removing user from domain users group doesn't help

Subject Author Date
removing user from domain users group doesn't help OM 06-23-2006
Posted by OM on June 27, 2006, 12:47 pm
Roger Abell [MVP] wrote:
>> Roger Abell [MVP] wrote:
>>> Did your test account log off and back in after the group membership
>>> changes but before your retesting ?
>>>
>> This is a newly created group. I have also created a new user account in
>> this group for testing purpose.
>>
> Fine. But does that mean that all tests were done with a fresh login
> after all group membership changes had completed and propagated
> to the authenticating domain controller ?
>
>

I checked the effective permissions on the folders and they do show that
the user has read permission to them. It seems that the user still
belongs to the domain user group.

Posted by Steven L Umbach on June 27, 2006, 1:28 pm
I do NOT recommend that you try to remove users from the domain users group
as a strategy to manage access to shares or for any other reason. Instead,
create global groups that contain the users that you want to have access to
each share, then grant those global groups permissions to the shares, and do
not include users/domain users/everyone/authenticated users in the access
control list for share permissions. -- Steve


> Hi,
>
> I have few shared folders on my w2k3 file server and most of them allow
> read access for the domain users group.
>
> I am trying to create a shared folder that only allows one group of users
> to access. This group of users should has no access to other shared
> folders. I created a new group and put all these users onto the group and
> removed the domain users group from the "member of" property of these
> users. So all these users are only member of the newly created group.
> However, they are still able to access the file on the shares that have
> read access for domain users.
>
> Can someone advice how I can change the ntfs/share permission so that I
> achieve my goal accordingly?
>
> Thanks
>
> OM



Posted by OM on June 27, 2006, 2:35 pm
Steven L Umbach wrote:
> I do NOT recommend that you try to remove users from the domain users group
> as a strategy to manage access to shares or any other reason. Instead create
> global groups that contains the users that you want to have access to each
> share and then grant those global groups permissions to the shares and do
> not include users/domain users/everyone/authenticated users in the access
> control list for share permissions. -- Steve
>
>
>> Hi,
>>
>> I have few shared folders on my w2k3 file server and most of them allow
>> read access for the domain users group.
>>
>> I am trying to create a shared folder that only allows one group of users
>> to access. This group of users should has no access to other shared
>> folders. I created a new group and put all these users onto the group and
>> removed the domain users group from the "member of" property of these
>> users. So all these users are only member of the newly created group.
>> However, they are still able to access the file on the shares that have
>> read access for domain users.
>>
>> Can someone advice how I can change the ntfs/share permission so that I
>> achieve my goal accordingly?
>>
>> Thanks
>>
>> OM
>
>

If the users still belong to the domain user group, they would be able
to access other shares that have access permission assigned to the domain
user group within the domain. I just want them to be able to access one
single folder only. Thanks

Posted by Steven L Umbach on June 27, 2006, 2:55 pm
Then consider either: don't give domain users/users/everyone/authenticated
users permissions to any shares and instead give permissions to the global
groups you want to have access; or give the global group deny permissions to
the shares you don't want them to access; or deny access this computer from
the network user right for computers you don't want them to access shares on
[other than domain controllers], which can easily be managed via Group
Policy. Every time a user is created for the domain, that user is
automatically added to the domain users group. --- Steve



> Steven L Umbach wrote:
>> I do NOT recommend that you try to remove users from the domain users
>> group as a strategy to manage access to shares or any other reason.
>> Instead create global groups that contains the users that you want to
>> have access to each share and then grant those global groups permissions
>> to the shares and do not include users/domain
>> users/everyone/authenticated users in the access control list for share
>> permissions. -- Steve
>>
>>
>>> Hi,
>>>
>>> I have few shared folders on my w2k3 file server and most of them allow
>>> read access for the domain users group.
>>>
>>> I am trying to create a shared folder that only allows one group of
>>> users to access. This group of users should has no access to other
>>> shared folders. I created a new group and put all these users onto the
>>> group and removed the domain users group from the "member of" property
>>> of these users. So all these users are only member of the newly created
>>> group. However, they are still able to access the file on the shares
>>> that have read access for domain users.
>>>
>>> Can someone advice how I can change the ntfs/share permission so that I
>>> achieve my goal accordingly?
>>>
>>> Thanks
>>>
>>> OM
>>
>>
>
> If the users still belong to the domain user group, they would be able to
> access to other shares that have access permission assigned to domain user
> group within the domain. I just want them to be able to access one single
> folder only. Thanks
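
Steve's first option depends on knowing which shares currently grant access to the broad groups he lists. The PowerShell audit below is an added example, not part of the thread; it assumes Windows Server 2012 or later (the SmbShare cmdlets are not available on the w2k3 server discussed here) and an elevated session on the file server, and the helper name `Resolve-Sid` is hypothetical.

```powershell
# Added example: audit script, not from the thread.
# Lists Allow entries for broad principals on every non-special share,
# at both the share layer and the NTFS layer of the share root.

# Broad principals named in the thread, matched by well-known SID so the
# check does not depend on display-name language:
#   Everyone, Authenticated Users, BUILTIN\Users, <domain SID>-513 (Domain Users)
$broadSid = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-[\d-]+-513)$'

function Resolve-Sid([string]$Account) {
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # orphaned or unresolvable account
}

$findings = foreach ($share in Get-SmbShare -Special $false) {
    # Share-level ACL
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (Resolve-Sid $ace.AccountName) -match $broadSid) {
            [pscustomobject]@{ Share = $share.Name; Layer = 'Share'
                Principal = $ace.AccountName; Rights = $ace.AccessRight }
        }
    }
    # NTFS ACL on the share root (inherited and explicit entries)
    if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) { continue }
    $acl = Get-Acl -LiteralPath $share.Path
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -match $broadSid) {
            [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'
                Principal = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights }
        }
    }
}
$findings | Sort-Object Share, Layer | Format-Table -AutoSize
```

Each row is a place where a dedicated global group would have to replace the broad entry before membership in that group alone decides who can reach the share.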



Posted by OM on June 27, 2006, 4:14 pm
Steven L Umbach wrote:
> Then consider either don't give domain users/users/everyone/authenticated
> user permissions to any shares and instead give permissions to the global
> groups you want to have access or give the global group deny permissions to
> the shares you don't want them to access or deny access this computer from
> the network user right for computers you don't want them to access shares
> [other than domain controllers] on which can easily be managed via Group
> Policy. Every time a user is created for the domain that user is
> automatically added to the domain users group. --- Steve
>
>
>
>> Steven L Umbach wrote:
>>> I do NOT recommend that you try to remove users from the domain users
>>> group as a strategy to manage access to shares or any other reason.
>>> Instead create global groups that contains the users that you want to
>>> have access to each share and then grant those global groups permissions
>>> to the shares and do not include users/domain
>>> users/everyone/authenticated users in the access control list for share
>>> permissions. -- Steve
>>>
>>>
>>>> Hi,
>>>>
>>>> I have few shared folders on my w2k3 file server and most of them allow
>>>> read access for the domain users group.
>>>>
>>>> I am trying to create a shared folder that only allows one group of
>>>> users to access. This group of users should has no access to other
>>>> shared folders. I created a new group and put all these users onto the
>>>> group and removed the domain users group from the "member of" property
>>>> of these users. So all these users are only member of the newly created
>>>> group. However, they are still able to access the file on the shares
>>>> that have read access for domain users.
>>>>
>>>> Can someone advice how I can change the ntfs/share permission so that I
>>>> achieve my goal accordingly?
>>>>
>>>> Thanks
>>>>
>>>> OM
>>>
>> If the users still belong to the domain user group, they would be able to
>> access to other shares that have access permission assigned to domain user
>> group within the domain. I just want them to be able to access one single
>> folder only. Thanks
>
>

This newly created group is actually for users who log on from non-domain
machines. All they need is just read access to one particular folder. We
have many shares defined and it is difficult not to give the domain user
group access as we have different permissions defined on various folders
within folders. Also, there will be too much management work if we use
deny permissions on so many shares.

