This is the mail archive of the cygwin@sourceware.cygnus.com mailing list for the Cygwin project.



RE: Stupid NT security question (related to Sergey's code)


Apologies to all for being off-topic to CYGWIN, but NT user management
seems to be an area of interest here. (-harold) 


Mike,

You are correct about the user rights pulldown, but NT4 is more
confusing even than that. Firstly, there is a giant distinction between
user rights in workstation and user rights in server. And there are
local and domain users as well as local and domain administrators.
You must be (local at least) administrator for the following to apply...

If you are using usrmgr (or musrmgr if you have NT workstation acting as a
"server"), and you are delegating rights by group, then you're doing the
right thing as a start, I think we'd all agree, system-administration-wise.
I think you are referring to workstation's musrmgr...

Whether or not you administer just users one by one or groups, you
should know that you can assign user/group rights in user manager
(granularly), and also assign rights in explorer at the file/directory
level (just as granular) for either users or groups, and also in windisk
(disk administrator) very granularly for users and groups, both on
workstation and server. 

This is a great source of confusion, since file/directory/shares rights
can be given from either user manager, disk administrator, and/or
explorer, and it's not clear (to me, anyway, after having worked w/nt4
for 2 yrs) which necessarily supersedes the other. The only surety is
that granularly setting disk access using disk admin will supersede all
other rights, which makes sense, if done by admin, but after that, it
can get hairy. 

Example. Create a new share (in explorer) for a hard disk partition called
drive D:  Call the share foo. Everyone has full control by default. 
While in explorer, make sure everyone retains full control to foo. In
user manager permissions, exclude everyone from every right in foo, but
give a group called FLOWERS read execute and change in foo. 

Log in as a FLOWERS member and also as a user not in the FLOWERS
group. See what happens.

And then there's the "take ownership" button which is undimmed when you
are administrator.

I think the point is you wouldn't notice this stuff as a cygwin user,
because we assume that we're always root (administrator on NT). Things
change when you're not root or switch back and forth, and also depend on
whether you're in a standalone (workgroup) or domain environment in NT. 

PS - thanks to all for the very informative registry and .bashrc stuff
on the list this past month.

-Harold


> 
> It's easier than you think, but not at all obvious what to do.  Start up
> "User Manager", and select "Policies/User Rights" from the menubar.  There
> you get to assign specific rights to groups of users (eg, "Administrators",
> "Power Users", "Everyone", etc).  There is a little radio box at the bottom
> of the form which you should select in order to show all assignable rights.
> Then you can go through and pick out the right ones, and assign them to
> who-ever is running the software.

