I am using windows xp pro with sp2 and trying to alter my file
permissions in the "All users" folder so that the limited users on my
computer can't delete the files, just read them. This works, but
suddenly I can't delete them either.

The way it's set up is:

Administrators - Full control
Users - Can read and execute, all others (including delete and delete
subfolders) denied.

This is set on the "All users" folder and copied to all child objects
within that folder.

Though this sets it up correctly for limited users (after allowing
everyone access to "All Users\Application
Data\Microsoft\OFFICE\DATA\opa11.dat" so that MO will work), the
administrator user seems to get the same restrictions as normal users
in that folder, even though I checked and my Admin user area is ONLY a
member of the "Administrators" group and not the "Users" group, yet it
wont let me delete the files. Does Windows xp consider Administrators
to be in the "Users" group even though you've taken them out of it? It
would seem that way but that doesn't seem right to me. Anyone know
about this and how to get around it?

Yes administrators can be members of the users group and certainly will be
members of authenticated users and everyone so you should not give deny
permissions to those groups if you also do not want to affect
administrators. You can use the support tool whoami /groups to see all the
groups your account is a member of in the current logon session and see an
example below of output on my computer. Instead of deny permission just
remove those permissions that you do not want the groups to have. Lack of a
permission is an implicit deny permission. --- Steve


D:\Documents and Settings\Steve>whoami /groups

[Group 1] = "STEVE-XP\None"
[Group 2] = "Everyone"
[Group 3] = "BUILTIN\Administrators"
[Group 4] = "BUILTIN\Users"
[Group 5] = "NT AUTHORITY\INTERACTIVE"
[Group 6] = "NT AUTHORITY\Authenticated Users"
[Group 7] = "LOCAL"

<ian@ianjackson.flyer.co.uk> wrote in message
news:1135611435.369460.291470@g44g2000cwa.googlegr oups.com...
>I am using windows xp pro with sp2 and trying to alter my file
> permissions in the "All users" folder so that the limited users on my
> computer can't delete the files, just read them. This works, but
> suddenly I can't delete them either.
>
> The way it's set up is:
>
> Administrators - Full control
> Users - Can read and execute, all others (including delete and delete
> subfolders) denied.
>
> This is set on the "All users" folder and copied to all child objects
> within that folder.
>
> Though this sets it up correctly for limited users (after allowing
> everyone access to "All Users\Application
> Data\Microsoft\OFFICE\DATA\opa11.dat" so that MO will work), the
> administrator user seems to get the same restrictions as normal users
> in that folder, even though I checked and my Admin user area is ONLY a
> member of the "Administrators" group and not the "Users" group, yet it
> wont let me delete the files. Does Windows xp consider Administrators
> to be in the "Users" group even though you've taken them out of it? It
> would seem that way but that doesn't seem right to me. Anyone know
> about this and how to get around it?
>

Ah I see, thanks for whoami I didn't know about that tool. I think
I've found a way around it, by putting all the limited users into my
own "LUsers" group, and setting the Deny permissions on that rather
than the normal "Users" group. Interesting enough though, all the
pictures for the accounts on the welcome screen have reverted to the
chess image, even though when logged on they show up right.

Steven L Umbach wrote:
> Yes administrators can be members of the users group and certainly will be
> members of authenticated users and everyone so you should not give deny
> permissions to those groups if you also do not want to affect
> administrators. You can use the support tool whoami /groups to see all the
> groups your account is a member of in the current logon session and see an
> example below of output on my computer. Instead of deny permission just
> remove those permissions that you do not want the groups to have. Lack of a
> permission is an implicit deny permission. --- Steve
>
>
> D:\Documents and Settings\Steve>whoami /groups
>
> [Group 1] = "STEVE-XP\None"
> [Group 2] = "Everyone"
> [Group 3] = "BUILTIN\Administrators"
> [Group 4] = "BUILTIN\Users"
> [Group 5] = "NT AUTHORITY\INTERACTIVE"
> [Group 6] = "NT AUTHORITY\Authenticated Users"
> [Group 7] = "LOCAL"
>
> <ian@ianjackson.flyer.co.uk> wrote in message
> news:1135611435.369460.291470@g44g2000cwa.googlegr oups.com...
> >I am using windows xp pro with sp2 and trying to alter my file
> > permissions in the "All users" folder so that the limited users on my
> > computer can't delete the files, just read them. This works, but
> > suddenly I can't delete them either.
> >
> > The way it's set up is:
> >
> > Administrators - Full control
> > Users - Can read and execute, all others (including delete and delete
> > subfolders) denied.
> >
> > This is set on the "All users" folder and copied to all child objects
> > within that folder.
> >
> > Though this sets it up correctly for limited users (after allowing
> > everyone access to "All Users\Application
> > Data\Microsoft\OFFICE\DATA\opa11.dat" so that MO will work), the
> > administrator user seems to get the same restrictions as normal users
> > in that folder, even though I checked and my Admin user area is ONLY a
> > member of the "Administrators" group and not the "Users" group, yet it
> > wont let me delete the files. Does Windows xp consider Administrators
> > to be in the "Users" group even though you've taken them out of it? It
> > would seem that way but that doesn't seem right to me. Anyone know
> > about this and how to get around it?
> >

That will work also though I usually try to avoid using deny permissions if
I can accomplish what I want with allow permissions. I can't comment on why
they all show up as Chess image as I always use classic logon. --- Steve


<ian@ianjackson.flyer.co.uk> wrote in message
news:1135630480.667819.253950@o13g2000cwo.googlegr oups.com...
> Ah I see, thanks for whoami I didn't know about that tool. I think
> I've found a way around it, by putting all the limited users into my
> own "LUsers" group, and setting the Deny permissions on that rather
> than the normal "Users" group. Interesting enough though, all the
> pictures for the accounts on the welcome screen have reverted to the
> chess image, even though when logged on they show up right.
>
> Steven L Umbach wrote:
>> Yes administrators can be members of the users group and certainly will
>> be
>> members of authenticated users and everyone so you should not give deny
>> permissions to those groups if you also do not want to affect
>> administrators. You can use the support tool whoami /groups to see all
>> the
>> groups your account is a member of in the current logon session and see
>> an
>> example below of output on my computer. Instead of deny permission just
>> remove those permissions that you do not want the groups to have. Lack of
>> a
>> permission is an implicit deny permission. --- Steve
>>
>>
>> D:\Documents and Settings\Steve>whoami /groups
>>
>> [Group 1] = "STEVE-XP\None"
>> [Group 2] = "Everyone"
>> [Group 3] = "BUILTIN\Administrators"
>> [Group 4] = "BUILTIN\Users"
>> [Group 5] = "NT AUTHORITY\INTERACTIVE"
>> [Group 6] = "NT AUTHORITY\Authenticated Users"
>> [Group 7] = "LOCAL"
>>
>> <ian@ianjackson.flyer.co.uk> wrote in message
>> news:1135611435.369460.291470@g44g2000cwa.googlegr oups.com...
>> >I am using windows xp pro with sp2 and trying to alter my file
>> > permissions in the "All users" folder so that the limited users on my
>> > computer can't delete the files, just read them. This works, but
>> > suddenly I can't delete them either.
>> >
>> > The way it's set up is:
>> >
>> > Administrators - Full control
>> > Users - Can read and execute, all others (including delete and delete
>> > subfolders) denied.
>> >
>> > This is set on the "All users" folder and copied to all child objects
>> > within that folder.
>> >
>> > Though this sets it up correctly for limited users (after allowing
>> > everyone access to "All Users\Application
>> > Data\Microsoft\OFFICE\DATA\opa11.dat" so that MO will work), the
>> > administrator user seems to get the same restrictions as normal users
>> > in that folder, even though I checked and my Admin user area is ONLY a
>> > member of the "Administrators" group and not the "Users" group, yet it
>> > wont let me delete the files. Does Windows xp consider Administrators
>> > to be in the "Users" group even though you've taken them out of it? It
>> > would seem that way but that doesn't seem right to me. Anyone know
>> > about this and how to get around it?
>> >
>