  1. #1
    Lounger
    Join Date
    May 2014
    Posts
    45
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Problem creating custom group

    Hi,

    I'm wanting to create a custom local group which has the same permissions as the Users group, but I seem to have hit a snag.

    I went to Computer Management, Local Users and Groups, Groups, and created a group named TestGroup, and then made it a member of the Users group, with the expectation that it would inherit the access of the Users group. I then created a test user named Test, and made it a member of TestGroup. I was thinking it would have the same access as any other account which is a member of Users, but it doesn't seem to. What am I doing wrong, and/or is there a workaround? I want to be able to use AppLocker to control access to files, by group membership, not by user.

    --Scott.

  2. #2
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,191
    Thanks
    48
    Thanked 986 Times in 916 Posts
    Where are you creating these groups?
    What access does Users have that Test doesn't?

    cheers, Paul

  3. #3
    Lounger
    Quote: Where are you creating these groups?
    Computer Management. I've attached a screenshot.

    TestGroup.png


    Quote: What access does Users have that Test doesn't?
    I can't log on with that user. When I add "Users" to the memberships, I can log on, but when I remove "Users" from the memberships and switch back to look, lots of the tiles go blank ("X").

    --Scott.

  4. #4
    WS Lounge VIP
    Try removing file access from User and grant it to Test, then add the user to both groups.

    cheers, Paul

  5. #5
    Lounger
    Hi Paul,

    How do I remove/grant file access?

    You're implying that permissions are not inherited between groups.

    I'd like to do this in a way that can be automated for a zero-touch Windows install.

    --Scott.

  6. #6
    WS Lounge VIP
    Permissions are set on the file / directory. Right click on a file and select Properties > Security.
    I don't think permissions are inherited with local groups, but I'm only going on your description. The file permission check should confirm this.
    You need to work out a solution before automating it.

    cheers, Paul

  7. #7
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Surrey, UK
    Posts
    163
    Thanks
    7
    Thanked 40 Times in 35 Posts
    Quote, originally posted by Scott McNay:
    Computer Management. I've attached a screenshot.
    I was intrigued, and as I haven't played with groups under W10, thought I'd have a go. I am confused by your screenshot: you appear to have text in the description box that (based on my experience) you must have typed in - is that the case? I can see no way to tell Windows that a group inherits another group's permissions, so am puzzled by your statement to that effect.

    Quote, originally posted by Scott McNay:
    I can't log on with that user. When I add "Users" to the memberships, I can log on <snip>
    I concur that removing my test user from 'users' prevented logging in - I guess because the test user then has almost no permissions, apart from any specific folders you may have (as administrator) granted permission to.

    To achieve what you want, I believe you have to leave your test user as a member of 'users' as well as 'test', then remove the user-group permissions from folders/files you want to protect, and add the appropriate test-group ones. You do that by right-clicking on the folders/files you want to protect, and adding or removing groups via the 'edit' button:
    snip1.PNG add test: snip2.PNG
    Then to remove ordinary user access, you have to click advanced:
    snip3.PNG
    then click on 'change permissions'. If you then select 'users' you can then try to remove them - but will (probably) get this warning:
    snip4 cant remove with inherit on.PNG
    which is self-explanatory! You may at this stage decide to disable inheritance, as I have done here, leaving only 'test' with access:
    snip5 remove inherit (gone - dont).PNG
    but be warned: removing all inheritance
    snip7 dont remove inherit.PNG
    turns off permission for all others, including the account you are using to make the changes, and (for a while) locks you out (as it did me - and I ought to know better). At this stage you have to take ownership and start over, this time converting inherited permissions into explicit ones.
    snip8 inherit gone.PNG
    Then you can remove the 'users' group:
    snip9 users gone.PNG

    There is then another gotcha: note that I have also removed 'authenticated users', as otherwise anyone who manages to log in can see the folders - but this removes me. When you (I) back out from this, attempting to even just view the folder generates a security prompt - if you are an administrator, you can get in, and the permissions will look something like this:
    snip10 mng just looking.PNG
    where my ID has been added (this appears to stick). The end result should be that ordinary users can no longer read or change the folder (depending on what permissions you choose to leave intact).

    So it's a bit of a palaver. Be warned also that some changes don't take effect until you OK & back out of the permissions windows.

    HTH, Martin (sorry for the random layout of the screen shots)

  8. The Following User Says Thank You to mngerhold For This Useful Post:

    Paul T (2016-09-20)
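
A scripted version of the approach described in post #7, as an added example that is not part of any post in the thread: the account stays in Users and also joins TestGroup, and the folder's inherited permissions are converted to explicit ones before Users and Authenticated Users are removed. `C:\Protected`, the read/execute grant and the `Invoke-Icacls` helper are assumptions; well-known SIDs stand in for the built-in group names.

```powershell
#Requires -RunAsAdministrator
# Added example. TestGroup and Test are the names from the thread;
# C:\Protected is a hypothetical folder to restrict.
$GroupName = 'TestGroup'; $UserName = 'Test'; $Folder = 'C:\Protected'

# Well-known SIDs, so nothing depends on localized built-in group names.
$Admins = 'S-1-5-32-544'; $System    = 'S-1-5-18'
$Users  = 'S-1-5-32-545'; $AuthUsers = 'S-1-5-11'

function Invoke-Icacls {
    # Run icacls and stop on the first failure instead of continuing half-applied.
    icacls @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $args failed with exit code $LASTEXITCODE" }
}

# 1. Create the group and the account if they do not exist yet.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Folder and AppLocker rule target' | Out-Null
}
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    # Assumption: interactive prompt; an unattended install supplies this itself.
    $Password = Read-Host -AsSecureString "Password for $UserName"
    New-LocalUser -Name $UserName -Password $Password | Out-Null
}

# 2. Direct membership of BOTH groups: Users for logon, TestGroup for the rules.
foreach ($Group in @{ SID = $Users }, @{ Name = $GroupName }) {
    if (-not (Get-LocalGroupMember @Group -Member $UserName -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember @Group -Member $UserName
    }
}

# 3. Folder ACL. Explicit Administrators/SYSTEM entries go in first so the
#    later removals cannot lock the administrator out.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Invoke-Icacls $Folder /grant "*${Admins}:(OI)(CI)F" "*${System}:(OI)(CI)F"
# /inheritance:d copies inherited entries as explicit ones; :r would drop them all.
Invoke-Icacls $Folder /inheritance:d
Invoke-Icacls $Folder /remove:g "*$Users" "*$AuthUsers"
Invoke-Icacls $Folder /grant "${GroupName}:(OI)(CI)RX"

# 4. Verify: no entry for Users or Authenticated Users may remain.
$Rules = (Get-Acl $Folder).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
$Left  = $Rules | Where-Object { $_.IdentityReference.Value -in $Users, $AuthUsers }
if ($Left) { throw "Users or Authenticated Users still have access to $Folder" }
$Rules | Format-Table IdentityReference, FileSystemRights, IsInherited
```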

  9. #8
    WS Lounge VIP
    Thanks for the testing and description Martin. You get my vote for dedication this month.

    cheers, Paul
