

Windows 7: Need help understanding users and permissions to secure new system


16 Feb 2011   #11

Windows 7 Home Premium 64-bit
 
 

>Hi! FluffyBunny, welcome to 7F

Anak, many thanks for your reply! Now that I have some time to work on
this again, I hope to finally get these issues resolved.

>I am not an expert, by any means, but this should help give you full access.

  • Start Windows 7 in safe mode (turn on/re-boot, and tap F8 till the Windows menu comes up).
  • Select safe mode.
  • Once started, open Windows Explorer, right-click the C:\ drive, and select Properties. Then select the Security tab.

>In Group or user names, select each one (at a time) then Edit. You have to have the SYSTEM group listed.

  • Click each box under Allow so that there is a check mark in each box.
  • Go to Advanced, then the Owner tab, and change from Administrators (your user name\Administrators) (whatever it's called) to your login name by using Edit.
  • Then shut down and re-start in normal mode.

>This should give you full control over your machine, and calm you down to where you can think straight again.

Okay, I did the above steps. But when I first tried to change ownership,
I got error dialogs again. Strangely, after the error dialogs went away, the change
was apparently still applied. I don't know what to make of that, but what I
ended up doing for each group was to change its owner from "Trusted Installer"
to that of my "admin" account.

>This is where I am not sure how this will turn out because I only have one drive.
PANIC TIME AGAIN!

>Now in order to have permission to access the E:\ drive or whatever drive you would like to access; you would go to the respective Drives properties >Security tab.

>Your users should be listed, then edit each one as you did for the C:\ drive. If they are not, then we will have to create them.

>You can always go back to any of your Drive's properties >Security tab >Edit Group or user names, and remove/un-check any allow boxes to restrict permissions.

I also tried doing some changes on the E: drive, and I was able to change the
owner of E: for each group from "SYSTEM" to my "admin" account. I note
that for both sets of changes, I had logged into the "admin" account,
which is of course an account with administrator permissions. I don't
know whether this was really necessary, but it looks like I have proper
control of my system again, so that is progress.

>Since you have Home Premium this tutorial may only work with method 2 or 3. Drive Access - Restrict or Unrestrict in Vista, and Windows 7- Vista Forums

>There are these two also:
http://www.sevenforums.com/tutorials...-accounts.html
User Accounts - Add or Remove from Groups

>I did not want to throw too much at you, but we may have to get into sharing these Drives.

Yes, my head is spinning almost as fast as my hard drive from all the
reading I've been doing about Windows' permission system. :-) I'm
still unclear about a lot of things, such as the concept of a restricted
drive. And I'm not sure just what permissions I should really set.

Just to be clear on what I'm trying to do, I want to make sure that
the folders on drives C: and E: have their permissions set such that
only the account owner (and those with administrator privileges) can
do anything with those files. I can live with other users being able to
see that files exist, but I don't want them able to see the _contents_ of
the files or be able to modify them.

I'm not clear on what happens if I deny a privilege to the Users or
Authenticated users group. Does that mean that the privilege is
denied to every member of the group EXCEPT the owner of the
account (which is what I would hope)? Or does it even deny
access to my own account? Am I correct in assuming that
members of the Administrator and SYSTEM groups should
always have all permissions (except for the special permissions
that aren't normally checked)? These are issues that the
documentation doesn't make very clear, so I will be grateful
for any insights that you or others can provide.


16 Feb 2011   #12

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Quote: Originally Posted by FluffyBunny
> Anak, many thanks for your reply! Now that I have some time to work on
> this again, I hope to finally get these issues resolved.
>
> Okay, I did the above steps. But when I first tried to change ownership,
> I got error dialogs again. Strangely, after the error dialogs went away, the change
> was apparently still applied. I don't know what to make of that, but what I
> ended up doing for each group was to change its owner from "Trusted Installer"
> to that of my "admin" account.

You're welcome. The change you made is okay.
Can you give me a hint as to what the errors were about? Or recreate them to take a snip with the Snipping Tool, and then post them here?

Quote: Originally Posted by FluffyBunny
> I also tried doing some changes on the E: drive, and I was able to change the
> owner of E: for each group from "SYSTEM" to my "admin" account. I note
> that for both sets of changes, I had logged into the "admin" account,
> which is of course an account with administrator permissions. I don't
> know whether this was really necessary, but it looks like I have proper
> control of my system again, so that is progress.

Good! My apologies, I do not think I made that step clear enough.

Any time you are working with sharing or permissions you need to be in an Administrative account.

Quote: Originally Posted by FluffyBunny
> Yes, my head is spinning almost as fast as my hard drive from all the
> reading I've been doing about Windows' permission system. :-) I'm
> still unclear about a lot of things, such as the concept of a restricted
> drive. And I'm not sure just what permissions I should really set.

It depends on who will be using it, and what they need to have in order to perform the task they need to accomplish.

Quote: Originally Posted by FluffyBunny
> Just to be clear on what I'm trying to do, I want to make sure that
> the folders on drives C: and E: have their permissions set such that
> only the account owner (and those with administrator privileges) can
> do anything with those files. I can live with other users being able to
> see that files exist, but I don't want them able to see the _contents_ of
> the files or be able to modify them.

Then you will need to go back in and modify the permissions you have already set.

Quote: Originally Posted by Anak
> You can always go back to any of your Drive's properties >Security tab >Edit Group or user names, and remove/un-check any allow boxes to restrict permissions.

Quote: Originally Posted by FluffyBunny
> I'm not clear on what happens if I deny a privilege to the Users or Authenticated users group. Does that mean that the privilege is denied to every member of the group EXCEPT the owner of the account (which is what I would hope)? Or does it even deny access to my own account?
>
> Am I correct in assuming that members of the Administrator and SYSTEM groups should always have all permissions (except for the special permissions that aren't normally checked)?
>
> These are issues that the documentation doesn't make very clear, so I will be grateful for any insights that you or others can provide.

Logically I would think that anyone that has been assigned to a particular user or group would be locked out.

To me, the safest way for you would be to have the one account, with full Administrator rights, but then you would also need a strong password on it.

Are you still reading "Windows 7 Inside Out"? I shall have to read up on it just so I can understand the points you are having trouble understanding.

I am not sure, I may have missed it, but is this a family, business or school computer?
It would help to keep things organized if you made a list of:
  • Who uses this/these machines.
  • What do they need to do when they are on.
  • And list what permissions they do have with dates and times of change.
I would have to look it up but you might be able to set up a time limit. Let us say 8pm to 10pm for homework.
16 Feb 2011   #13

Windows 7 Home Premium 64-bit
 
 

Quote: Originally Posted by FluffyBunny
Just to be clear on what I'm trying to do, I want to make sure that
the folders on drives C: and E: have their permissions set such that
only the account owner (and those with administrator privileges) can
do anything with those files. I can live with other users being able to
see that files exist, but I don't want them able to see the _contents_ of
the files or be able to modify them.



>Then you will need to go back in and modify the permissions you have already set.

Okay, I can do that. But I'm still not clear on WHICH permissions I need
to set [see below].

Quote: Originally Posted by FluffyBunny
I'm not clear on what happens if I deny a privilege to the Users or Authenticated users group. Does that mean that the privilege is denied to every member of the group EXCEPT the owner of the account (which is what I would hope)? Or does it even deny access to my own account?

Am I correct in assuming that members of the Administrator and SYSTEM groups should always have all permissions (except for the special permissions that aren't normally checked)?

These are issues that the documentation doesn't make very clear, so I will be grateful for any insights that you or others can provide.

==> My apologies for the poor formatting of my responses below and all
==> the extra garbage tacked on at the end. I'm having some real problems
==> with the cut-and-paste facilities here.
> Logically I would think that anyone that has been assigned to a particular user or group would be locked out.

If this is true, this is the root of my problem. How can I lock out other people without locking out myself?? Locking out everyone including myself would be completely useless, and if that is all Windows will let me do, then you're effectively saying that it is IMPOSSIBLE to have secure file permissions in Windows. I hope I'm just ignorant of the right method to use.

In UNIX, you can set file permissions for three sets of people: You the user, members of groups that you belong to, and others (i.e., everybody else). If I want to stop others from reading my files, I just type 'chmod o-r filename' to remove read permission from others. This is what I'm trying to do in Windows, and there doesn't seem to be any obvious way to do it.

>To me, the safest way for you would be to have the one account, with full Administrator rights, but then you would also need a strong password on it.

Yes, I have created a password-protected "admin" account. This was not the first account I created, since Windows couldn't be bothered to mention that my first account was an administrative one. So I effectively have two accounts with administrative privileges at the moment. I plan to take away administrative privileges from the non-admin account after I've done all my configuration.

>Are you still reading "Windows 7 Inside Out"? I shall have to read up on it just so I can understand the points you are having trouble understanding.

Yes, I bought a copy of that book the other day on Kari's recommendation, and I've read most of chapter 16, "Managing User Accounts, Passwords, and Logons." But these issues don't seem to be fully discussed there, either.

>I am not sure, I may have missed it, but is this a family, business or school computer?
>It would help to keep things organized if you made a list of:
>  • Who uses this/these machines.
>  • What do they need to do when they are on.
>  • And list what permissions they do have with dates and times of change.
>I would have to look it up but you might be able to set up a time limit. Let us say 8pm to 10pm for homework.

I don't need any time limits, but here is my intended use for the system:

I am moving from a desktop Windows XP system to a Windows 7 laptop. The machine is only for me, but since it will connect to public WiFi networks, (and probably corporate networks at some point), it needs to be a lot more secure than my desktop machine was.

My first step of this was to re-partition the drive to put user data on drive E: while leaving the OS and applications on C:. I don't want anyone but the account owner and the administrator to see other users' files.

I will have (at least) three accounts:

1. An admin account

2. My primary account (which currently has administrator privileges, but those privileges will be removed later)

3. A "Friend" account. This is intended to be like the built-in Guest account, except that it will also be password-protected. Users of this account should not be able to do things like installing software.

I would also like to have one shared folder that the Guest account can access, so that other people can easily give me files, and I can give them files. (I want my primary account to be able to grab files out of that folder, or put files into that folder.)

I will do most activity (e.g., e-mail, surfing the Web, downloading software) from my primary account. I'll install software from the admin account (and I'll hope that I have the option to install it for all users, rather than having to install it in each separate account). If I collaborate with others on a software project, I want that shared folder to let us easily swap files. (Though I'll be using a Git repository for all the 'official' files in the project.)

I hope this sounds like a reasonable setup that is similar to the way that many other people have their machines configured. And I hope I can achieve this configuration without having to become a hard-core, fully certified system administrator! :-)

==> END OF RESPONSE
==> Sorry about all the other garbage below.

18 Feb 2011   #14

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

I would like to apologize for taking so long to reply, I became involved with other personal duties.

Also, this will be an extended post in order to try and cover all of your concerns. Please read each section carefully. From here on out all my responses will be in Dark Blue.

Quote: Originally Posted by FluffyBunny
> Quote: Originally Posted by FluffyBunny
> > Just to be clear on what I'm trying to do, I want to make sure that
> > the folders on drives C: and E: have their permissions set such that
> > only the account owner (and those with administrator privileges) can
> > do anything with those files. I can live with other users being able to
> > see that files exist, but I don't want them able to see the _contents_ of
> > the files or be able to modify them.
>
> Quote:
> > Anak: Then you will need to go back in and modify the permissions you have already set.
>
> Okay, I can do that. But I'm still not clear on WHICH permissions I need
> to set [see below].

Okay, let's see if we can make it more clear.

Quote: Originally Posted by FluffyBunny
> Quote: Originally Posted by FluffyBunny
> > I'm not clear on what happens if I deny a privilege to the Users or Authenticated users group. Does that mean that the privilege is denied to every member of the group EXCEPT the owner of the account (which is what I would hope)?

I think? You are confusing terms here. Owner, and Administrator are the same thing.
You. Are the owner Administrator of all accounts, and have full control to all accounts including SYSTEM.

If you deny a privilege to any Users or Authenticated users group (AUG), any one that has access to that account has to abide by the permissions you have set for those accounts.

User(s) or AUG(s) are owners only in the aspect that they have (own) a password.

The confusion starts with lumping these two statements together with your quote above.

Quote: Originally Posted by FluffyBunny
> Or does it even deny access to my own account?

No, it does not deny access to you the owner Administrator.
Even if you enter those accounts (sign-in) while you are still signed-in as an Administrator you should still have full control. But, that is an awful redundant way to do that when you already have full access.


Quote: Originally Posted by FluffyBunny
> Am I correct in assuming that members of the Administrator and SYSTEM groups should always have all permissions (except for the special permissions that aren't normally checked)?

Yes, you are correct, but to clarify.

There is only one member to the Administrator and SYSTEM groups and that would be you or anyone that you give your password to (I hope not!).


Quote: Originally Posted by FluffyBunny
> These are issues that the documentation doesn't make very clear, so I will be grateful for any insights that you or others can provide.
>
> ==> My apologies for the poor formatting of my responses below and all
> ==> the extra garbage tacked on at the end. I'm having some real problems
> ==> with the cut-and-paste facilities here.
>
> Quote:
> > Anak: Logically I would think that anyone that has been assigned to a particular user or group would be locked out.
>
> If this is true, this is the root of my problem. How can I lock out other people without locking out myself??

When you start using your machine at the beginning of the day or session would you not start the session with using your password to enter your account, just as you would in your UNIX example below?

Quote: Originally Posted by FluffyBunny
> Locking out everyone including myself would be completely useless, and if that is all Windows will let me do, then you're effectively saying that it is IMPOSSIBLE to have secure file permissions in Windows. I hope I'm just ignorant of the right method to use.

No, it is not impossible.

Quote: Originally Posted by FluffyBunny
> In UNIX, you can set file permissions for three sets of people: You the user, members of groups that you belong to, and others (i.e., everybody else). If I want to stop others from reading my files, I just type 'chmod o-r filename' to remove read permission from others. This is what I'm trying to do in Windows, and there doesn't seem to be any obvious way to do it.

Not to sound harsh here, but as you have mastered the intricacies of UNIX and its CMD line, so too, you will have to become comfortable with Windows and its GUI.

You will find you can use parts of both to help guide you, but you will have to differentiate between the two when you are working with them.

Quote: Originally Posted by FluffyBunny
> Quote:
> > Anak: To me, the safest way for you would be to have the one account, with full Administrator rights, but then you would also need a strong password on it.
>
> Yes, I have created a password-protected "admin" account. This was not the first account I created, since Windows couldn't be bothered to mention that my first account was an administrative one. So I effectively have two accounts with administrative privileges at the moment. I plan to take away administrative privileges from the non-admin account after I've done all my configuration.

You state you have two Admin accts., but refer to the one as non-admin. Do you mean the one that you would like to make your primary?
Then your plan is sound.

Quote: Originally Posted by FluffyBunny
> Quote:
> > Anak: Are you still reading "Windows 7 Inside Out"? I shall have to read up on it just so I can understand the points you are having trouble understanding.
>
> Yes, I bought a copy of that book the other day on Kari's recommendation, and I've read most of chapter 16, "Managing User Accounts, Passwords, and Logons." But these issues don't seem to be fully discussed there, either.
>
> Quote:
> > Anak: I am not sure, I may have missed it, but is this a family, business or school computer?
> > It would help to keep things organized if you made a list of:
> >   • Who uses this/these machines.
> >   • What do they need to do when they are on.
> >   • And list what permissions they do have with dates and times of change.
> > I would have to look it up but you might be able to set up a time limit. Let us say 8pm to 10pm for homework.

Quote: Originally Posted by FluffyBunny
> I don't need any time limits, but here is my intended use for the system:
>
> I am moving from a desktop Windows XP system to a Windows 7 laptop. The machine is only for me, but since it will connect to public WiFi networks, (and probably corporate networks at some point), it needs to be a lot more secure than my desktop machine was.

Something else you may want to consider.
Paid version: Absolute Software | LoJack for Laptops: Track, Locate, and Recover Stolen Computers
Free version: Adeona: A Free, Open Source System for Helping Track and Recover Lost and Stolen Laptops
Plus different security settings, and software for your WiFi.

My responses will be in dark blue within the confines of your Quote.

Quote: Originally Posted by FluffyBunny
> My first step of this was to re-partition the drive to put user data on drive E: while leaving the OS and applications on C:. I don't want anyone but the account owner and the administrator to see other users' files.

I am not sure if Windows will automatically break down the Admin, and User accounts for each partition. You will have to let me know how that turns out. If it does, it will make it simpler.

> I will have (at least) three accounts:
>
> 1. An admin account

This will (Hopefully) have full control over C:\ and E:\

> 2. My primary account (which currently has administrator privileges, but those privileges will be removed later)

All you will need to do is check Modify; the others, like Read and Write, will check themselves.

> 3. A "Friend" account. This is intended to be like the built-in Guest account, except that it will also be password-protected. Users of this account should not be able to do things like installing software.

Then you only need to check Read, and Write.

> I would also like to have one shared folder that the Guest account can access, so that other people can easily give me files, and I can give them files.

Then your "Guest" will need a password, with Read, and Write permissions. Maybe Read and Execute also. Your "Modified Account" should already be able to do this.

> (I want my primary account to be able to grab files out of that folder, or put files into that folder.)
>
> I will do most activity (e.g., e-mail, surfing the Web, downloading software) from my primary account.

As stated above; "All you will need to do is check Modify; the others, like Read and Write, will check themselves".

> I'll install software from the admin account (and I'll hope that I have the option to install it for all users, rather than having to install it in each separate account).

You should.

> If I collaborate with others on a software project, I want that shared folder to let us easily swap files. (Though I'll be using a Git repository for all the 'official' files in the project.)

Also need a clarification here. There are several schools of thought here, You really should have an Admin account, and then your own personal-primary account

Have you used Git in UNIX? What are the permissions there?

> I hope this sounds like a reasonable setup that is similar to the way that many other people have their machines configured. And I hope I can achieve this configuration without having to become a hard-core, fully certified system administrator! :-)

Well, hopefully not too hard-core

I still feel there is a way to go here to make sure you are comfortable, especially since I was having a hard time understanding your differences between the Owner, Admin, and primary accounts.
But, it is still nothing we can not get straightened out!

> ==> END OF RESPONSE
> ==> Sorry about all the other garbage below.

Cleaned up >

End of Line >
18 Feb 2011   #15

Windows 7 Home Premium 64-bit
 
 

Anak,

Thank you kindly for responding. I have to admit I am still very confused
here. Some of my confusion may be from differences in Windows vs.
UNIX nomenclature. (And I think I finally figured out how to quote the
text I'm replying to here.)

Quote:
> I think? You are confusing terms here. Owner, and Administrator are the same thing.
> You. Are the owner Administrator of all accounts, and have full control to all accounts including SYSTEM.
>
> If you deny a privilege to any Users or Authenticated users group (AUG), any one that has access to that account has to abide by the permissions you have set for those accounts.

Okay, perhaps I was using the term "owner" in the wrong way.
But you just said above that SYSTEM is an account. Is that really true?
(Apparently so, cf. pg. 790 of "Windows 7 Inside Out.") This is one of the
things that is truly driving me nuts about Windows - Microsoft's repeated
habit of hiding key information from the user. First, it was the built-in
Administrator and Guest accounts, and now SYSTEM. Geez.

Quote:
> There is only one member to the Administrator and SYSTEM groups and that would be you or anyone that you give your password to (I hope not!).

Okay, that is useful to know. Though it begs the question of
how can I tell which accounts are members of which groups?

Quote:
> Not to sound harsh here, but as you have mastered the intricacies of UNIX and its CMD line, so too, you will have to become comfortable with Windows and its GUI.

Yes, that is true - which is why I'm reading two books and spending many
hours surfing the Web - yet none of what I've read so far has made it clear
how to accomplish what I want to do. Perhaps I can make my goal clearer
with an example:

Suppose that I create two new standard (non-administrative) accounts on
my system, with usernames Jack and Jill. A new set of folders will be
created on drive E: for Jack the first time I log into Jack's account, and
similarly for Jill. (The folders appear automatically on drive E: because I
made a registry change to ensure that folders for all new accounts are
created on drive E:.)

If I or user "Jack" logs into the Jack account, I expect that user Jack
should be able to access and modify the contents of all his own folders.
BUT Jack should NOT be able to read or modify the contents of Jill's
folders (or the folders belonging to the admin account for that matter.)
Similarly, when Jill logs into her account, she should be free to muck
about with her own files and folders, but she should not be able to see
any of Jack's files. I THINK this is the way that accounts are supposed
to be set up by default when you create a new account on a normal,
unpartitioned drive (i.e., no manual repartitioning). But I'm not sure
that happens automatically with my setup on the E: drive, and for
the existing account folders that I manually moved to the E: drive,
the copied folders were visible to EVERYBODY, which is not what I
wanted. So I'm trying to figure out how to get back to a "normal"
set of permissions for those folders.

I think part of my confusion arises from the fact that the Security
tab for folders shows four groups by default: Authenticated Users,
SYSTEM, Administrators, and Users. It doesn't show ANY of the
accounts that I created. I finally learned how to make my own
account names appear on this page:

Take Ownership and Change Permissions of Files and Folders | Windows 7 Tutorials

Please correct me if I'm wrong, but this is what I THINK I now need
to do to create the desired permissions for, say, user Jack's folders:

1. Log in to Jack's account and add user Jack to the set of users
displayed in the Security tab for Jack's top-level folder. (Or
do I need to log in as the admin user?)

2. Select user Jack, press Edit, and allow Full Control.

3. When I get back to the Security tab, select "Authenticated Users,"
press Edit, and deny all permissions.

4. When I get back to the Security tab, select "Users," press
Edit, and deny all permissions.

5. Leave the SYSTEM and Administrators group set with all their
normal permissions.

6. Repeat steps 1-5 for each account, substituting Jill for Jack, etc.

I HOPE that this will give me what I want.

Quote:
> > If I collaborate with others on a software project, I want that shared folder to let us easily swap files. (Though I'll be using a Git repository for all the 'official' files in the project.)
>
> Also need a clarification here. There are several schools of thought here, You really should have an Admin account, and then your own personal-primary account

Uh, I DO have an Admin account, and a personal-primary account. I expect
to be doing my development work in the personal-primary account, with
occasional forays into the admin account if it is necessary to start things
like Apache or MySQL. (And no, I don't intend to run them as services;
I want to start and stop them manually.)

Quote:
> Have you used Git in UNIX? What are the permissions there?

I have really only used Git under Windows XP, and haven't experienced
any permission problems. I don't think there should be any problems
with creating a Git repository in my personal-primary account.

Quote:
> Something else you may want to consider.
> Paid version: Absolute Software | LoJack for Laptops: Track, Locate, and Recover Stolen Computers
> Free version: Adeona: A Free, Open Source System for Helping Track and Recover Lost and Stolen Laptops
> Plus different security settings, and software for your WiFi.

Thanks for the links; that was something I hadn't considered.
Though unfortunately it doesn't look like Adeona is an active
project any more.
18 Feb 2011   #16

Windows 7 Home Premium 64-bit
 
 

I hope you can help me here, because I'm getting pretty damned
frustrated. I tried out some changes on the admin account (after I
logged in as user admin). I dug through the several levels of dialogs to
find the list of all users, and added admin to the list of Group or user names.
For user name admin, I changed the permissions from

    Allow                    to    Allow
    -----                          -----
    Read & execute                 Full control
    List folder contents
    Read

When I clicked OK, I got the error dialog

An error occurred while applying security information to
E:\Users\admin\AppData
Access denied.

I clicked Continue twice, and the dialogs went away, and the permissions
I wanted were seemingly applied. I then selected the 'Authenticated Users'
group and chose to _Deny_ all access. I did the same for the Users group.
Later, I logged out and logged back in again. Upon login, I got the error dialog

Location not available
E:\Users\admin\Desktop is not accessible.
Access is denied.

I can still use my machine, but something is clearly wrong. Do I perhaps
need to restore access to the Users group? If so, why? And why does
Windows consistently barf with errors every time I try to change file
permissions???

I hope that someone can give a clear explanation of what is going on.
From my perspective, the Windows permission system is VERY flaky and
untrustworthy. It shouldn't take a week of work just to get basic folder
permissions set up. Please, somebody, dispel my ignorance!
18 Feb 2011   #17

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

!!!An answer to your next post is at the bottom of this post.!!!


Quote: Originally Posted by FluffyBunny
Anak,
Thank you kindly for responding. I have to admit I am still very confused
here. Some of my confusion may be from differences in Windows vs.
UNIX nomenclature. (And I think I finally figured out how to quote the
text I'm replying to here.)
Quote:
I think? You are confusing terms here. Owner, and Administrator are the same thing.
You. Are the owner Administrator of all accounts, and have full control to all accounts including SYSTEM.


If you deny a privilege to any Users or Authenticated users group (AUG), any one that has access to that account has to abide by the permissions you have set for those accounts.
Okay, perhaps I was using the term "owner" in the wrong way.
But you just said above that SYSTEM is an account. Is that really true?
(Apparently so, cf. pg. 790 of "Windows 7 Inside Out.") This is one of the
things that is truly driving me nuts about Windows - Microsoft's repeated
habit of hiding key information from the user. First, it was the built-in
Administrator and Guest accounts, and now SYSTEM. Geez.
You're welcome. Yes, in these longer conversations, figuring out where all the quotes start and stop, and then trying to remember what you wanted to say, can become confusing.

Yes. System is an account.
From two sources. This first one is a little old, but still gives a good description:
Quote:
The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.

NOTE: Granting either account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file but it is not recommended.
How the System account is used in Windows

And:
Quote:
There is an account in Microsoft Windows that is more powerful than the Administrator account in Windows Operating Systems. That account is called System account it is similar to the root OR super user in the Linux/Unix world.
https://alieneyes.wordpress.com/2006...nt-in-windows/

Microsoft seems to feel that as their OS becomes more complicated they need to apply safeguards so the casual user won't sabotage the OS. But it does make it harder for the rest of us.

If I would have known before we bought our system, I would have upgraded to at least Win7 Pro; at least there you have a group policy editor. Anything lower and you have to fuss with permissions like we are.
See:
Local Group Policy Editor - Open
Quote: Originally Posted by FluffyBunny
Quote:
There is only one member to the Administrator and SYSTEM groups and that would be you or anyone that you give your password to (I hope not!).
Okay, that is useful to know. Though it begs the question of how can I tell which accounts are members of which groups?
Note: From here on my answers are in Dark Blue.
Do you notice how Windows will add the name you give to the level of the account in (parentheses?), i.e. Users (FluffyBunny\User)
As you add names to the Users account, that list of names should grow, i.e. Users (FluffyBunny\User;Jack\user;Jill\User;Water Pail\user;Humpty Dumpty\user etc.)


For later reference:
Well-known security identifiers in Windows operating systems

Quote: Originally Posted by FluffyBunny
Yes, that is true - which is why I'm reading two books and spending many
hours surfing the Web - yet none of what I've read so far has made it clear
how to accomplish what I want to do. Perhaps I can make my goal clearer
with an example:

!!Please excuse me I deleted your example for brevity.!!

I think part of my confusion arises from the fact that the Security
tab for folders shows four groups by default: Authenticated Users,
SYSTEM, Administrators, and Users. It doesn't show ANY of the
accounts that I created. I finally learned how to make my own
account names appear on this page:
Take Ownership and Change Permissions of Files and Folders | Windows 7 Tutorials


My answers are in Dark Blue.
Quote: Originally Posted by FluffyBunny
Please correct me if I'm wrong, but this is what I THINK I now need to do to create the desired permissions for, say, user Jack's folders:
1. Log in to Jack's account and add user Jack to the set of users
displayed in the Security tab for Jack's top-level folder. (Or
do I need to log in as the admin user?)
This seems like an un-needed step.
All you need to know is that there is a user account that exists.
Log into your admin account, then you can do whatever you want to Jack's or Jill's account.

Jack's or Jill's account should have already been created
as "top level or full control for that folder". Just go to the Security tab in properties of the folder, and continue with step #3.

2. Select user Jack, press Edit, and allow Full Control. Redundant.

3. When I get back to the Security tab, select "Authenticated Users," press Edit, and deny all permissions. Correct.

4. When I get back to the Security tab, select "Users," press
Edit, and deny all permissions. Correct.

5. Leave the SYSTEM and Administrators group set with all their
normal permissions. Correct.

6. Repeat steps 1-5 for each account, substituting Jill for Jack, etc. Correct.

I HOPE that this will give me what I want.
It should.


Quote: Originally Posted by FluffyBunny
Uh, I DO have an Admin account, and a personal-primary account. I expect
to be doing my development work in the personal-primary account, with
occasional forays into the admin account if it is necessary to start things
like Apache or MySQL. (And no, I don't intend to run them as services;
I want to start and stop them manually.)
You are very wise grasshopper!


Quote:
Something else you may want to consider.
Paid version:Absolute Software | LoJack for Laptops: Track, Locate, and Recover Stolen Computers
Free version:
Adeona: A Free, Open Source System for Helping Track and Recover Lost and Stolen Laptops
Plus different security settings, and software for your WiFi.
Thanks for the links; that was something I hadn't considered.
Though unfortunately it doesn't look like Adeona is an active
project any more.







To answer your newer post:

Did you make sure to go to the E drive to set your permissions?
Then Properties
Select Security tab
Select Owner
Select your Admin account
Apply
OK?


I probably won't be able to respond until 2am est or later, I will be out checking if there is any aurora reaction to the CME the Sun expelled Monday evening.
18 Feb 2011   #18

Windows 7 Home Premium 64-bit
 
 

Thanks for responding, and thanks for the extra info on the
SECURITY account; that's about what I expected.

Quote:
To answer your newer post:

Did you make sure to go to the E drive to set your permissions?
Then Properties
Select Security tab
Select Owner
Select your Admin account
Apply
OK?


Yes, I was indeed on the E: drive; I at least managed to get
that much right. :-)

Thank you for the feedback on the steps I suggested to set up
my permissions. But they still don't work properly. I tried logging
in as the admin user and then tried to set the permissions on the
E:\Users\Friend folder for my Friend account. I wasn't allowed to
see the owner of the folder, so I tried taking ownership. Then I
looked at the permissions for the User group. I think they were set
to Allow Read & execute, List folder contents, and Read, which was
not what I tried to set them to earlier. I then clicked on the Edit
button and denied all permissions for Users. After I clicked Apply, I once
again got into an infinite loop of error messages (the same as I originally
reported way above), and couldn't get out of the Security tab. I had to
log back out and log in again to get rid of it. (I was dubious about trying
to kill the window in the Task Manager.) On the other hand, once I
logged back in, the Users group at least LOOKS like it has the correct
(lack of) permissions now. But when I logged in, I still got the error I
reported earlier,

E:\User\admin\Desktop is not accessible.
Access is denied.

(I can still use the account, but maybe that explains why the desktop has
a pure black background instead of the blue desktop I see at the login prompt.)

Quote:
I probably won't be able to respond until 2am est or later, I will be out checking if there is any aurora reaction to the CME the Sun expelled Monday evening.
Cool! I wish I could see some aurorae. Unfortunately, (for this purpose)
I live in California, so we rarely get them at our latitude. Plus, it's been
raining all day. :-( I hope you get to see some spectacular sights!
19 Feb 2011   #19

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Quote: Originally Posted by FluffyBunny
(I can still use the account, but maybe that explains why the desktop has
a pure black background instead of the blue desktop I see at the login prompt.)

Cool! I wish I could see some aurorae. Unfortunately, (for this purpose) I live in California, so we rarely get them at our latitude. Plus, it's been raining all day. :-( I hope you get to see some spectacular sights!
It disturbs me that your desktop has changed.
Can you find a restore point, and go back to before the black desktop started to show?
System Restore


In my haste to go aurora hunting I gave you the short version for checking the ownership of your E:\ drive. Hopefully this more complete version will help.

I do not know if you have been creating restore points during all of this, but it would be prudent to make one before you start here.
There is a "How To" link located in the blue note: box at the top of the tutorial link I posted above.


Okay!
Locate the file, folder or drive on which you want to take ownership in Windows Explorer, like E: in your case.

  • Right click on the file, folder or drive and select “Properties” from the context menu.
  • Click on the Security tab.
  • Click on “Advanced”.
  • Now click on the Owner tab in the Advanced Security Settings window.
  • Click on the Edit button and select the user from the given “Change owner to” list. If the user or group is not in the given list, then click on “Other users or groups”.
  • Enter the name of the user/group and click OK. You can even click on administrator here, if you are logged in as an administrator.
  • Now select the user/group and click Apply and OK. (Check “Replace owner on sub containers and objects” if you have files and folders within the selected folder/drive.)
  • Click OK when the Windows Security prompt is displayed.
  • Now the owner name must have changed.
  • Now click OK to exit from the Properties window.


Once you have taken ownership of the drive, grant
file or folder permissions to everyone, even your user account.

  • Go to E: and then right click on the folder and choose Properties.
  • Then go to the Security tab and click Edit, then click Add > Advanced.
  • If you click on Advanced, now click on Find Now and choose everyone and click OK.
  • Then again click OK and now click on Allow > Full control > or however much control you want Jack and Jill to have.
  • Click OK.

Unfortunately our aurora trip was somewhat of a bust. The K indices were forecast to go from 4 up to 5 with 6 or 7 a sure bet, but by the time we arrived at our seeing location we checked the laptop, and it had already dropped to 2... Oh well! Still got to see some meteors.

All was not lost though; my one friend brought along his 10" reflector and I helped him set up and take some astro-photographs with his CCD equipment.
Hope they come out all right. The seeing was rated as bad because the high winds we were experiencing here cause a rippling effect in the atmosphere.

We have a warning in effect until 9pm locally tonight. They were steady 20 mph, gust to 35, this morning; now they are steady 25, gust 40.
19 Feb 2011   #20

Windows 7 Home Premium 64-bit
 
 

Anak,

Sorry to hear that your aurora adventure didn't turn out
that well. Though I'm glad you at least got to see a few
meteors.

Quote:
It disturbs me that your desktop has changed.
Can you find a restore point, and go back to before the black desktop started to show?
System Restore
Not that easily. I was getting the black desktop much earlier in
the process, and I don't know how far back it goes. It might go
all the way back to re-partitioning my drive and/or creating new
accounts. I did create a new restore point before trying your next
set of steps, for what it's worth.

As far as taking ownership is concerned, I went through your set
of steps, but my admin account is already the owner of drive E:.
So nothing changed there. As for your steps to change permissions...

Quote:
Once you have taken ownership of the drive, grant file or folder permissions to everyone, even your user account.

  • Go to E: and then right click on the folder and choose Properties.
  • Then go to security tab and click Edit then click Add >Advanced.
  • If you click on advanced, now click on Find Now and choose everyone and click OK.
  • Then again click OK and now click on Allow >Full control >or however much control you want Jack and Jill to have.
  • Click OK.
...they didn't work any better than the last several attempts. When
you say to choose "everyone," I presume you mean the _group_
named Everyone. I tried that, and yes I even Allowed Full control,
even though that is the exact opposite of what I'm trying to do.
(To reiterate, I'm trying to DENY all permissions to everybody EXCEPT
administrators and the "owner" (more properly, login name) of the account.)
When I clicked OK to allow Full control, I got the usual error dialog once
again:

An error occurred while applying security information to:
E:\Users\admin
Access is denied.

After clicking Continue a couple of times, I got the dialog

Unable to save permission changes on admin.
Access is denied.

In trying to get out of this infinite loop of error dialogs, I
once again got a warning about the permissions not having
propagated properly, and that if I didn't fix them immediately,
they would be left in an inconsistent state. Of course, that
dialog provides no means whatsoever to fix them. Indeed,
the only way I can get out is by logging off.

I'm pretty sure these types of errors have occurred EVERY
SINGLE TIME I have tried to change permissions. It is very
easily reproducible, and as I've complained before, it really
bugs me that this kind of mess is even POSSIBLE to have
happen. What kind of operating system traps its users in
an infinite loop of error dialogs??

I note also that after logging out and logging back in, the
login process is very slow, presumably because Windows
is failing to load the desktop. Every time I log in, I get the
dialog

E:\Users\admin\Desktop is not accessible.
Access is denied.

This dialog also sometimes reappears when I bring up other
windows.

Something is clearly very wrong, and I'd really like to get some
insight into how to fix it before I start installing all my applications.
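
The goal stated in the thread (a profile folder usable only by its own account, SYSTEM and Administrators) can be reached without any Deny entries. An explicit Deny is evaluated before any Allow, and every logged-on account, including admin, has Authenticated Users in its token, so a Deny on that group also locks out the folder's own user. The script below is an added example and not part of any post in the thread; the folder path and account name are placeholders taken from the thread's "Jack" example, and it assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# $folder and $account are placeholders based on the thread's "Jack" example.
$folder  = 'E:\Users\Jack'
$account = 'Jack'
$parent  = Split-Path -Parent $folder
$backup  = Join-Path $env:TEMP 'acl-backup.txt'

# Well-known SIDs (language independent; icacls accepts them with a leading *).
$system = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$authed = '*S-1-5-11'       # NT AUTHORITY\Authenticated Users
$users  = '*S-1-5-32-545'   # BUILTIN\Users

# 0. Save the current ACLs of the tree first.
#    Roll back with: icacls $parent /restore $backup
icacls $folder /save $backup /T /C

# 1. List explicit Deny entries on the folder before changing anything.
(Get-Acl $folder).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# 2. Remove the Deny ACEs for the two broad groups, on the folder and
#    everything below it (/T), continuing past individual errors (/C).
icacls $folder /remove:d $authed $users /T /C

# 3. Grant Full control explicitly to the account, SYSTEM and Administrators.
#    (OI)(CI) makes the entries inherit to files and subfolders;
#    /grant:r replaces any earlier explicit grant for the same principal.
icacls $folder /grant:r "${account}:(OI)(CI)F" "${system}:(OI)(CI)F" "${admins}:(OI)(CI)F"

# 4. Stop inheriting from E:\ so the broad groups no longer receive
#    access through the drive root. Children still inherit from $folder.
icacls $folder /inheritance:r

# 5. Remove any remaining explicit Allow ACEs for the broad groups.
icacls $folder /remove:g $authed $users /T /C

# 6. Verify: only the account, SYSTEM and Administrators should be listed.
icacls $folder
```

With no Allow entry for Users or Authenticated Users left on the folder, other accounts are refused by default, which is the effect the Deny entries were meant to achieve.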