what a simple user can do?
| papuga 2002-12-02, 11:58 am |
| Is it true that simple users (i.e. non power users) can add local groups to W2K pro workstations? I found this information in many places.
I tried to launch "Computer Management -> Local Users and Groups" and add a local group but there was always an error "Access denied".
Papu Ga | |
|
| Whatever references are stating that a simple user can create local groups on a local workstation are incorrect.
A simple user cannot create a local group on a workstation.
The user must be a member of the Administrators group or Account Operators group on the Local computer to create a Local group on that Local computer.
You need to pop that simple user account into either of those two groups prior to attempting to create a local group on that workstation. | |
| papuga 2002-12-03, 2:02 am |
| Well, the source of that information is Microsoft (and several other sites):
"www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/windows_security_default_settings.asp"
It is written there:
"Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 or Windows XP Professional programs that have been installed or deployed by administrators"
I would also add that Power Users can create local groups on local computers (I've checked this on my workstation), so you do not have to be Administrator or account operator (Account Operators group exists only on domain controllers, I remember, maybe not?)
Papu Ga | |
|
| You ask a question about Windows 2000 and then reference a Microsoft XP article. If that article was correct, you would not have gotten access is denied when attempting to create a local group logged in as a plain user. I referenced the official Microsoft Official Curriculum 2152 course materials.
You're right about Account Operators. I don't know why I was thinking server/domain environment. Oh well, at least I was right about a plain user, which for the kind of day I was having yesterday, isn't half bad.
You are also correct about the Power Users group having the ability to create a local group on a workstation. | |
| Tech Ranger 2002-12-03, 7:47 am |
| A local user with the default rights cannot create user or group objects. A Power User can. As your quote states, he can only manage those objects he creates. He would be the owner of those objects. | |
| papuga 2002-12-03, 8:46 am |
| OK, I found that revelation about users creating local groups in W2K Server help (probably it is in W2K workstation help too). If you want to check it:
1. launch W2K help
2. search -> "trojan horse"
3. choose "Default Security Settings"
4. check Users
(probably there is a better way to find it?)
Again, they say:
"Users can create local groups, but can manage only the local groups that they created"
They say "create local groups" and not only "manage them".
And I am using MCSE W2KPro Readiness Review book, question 70-210.06.03.2, explanation, says the same. And I saw this information on LabMice and some other Internet sites. Funny.
Papu Ga | |
|
| That's weird.
I tested this out on my plain jane Windows 2000 Professional workstation, the same way you did last evening and found that a normal test user, who is only in the Users group, cannot create a local group. It goes through the motions of allowing you to name the group and adding users, but when you click on OK or Apply to actually create the group, you get an access denied message.
I then logged on as the local admin, popped the test user into the Power Users group, and then logged back in as the test user and successfully created a local group.
Strange that these articles state that plain Users can create local groups, when you and I both have not been able to do this. I honestly would not think that this is a default right that a plain User should have. | |
| Tech Ranger 2002-12-03, 10:49 pm |
| What the heck is this trojan horse crap you are posting? Are you trying to be a wise guy?? | |
| papuga 2002-12-04, 1:42 am |
| Yes, it is logical that plain users do not have the right to add groups. What for? My only concern was that maybe there is some OTHER way users can do it, some trick or I don't know what, or at least what they had in mind when they wrote it in W2K help. But maybe this is just a mistake.
Tech Ranger: look at the moon, not the finger.
Papu Ga | |
| adam salam 2002-12-04, 6:43 am |
| quote: Originally posted by papuga
OK, I found that revelation about users creating local groups in W2K Server help (probably it is in W2K workstation help too). If you want to check it:
1. launch W2K help
2. search -> "trojan horse"
3. choose "Default Security Settings"
4. check Users
(probably there is a better way to find it?)
Again, they say:
"Users can create local groups, but can manage only the local groups that they created"
They say "create local groups" and not only "manage them".
And I am using MCSE W2KPro Readiness Review book, question 70-210.06.03.2, explanation, says the same. And I saw this information on LabMice and some other Internet sites. Funny.
Papu Ga
you mean that:
Users
The Users group provides the most secure environment in which to run programs. On a volume formatted with NTFS, the default security settings on a newly installed system (but not on an upgraded system) are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system-wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows 2000 programs that have been installed or deployed by administrators. Users have full control over all of their own data files (%userprofile%) and their own portion of the registry (HKEY_CURRENT_USER).
Users cannot install programs that can be run by other Users (this prevents Trojan horse programs). They also cannot access other Users' private data or desktop settings.
To secure a Windows 2000 system, an administrator should:
Make sure that end users are members of the Users group only.
Deploy programs, such as certified Windows 2000 programs, that members of the Users group can run successfully.
Users will not be able to run most programs written for previous versions of Windows because previous versions of Windows either did not support file system and registry security (Windows 95 and Windows 98) or shipped with lax default security settings (Windows NT). If Users have problems running legacy applications on newly installed NTFS systems, then do one of the following:
Install new versions of the applications that are certified for Windows 2000.
Move end users from the Users group into the Power Users group.
Decrease the default security permissions for the Users group. This can be accomplished by using the compatible security template.
-------------
from win2k help. | |
| papuga 2002-12-04, 8:06 am |
| Yes, this is it. And on many internet sites they say the same, so it is very strange.
I found also such information about Windows NT servers (a little off topic but...)
JSI FAQ 0551:
"Ordinary users can create local groups on your PDC. This functionality allows them to assign permissions to more easily manage access to their shared resources. The Sales Manager could create a local Sales group and place users and global groups in it. They can then assign permissions to the local Sales group. To do this, they would:
net localgroup groupname ["UserName1" "UserName2" "GlobalGroup1" ...] /add /comment:"text" /domain
"
It doesn't work on W2K this way, but if it was really working on WinNT, then maybe there is some Group Policy that allows users to create local groups, but I don't know where.
Papu Ga | |
| Tech Ranger 2002-12-04, 9:25 pm |
| Papuga, I hope you will accept my apology for the Trojan horse remark. I really thought you were fooling around. You are right about Users. This does work in Win2K. I looked it up in Help. A User can indeed create local groups and can manage those groups. We live and learn. | |
| papuga 2002-12-05, 2:27 am |
| Tech Ranger, it's OK, I appreciate your help very much. "Trojan horse" phrase is easy to search for, that's why I used it.
So we have two facts: first, Users can add local groups according to W2K Help and some other documentation, second, Users cannot add local groups in practice on W2K. I wonder, in case of such a question on the 70-210 exam, what would be the right answer.
Papu Ga | |
| Tech Ranger 2002-12-05, 7:18 am |
| The fact is that in Windows 2000 Users can create local groups. | |
| papuga 2002-12-05, 8:27 am |
| How?
When I am logged on as a simple user and I try to create a local group on W2KPro and save it I get the "Access denied" message. Is there something wrong I am doing?
Papu Ga | |
| adam salam 2002-12-05, 8:34 am |
| quote: Originally posted by papuga
How?
When I am logged on as a simple user and I try to create a local group on W2KPro and save it I get the "Access denied" message. Is there something wrong I am doing?
Papu Ga
the same for me, MS mistake? or what? |
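
The test the posters ran through Computer Management can be repeated from a command prompt while logged on as the account in question. This batch script is an added example, not part of any post: it reports whether the account is listed by name in the local groups discussed in the thread, attempts to create a local group with `net localgroup ... /add`, reports the outcome, and cleans up. The group name GRPTEST_TMP is a constructed placeholder, and the membership check assumes a local account listed by its bare name.

```bat
@echo off
rem Added example: check what the logged-on account can actually do.
rem GRPTEST_TMP is a constructed, throwaway group name (assumption).
setlocal
set TESTGROUP=GRPTEST_TMP

echo Account under test: %USERDOMAIN%\%USERNAME%

rem Report membership in the local groups the thread discusses.
for %%G in ("Administrators" "Power Users" "Users") do call :member %%G

rem Attempt the operation in question: create a local group.
net localgroup %TESTGROUP% /add /comment:"temporary test group" >nul 2>&1
if errorlevel 1 (
    echo RESULT: creating a local group FAILED for this account.
    goto :eof
)
echo RESULT: creating a local group SUCCEEDED for this account.

rem Clean up so the test leaves no group behind.
net localgroup %TESTGROUP% /delete >nul 2>&1
if errorlevel 1 echo WARNING: could not delete %TESTGROUP%; remove it as an administrator.
goto :eof

:member
rem List the group's members and look for a line that is exactly this
rem account name (trailing spaces tolerated). Membership gained through
rem another group or a built-in identity is not detected here.
net localgroup %1 2>nul | findstr /i /r /c:"^%USERNAME% *$" >nul
if errorlevel 1 (
    echo   not listed by name in %~1
) else (
    echo   listed by name in %~1
)
goto :eof
```

Running it once as a member of Users only and once after an administrator adds the account to Power Users repeats the comparison described in the thread.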