Another NTFS permissions question

Discussion in 'General Microsoft Certifications' started by spoovy, Mar 1, 2011.

  1. spoovy

    spoovy Bit Poster

    On my XP SP3 box. As a way of learning file permissions better I've been messing around with them a bit, and I've come to a situation which I don't understand.

    I set permissions for my C drive so that only two groups have any kind of access at all - System and Administrators. These both have Full Control, and I set it so permissions propagated all the way down from C:\.

    Then when I logged on as my regular user, who is in group "Administrators", my desktop was messed up (no panel, no network access, etc.). But surely as a member of the Admin group, which has Full Control, there should be no files anywhere in the system inaccessible, right?

    As a test I added the group "Users" back in at root directory level, gave it read & execute, list contents, and read permissions, logged back in and everything appears to work fine again.

    What am I missing here?

    Thanks in advance
     
    Certifications: MCDST
    WIP: CCNA
  2. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    Don't you need to log off and log back on again when you have assigned group permissions to make them active?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. spoovy

    spoovy Bit Poster

    Yes, I did so. I rebooted.
     
    Certifications: MCDST
    WIP: CCNA
  4. Big Brotha

    Big Brotha Bit Poster

    Did you assign the "DENY" permission to the "Users" group?
    and
    Is the 'regular user' account in the "Users" group?
     
  5. spoovy

    spoovy Bit Poster

    Well no, obviously, as the desktop worked again after I added "Users" group permissions. But that's irrelevant anyway, isn't it? The confusing part is why it didn't work in the first place, before I had to add the "Users" group into the Access Control List.

    As I understand it the "Users" group contains everyone in the Domain User and Local User groups, so yes. Also note that the "regular user" is an Administrator (as in, a member of group "Administrators").

    It's clear that the additional permissions gained by adding "Users" group permissions fixed the problem. The question is why didn't it work before, when the administrative user should have already had full control over every file as a result of what I explained in my original post.
     
    Last edited: Mar 2, 2011
    Certifications: MCDST
    WIP: CCNA
  6. Apexes

    Apexes Gigabyte Poster

    Are you running this in an actual live domain environment?

    Perhaps post some screenshots of the security structure on the C: drive, and a breakdown of users and what groups they're in.
     
    Certifications: 70-243 MCTS: ConfigMgr 2012 | MCSE: Private Cloud
  7. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    This. It may be that you have missed something like the fact that the lowest permission set is the one that main permission so that's why it's not working right.

    Post some shots of the NTFS permissions and the group permissions.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  8. spoovy

    spoovy Bit Poster

    It's not in a domain, not even a workgroup. I tried to keep things as simple as possible to limit variables.

    First pic shows effective permissions for user spoovy, who is a member of group "Administrators", 2nd shows group "Users". Both sets of permissions were cascaded down to all child objects from C:\.

    [​IMG]

    [​IMG]


    See what I mean! How can the second set of permissions have added anything?? User spoovy already had full control of everything.

    I'm guessing that there must be some conditions where child objects do not inherit their parent's permissions even when specifically set to do so.
     
    Last edited: Mar 2, 2011
    Certifications: MCDST
    WIP: CCNA
  9. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    Your admin has full control but the same user's highest permission in the users group is read and execute, therefore he can only read and execute, if I am seeing everything correctly.
     
    Last edited: Mar 2, 2011
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  10. nugget
    Honorary Member

    nugget Junior toady

    I think you'd better read up on permissions GBL. Generally NTFS permissions are cumulative, allowing the greatest access possible from the sets of permissions. This means that if the user group only had read access and the same user was in the admin group with full control then he should have full control as that is the highest permission allowed by combining all the permissions. The exception to this is of course the deny permission, which when you set this explicitly overrides everything.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  11. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    Ooops, yep, sorry, but if he has the other permissions blank then doesn't that set it as deny?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  12. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Nope. Deny is not the same as not marking Allow. You have to explicitly choose Deny if you want to Deny (thereby overriding an Allow).
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    Ahh OK, I get it now. Thanks
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  14. spoovy

    spoovy Bit Poster

    So, anyone know the answer?
     
    Certifications: MCDST
    WIP: CCNA
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    Yep. Click Advanced Permissions and see what's there.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    He did, Mike, it's in the first screen dump and everything is ticked.

    Maybe you'll just have to put this down to Windoze, not behaving logically :scratch
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  17. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    I mean that he should look at the Permissions tab, which he did not show. That'll indicate whether permissions are being inherited or not. If the box isn't checked, it's not passing parent permissions to child objects.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
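
The rules stated in posts 10, 12 and 17 (Allow permissions accumulate across groups, an explicit Deny overrides them, an unticked Allow is not a Deny, and an object with inheritance switched off ignores its parent's ACL), as a small Python model. This is an added example, not part of the thread and not Windows code; the folder names, group sets and bit values are constructed, and ownership and privileges are left out.

```python
# Simplified model of an NTFS DACL check (constructed; not Windows source code).
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE

# Constructed tree. "inherit" mirrors the inherit-from-parent checkbox
# on the Permissions tab of the Advanced Security Settings dialog.
ACLS = {
    "C:\\": {"parent": None, "inherit": False, "aces": [
        ("allow", "SYSTEM", FULL), ("allow", "Administrators", FULL)]},
    "C:\\Data": {"parent": "C:\\", "inherit": True, "aces": []},
    # Hypothetical folder with the inherit box unchecked.
    "C:\\Data\\Locked": {"parent": "C:\\Data", "inherit": False, "aces": [
        ("allow", "Users", READ | EXECUTE)]},
    # Hypothetical folder carrying an explicit Deny.
    "C:\\Data\\NoWrite": {"parent": "C:\\Data", "inherit": True, "aces": [
        ("deny", "Users", WRITE)]},
}

def effective_dacl(path, acls=ACLS):
    """Own ACEs first (Deny before Allow), then each ancestor's,
    stopping at the first object that does not inherit."""
    aces, node = [], path
    while node is not None:
        entry = acls[node]
        aces += sorted(entry["aces"], key=lambda ace: ace[0] != "deny")
        if not entry["inherit"]:
            break
        node = entry["parent"]
    return aces

def access_check(groups, wanted, path, acls=ACLS):
    """True if every bit in `wanted` is granted to a token holding `groups`."""
    remaining = wanted
    for kind, trustee, mask in effective_dacl(path, acls):
        if trustee not in groups:
            continue
        if kind == "deny" and mask & remaining:
            return False              # explicit Deny beats later Allows
        if kind == "allow":
            remaining &= ~mask        # Allows accumulate across groups
            if remaining == 0:
                return True
    return False                      # nothing granted it: refused, but no Deny

ADMIN_USER = {"Administrators", "Users"}   # like the thread's "regular user"
PLAIN_USER = {"Users"}
```
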
  18. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Check post number 8.. scroll over to the right and you will see he did post a screen dump of the advanced security settings and as I said, they are all ticked.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  19. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    You're missing my point... I'm not talking about the Effective Permissions tab... I'm talking about the Permissions tab. He wants to know why some folders inherit and some don't. So he needs to look to see what's checked on the Permissions tab.

    EDIT:
    [​IMG]
     
    Last edited: Mar 3, 2011
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  20. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Gotcha now Mike, sorry it was early and I was half asleep :oops:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
