Re: can we remove a user from "EVERYONE" group

From: SaltPeter (SaltPeter_at_Jupiter.sys)
Date: 02/16/04 

Date: Mon, 16 Feb 2004 02:05:30 -0500

"Kris Shaw" <8bkoay002@sneakemail.com> wrote in message
news:g7gv2093vbbsn7ni407g40dsl9av29o6l2@4ax.com...
> Hi,
>
> I suppose if you really have to deny those users you could:
>
> -Create a new security group and add those six users to it
> -Add an explicit deny to that security group on the folders they
> shouldn't have access to.
>
> I personally don't work like this -instead I start with nothing and
> add groups of users as necessary. Also, avoid the temptation to
> individually add the six users, create a group which is easier to
> maintain in the future.
>
> Kris.

I agree, i only mentioned the deny option to provide an alternative, and a
dangerous alternative at that. Its much easier / safer to manage specifying
who has the permission than who should be denied. As specified in my post,
that is not recommended.

Lets face it, how many times have i found myself before an administrator who
states that he denied local logons at a DC to the domain users group and
then stated that he couldn't logon locally as admin anymore. Duh, admin is a
member of the domain users group.

>
> On Sun, 15 Feb 2004 09:46:07 -0500, "SaltPeter"
> <SaltPeter@Jupiter.sys> said to us:
>
> >"sphilip" <anonymous@discussions.microsoft.com> wrote in message
> >news:10a1d01c3f3c2$d3606220$a401280a@phx.gbl...
> >> i need to create 6 users in our domain but they should not
> >> be in the everyone group, due to access rights. how do i
> >> remove them from the everyone group.
> >
> >You can't do that but neither should you have any need to do so. In fact,
> >you wouldn't want them NOT to be in that group. You would essentially be
> >stating to the security provider that all security requirements that are
> >enforced on everyone do not apply to the 6 users. Can you say the words:
> >hack me, please?
> >
> >If you share a resource and choose to prevent access to the 6 users, only
> >share the resource to whatever groups don't include the 6 users. Of
course,
> >you can deny the 6 users as well. But this is not recommended because
deny
> >overides all, including a deny in the case one of the 6 is the
> >administrator.
> >
>

Relevant Pages

  • Re: New ISA 2004 Rule Not Working
    ... properties for both the deny and allow rules. ... It ignores the deny for the user and hits on the SBS protected network ... Limited Access Users is a User set made up of the AD security group I ...
    (microsoft.public.windows.server.sbs)
  • Re: Prevent Users from accessing the Global Address List
    ... "Paul Landregan" wrote: ... >accessing the Global address list in Outlook and provide them with their own ... >Create a security group containing the users in question. ... >the security tab I added the group of users I wish to deny. ...
    (microsoft.public.exchange.setup)
  • Re: Prevent Users from accessing the Global Address List
    ... >>accessing the Global address list in Outlook and provide them with their ... >>Create a security group containing the users in question. ... >>the security tab I added the group of users I wish to deny. ... > Mark Arnold MCSA MCSE+M MVP, ...
    (microsoft.public.exchange.setup)
  • Re: User Rights Conflict On Folder/SubFolder Access
    ... I have decided to take the advice to create a new security group and put the ... using the Domain Users group settings - fortunately, ... I am attempting to deal with the situation via user rights, ... My problem is with a conflict between the Inhouse AdminTeam Group and the ...
    (microsoft.public.windows.server.sbs)
  • Re: Limit OWA users to one domain?
    ... permission to access a computer from the network, ... Keep in mind that EVERY USER, including Domain Admins ... if you want to deny all users from a certain domain from having this right, ... then you can deny the Domain Users group from that domain. ...
    (microsoft.public.exchange.admin)