Realation between Guests and Users groups
in [Security]
|
Prev: list of certificates from cmd
Next: Security av 2009
From: Martin Plechsmid on 30 Jul 2010 09:23 Hello, I may have a trivial question. The Guests group should be much more restricted then the Users group, according to documentation. However, I tested this on my computer (WinXP SP3) with a user that is in the Guests group but not simultaneously in the Users group. The user seems to have the same privileges as if he were in the Users group. (I.e. I can see and modify files, execute any programs including internet browser etc.) In particular, on my hard disks I never have privileges specified explicitely for the Guests group. But the user obtains the rights that are specified for the Users group. As if the Guests group was a member of the Users group (but it is not). So, what is the relation between the Guests and Users groups? My system is WinXP Pro SP3 with default security settings (i.e. I have not modified the privileges on disk folders nor the hierarchy in user groups). Thank you, Martin.
From: John John - MVP on 30 Jul 2010 09:59 Martin Plechsmid wrote: > Hello, > > I may have a trivial question. > > The Guests group should be much more restricted then the Users group, > according to documentation. However, I tested this on my computer (WinXP > SP3) with a user that is in the Guests group but not simultaneously in the > Users group. The user seems to have the same privileges as if he were in the > Users group. (I.e. I can see and modify files, execute any programs > including internet browser etc.) > > In particular, on my hard disks I never have privileges specified > explicitely for the Guests group. But the user obtains the rights that are > specified for the Users group. As if the Guests group was a member of the > Users group (but it is not). > > So, what is the relation between the Guests and Users groups? > > My system is WinXP Pro SP3 with default security settings (i.e. I have not > modified the privileges on disk folders nor the hierarchy in user groups). When looking at your permissions keep in mind that "Everyone" includes "Guests". John
From: John Wunderlich on 30 Jul 2010 15:36 "Martin Plechsmid" <Send(a)No.Mail> wrote in news:#FAgjp#LLHA.1856(a)TK2MSFTNGP02.phx.gbl: > The Guests group should be much more restricted then the Users > group, according to documentation. What documentation says this? You aren't confusing the "Guests" group with the "Guest" user, are you? > In particular, on my hard disks I never have privileges specified > explicitely for the Guests group. But the user obtains the rights > that are specified for the Users group. As if the Guests group was > a member of the Users group (but it is not). > > So, what is the relation between the Guests and Users groups? In the computer management console (Start -> Run -> "compmgmt.msc") Under System Tools -> Local Users and Groups -> Groups The description of the "Guests" group reads: "Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted." HTH, John
From: Martin Plechsmid on 2 Aug 2010 04:22 No, I don't confuse Guest and Guests. And I'm aware that Everyone includes Guests. Look, for instance, at "C:\Windows" and choose Properties - Security - Advanced. There you'll see permissions for Administrators, System, Owner, Users and PowerUsers, all non-inherited. No privilege for Guests (nor Everyone), though users in Guests group see the folder and file content without any problem. That's what I'm talking about. So, where the privileges for Guests come from? Thank you, Martin. "John Wunderlich" <jwunderlich(a)lycos.com> p�e v diskusn�m p��sp�vku news:Xns9DC5803AF3101wunderpsdrscray(a)138.125.254.103... > "Martin Plechsmid" <Send(a)No.Mail> wrote in > news:#FAgjp#LLHA.1856(a)TK2MSFTNGP02.phx.gbl: > >> The Guests group should be much more restricted then the Users >> group, according to documentation. > > What documentation says this? > You aren't confusing the "Guests" group with the "Guest" user, are you? > >> In particular, on my hard disks I never have privileges specified >> explicitely for the Guests group. But the user obtains the rights >> that are specified for the Users group. As if the Guests group was >> a member of the Users group (but it is not). >> >> So, what is the relation between the Guests and Users groups? > > In the computer management console (Start -> Run -> "compmgmt.msc") > Under System Tools -> Local Users and Groups -> Groups > > The description of the "Guests" group reads: > "Guests have the same access as members of the Users group by default, > except for the Guest account which is further restricted." > > HTH, > John > > >
From: John Wunderlich on 3 Aug 2010 15:03
"Martin Plechsmid" <Send(a)No.Mail> wrote in news:OFqYOvhMLHA.2232(a)TK2MSFTNGP02.phx.gbl: > Look, for instance, at "C:\Windows" and choose Properties - > Security - Advanced. There you'll see permissions for > Administrators, System, Owner, Users and PowerUsers, all > non-inherited. No privilege for Guests (nor Everyone), though > users in Guests group see the folder and file content without any > problem. That's what I'm talking about. So, where the privileges > for Guests come from? > Martin, That makes your question much clearer. The best answer I have found comes from the article: "Managing Authorization and Access Control" <http://technet.microsoft.com/en-us/library/bb457115.aspx> It seems to indicate that with a couple of exceptions the "Groups" and "Users" groups are essentially one-in-the-same: <quote> Guests By default, members of the Guests group are denied access to the application and system event logs. Otherwise, members of the Guests group have the same access rights as members of the Users group. This allows occasional or one-time users to log on to a workstation�s built- in Guest account and be granted limited abilities. Members of the Guests group can also shut down the system. Note: The Guest account, which is a member of the Guests group by default, is not an authenticated user. When logged on interactively, the Guest account is a member of both the Guests group and the Users group. However, when logged on over the network, the Guest account is not a member of the Users group. </quote> Hope this helps, John |