Unexpected security restriction for a user in both a user and administrative group.

Newsgroup: microsoft.public.windows.server.security
Posted by ScottS on April 24, 2008, 10:05 pm
Simple question: is there a document that describes how Windows folder
and file security works for a user that is in both a low-security
group and a high-security group?

I've had unexpected results when I've accidentally grouped myself into
both the local "Users" and local "Administrators" groups. The
limitations of the "Users" group are sometimes enforced even though
I'm in the "Administrators" group.

--ScottS

Posted by Roger Abell [MVP] on April 24, 2008, 10:53 pm
> Simple question: is there a document that describes how Windows folder
> and file security works for a user that is in both a low-security
> group and a high-security group?
>
> I've had unexpected results when I've accidentally grouped myself into
> both the local "Users" and local "Administrators" groups. The
> limitations of the "Users" group are sometimes enforced even though
> I'm in the "Administrators" group.
>
> --ScottS

The answer might reside in why you said limitations of Users.
The rules are fairly simple. A principal gets the sum of all
that is granted to it in any way, direct or via groups and their
nesting. However, if there are any denies these reduce what is
granted unless the grant is closer in the inheritance chain
than the deny. Ex. Admins have Full but Users are denied
write and these are set at the same place, then a member of
both has everything except write. If there is a grant at a lower
directory that reestablishes the write for the account then the
earlier inherited deny is nullified.

Roger



Posted by ScottS on April 25, 2008, 1:44 pm
Here's an example of a result I didn't expect: on the security
properties for a folder, inheritance is turned off and "Users" are
granted all permissions except full control (i.e. except "delete
subfolders", "change permissions", and "take ownership"). They are not
explicitly denied any permission. Then by an oversight "Administrators"
are left off of the "permission entries" (i.e. the list of groups with
permissions granted or denied) for the folder. The result is that a
user in both the "Users" and "Administrators" groups is not allowed to
even list the contents of the folder.

When the security properties for the same folder are reversed
("Administrators" are granted full control and "Users" are not listed
in the "permission entries") the same user (a member of both the
"Users" and "Administrators" groups) has full control of the folder.

I would have expected this user to have the permissions of whichever
group was granted permissions to the folder.

I doubt I'll be able to understand all of this through examples. Is
there a document that lays out all of the rules?

--ScottS

Posted by Roger Abell [MVP] on April 25, 2008, 11:53 pm
> Here's an example of a result I didn't expect: on the security
> properties for a folder, inheritance is turned off and "Users" are
> granted all permissions except full control (i.e. except "delete
> subfolders", "change permissions", and "take ownership"). They are not
> explicitly denied any permission. Then by an oversight "Administrators"
> are left off of the "permission entries" (i.e. the list of groups with
> permissions granted or denied) for the folder. The result is that a
> user in both the "Users" and "Administrators" groups is not allowed to
> even list the contents of the folder.
>
> When the security properties for the same folder are reversed
> ("Administrators" are granted full control and "Users" are not listed
> in the "permission entries") the same user (a member of both the
> "Users" and "Administrators" groups) has full control of the folder.
>
> I would have expected this user to have the permissions of whichever
> group was granted permissions to the folder.
>
> I doubt I'll be able to understand all of this through examples. Is
> there a document that lays out all of the rules?
>

I cannot point you to a specific doc (it has been a long time since
I have looked for that in a doc) but I am fairly certain you could
find a statement in the resource kit.
There are no NTFS rules other than what I stated in my first reply.
If there are no denies involved then an account has the sum of all
grants made to it for an item.
From what you have said there must be something else involved
as if the account tested is member of Users and Administrators
and an attempt is made to access a folder on which all is granted
to Users except the three items you mentioned, then they should
be able to list the folder content (this is being done via direct
login, right? It's not via a mapped share - as if a share is involved
then the share level permissions act as an upper bound on what
may be done: in this case if the share permits Administrators
but not Users then what you report would make sense as the
correct behavior).

Roger
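The evaluation rules Roger describes in his two replies (allows are summed across all of a principal's groups, a deny wins over an allow set at the same place, an allow set directly on a subfolder wins over a deny inherited from the parent, and share permissions cap whatever NTFS would grant) can be reproduced with a small model of the Windows DACL walk. The following Python is an added example written for this thread, not code from either poster or from Microsoft; it assumes Windows' canonical ACE ordering (entries set on the object before inherited ones, deny before allow within each group), uses a constructed five-bit subset of the real NTFS rights mask, maps the three share permission levels onto that same subset as a simplification, and uses "scott" as a constructed account name for the subfolder case. It also encodes ScottS's folder (Users granted everything but the three full-control rights, Administrators absent) to show what the DACL alone predicts.

```python
from dataclasses import dataclass

# Constructed subset of the NTFS rights mask as bit flags (the real mask has more bits).
READ         = 0x01  # list folder / read data
WRITE        = 0x02  # create files / write data
DELETE_CHILD = 0x04  # delete subfolders and files
WRITE_DAC    = 0x08  # change permissions
WRITE_OWNER  = 0x10  # take ownership
FULL         = READ | WRITE | DELETE_CHILD | WRITE_DAC | WRITE_OWNER

# Share permission levels mapped onto the same flags (a simplification of Read/Change/Full).
SHARE_READ   = READ
SHARE_CHANGE = READ | WRITE | DELETE_CHILD
SHARE_FULL   = FULL

NAMES = [(READ, "read"), (WRITE, "write"), (DELETE_CHILD, "delete-child"),
         (WRITE_DAC, "change-permissions"), (WRITE_OWNER, "take-ownership")]


@dataclass(frozen=True)
class Ace:
    """One access control entry: trustee, allow or deny, rights mask, and whether
    it was inherited from a parent folder (True) or set on this object (False)."""
    trustee: str
    allow: bool
    rights: int
    inherited: bool = False


def canonical_order(acl):
    """Windows keeps a DACL in canonical order: entries set on the object come
    before inherited ones, and within each of those groups deny comes before
    allow. False sorts before True, so this key reproduces that order."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(acl, memberships):
    """Walk the DACL in canonical order for a principal that matches any trustee
    in `memberships` (its own name plus every group it belongs to). An allow ACE
    adds only bits not already denied by an earlier ACE; a deny ACE removes only
    bits not already granted by an earlier ACE. Earlier entries therefore win,
    which is exactly Roger's rule: a deny set at the same level as an allow is
    ordered first and beats it, while an allow set directly on a subfolder is
    ordered before an inherited deny and beats that."""
    granted = 0
    denied = 0
    for ace in canonical_order(acl):
        if ace.trustee not in memberships:
            continue
        if ace.allow:
            granted |= ace.rights & ~denied
        else:
            denied |= ace.rights & ~granted
    return granted


def has_access(acl, memberships, wanted):
    """True if every bit in `wanted` is in the effective rights."""
    return effective_rights(acl, memberships) & wanted == wanted


def effective_over_share(ntfs_acl, share_acl, memberships):
    """Through a mapped share, the share ACL is an upper bound: the result is the
    intersection of what the share grants and what NTFS grants."""
    return effective_rights(ntfs_acl, memberships) & effective_rights(share_acl, memberships)


def describe(mask):
    """Human-readable names for the bits set in a rights mask."""
    return [name for bit, name in NAMES if mask & bit]


BOTH = {"Administrators", "Users"}

# Roger's first example: both entries set at the same place.
SAME_LEVEL = [
    Ace("Administrators", allow=True, rights=FULL),
    Ace("Users", allow=False, rights=WRITE),
]

# Roger's lower-directory case: the two entries above arrive by inheritance and
# the account "scott" (constructed name) is granted write directly on the subfolder.
SUBFOLDER = [
    Ace("Administrators", allow=True, rights=FULL, inherited=True),
    Ace("Users", allow=False, rights=WRITE, inherited=True),
    Ace("scott", allow=True, rights=WRITE),
]

# ScottS's folder: inheritance off, Users granted everything except the three
# full-control rights, Administrators not listed at all.
USERS_ONLY = [
    Ace("Users", allow=True, rights=FULL & ~(DELETE_CHILD | WRITE_DAC | WRITE_OWNER)),
]

# A share that lists only Users, with Read (constructed to show the cap).
SHARE_USERS_READ = [Ace("Users", allow=True, rights=SHARE_READ)]


def run_scenarios():
    return {
        "same_level": effective_rights(SAME_LEVEL, BOTH),
        "subfolder": effective_rights(SUBFOLDER, BOTH | {"scott"}),
        "users_only": effective_rights(USERS_ONLY, BOTH),
        "users_only_can_list": has_access(USERS_ONLY, BOTH, READ),
        "users_only_via_share": effective_over_share(USERS_ONLY, SHARE_USERS_READ, BOTH),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value if isinstance(value, bool) else describe(value))
```

Run as-is, the model gives the member of both groups everything but write in the same-level case, full control on the subfolder, and read plus write on ScottS's folder, so the DACL by itself would let that user list the folder; that agrees with Roger's conclusion that something outside the folder's own permission entries, such as the share permissions on a mapped path, must be narrowing the result, and the last scenario shows how a Read-only share clips the NTFS grant down to read.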


