown as having read & execute permission unless the "Users" entry on the ACL is removed. This access is confirmed by testing. The user is not a member of "Users" (member of no groups, actually), so

1) why is this happening?

2) is there any way to change Windows' behaviour to what I'd expect?

you could just put the user in as a specific deny for that folder?

IIRC dont users get the "authenticated users" right by default when they logon/are authenticated, and in turn, authenticated users are members of the standard "users" group.

  • Author

Thanks Col, I could do that but ...

1) I want to understand this behaviour - it's not what I expect

2) The idea is to create a limited user with only access to specific folders "deny by default" to use as the anonymous browsing identity for a particular web site where a user will be able to upload their own scripts.

  • Author
IIRC dont users get the "authenticated users" right by default when they logon/are authenticated, and in turn, authenticated users are members of the standard "users" group.

Thanks for that edit, yes that's the answer! Sorry for being thick.:o

Next Q, how to change this behaviour to do what I want? :confused:

As above. i do think its something to do with authenticated users... membership of that group is controlled by the O/S...

As above. i do think its something to do with authenticated users... membership of that group is controlled by the O/S...

damn too slow..

errrm depending how locked down the system is, what about the guest usergroup?

  • Author

I think those posts crossed :)

I wonder what would happen if I took S-1-5-11 (Authenticated users) out of the users group?

  • Author
what about the guest usergroup?

But the user would still be authenticated and therefore still a member of users (just guests now as well).

As above. i do think its something to do with authenticated users... membership of that group is controlled by the O/S...

its difficult to control because of authenticated users.. you cant deny this group because it would deny everyone... you could remove authenticated users from the folder but it may cause problems in the future with access from other users if the ACL is not setup right (from a domain perspective)

  • Author

What I mean is, why not remove "Authenticated Users" from the "Users" group?I don't have very many accounts on that machine so it would be easy enough to add accounts specifically to "users" if they aren't already members. Which special accounts would I have to remember to add too?

What I mean is, why not remove "Authenticated Users" from the "Users" group?I don't have very many accounts on that machine so it would be easy enough to add accounts specifically to "users" if they aren't already members. Which special accounts would I have to remember to add too?

You could do that, but you mention the box is member of a domain... domain users are given access to resources mainly via authenticated users group..

  • Author
You could do that, but you mention the box is member of a domain... domain users are given access to resources mainly via authenticated users group..

Are you sure? Domain users is a seperate member of the "users" group and would remain so.

Are you sure? Domain users is a seperate member of the "users" group and would remain so.

doh.. ive been messing on the wrong box that isnt on domain :rolleyes:

yes, removing authenticated users theoretically should work.. BUT.. i belive that authenticated users can have something to do with services and system processes running in windows.. im just googlin it now...

Hello all,

I'm having trouble understanding NTFS permissions and I wondered whether someone with a better understanding of NTFS permissions (Alex??) could help me out...

I have a Windows 2003 Standard SP2 server which is a member server of a domain. On the server I have created a new local user and removed him from the "users" group. I assumed that this would mean that he would only have access to files where "everyone" or "logged on users" etc had an entry on the ACL.

This appears not to be the case though - he still has access to a folder with the following permissions:

Administrators - Full Control

System - Full Control

Creator Owner- Full Control

Users - Read & Execute

The user in question is not the owner of the folder. In the "Effective Permissions" tab, the user is shown as having read & execute permission unless the "Users" entry on the ACL is removed. This access is confirmed by testing. The user is not a member of "Users" (member of no groups, actually), so

1) why is this happening?

2) is there any way to change Windows' behaviour to what I'd expect?

In the words of Edmund Blackadder "cough ..... inheritance"

Try removing permissions inheritence for the folder in question and when you uncheck inheritence select the option to remove exisiting permissions. Apply the permissions you need manually and then test again with this user.

Sometimes you get the odd feature (spelt bug but shhhhhhhhh or the mac pooftah's will be in here) with permissions inheritence with the creator owner group.

This could be the case with this folder. On the obvious front, he is not a member of any local groups that have in turn been added to Users or local admins as he / she?

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.