• Problem creating custom group

    #506927

    Hi,

    I’m wanting to create a custom local group which has the same permissions as the Users group, but I seem to have hit a snag.

    I went to Computer Management, Local Users and Groups, Groups, and created a group named TestGroup, and then made it a member of the Users group, with the expectation that it would inherit the access of the Users group. I then created a test user named Test, and made it a member of TestGroup. I was thinking it would have the same access as any other account which is a member of Users, but it doesn’t seem to. What am I doing wrong, and/or is there a workaround? I want to be able to use AppLocker to control access to files, by group membership, not by user.

    –Scott.

    • #1577960

      Where are you creating these groups?
      What access does Users have that Test doesn’t?

      cheers, Paul

    • #1577987

      Where are you creating these groups?

      Computer Management. I’ve attached a screenshot.

      45575-TestGroup

      What access does Users have that Test doesn’t?

      I can’t log on with that user. When I add “Users” to the memberships, I can log on, but when I remove “Users” from the memberships and switch back to look, lots of the tiles go blank (“X”).

      –Scott.

      • #1578285

        Computer Management. I’ve attached a screenshot.

        I was intrigued, and as I haven’t played with groups under W10, thought I’d have a go. I am confused by your screenshot: you appear to have text in the description box that (based on my experience) you must have typed in – is that the case? I can see no way to tell Windows that a group inherits another group’s permissions, so am puzzled by your statement to that effect.

        I can’t log on with that user. When I add “Users” to the memberships, I can log on

        I concur, that removing my test user from ‘users’ prevented logging in – I guess because the test user then has almost no permissions, apart from any specific folders you may have (as administrator) granted permission to.

        To achieve what you want, I believe you have to leave your test user as a member of ‘users’ as well as ‘test’, then remove the user-group permissions from folders/files you want to protect, and add the appropriate test-group ones. You do that by rt-clicking on the folders/files you want to protect, and adding or removing groups via the ‘edit’ button:
        45604-snip1 add test: 45605-snip2
        Then to remove ordinary user access, you have to click advanced:
        45606-snip3
        then click on ‘change permissions’: If you then select ‘users’ you can then try to remove them – but will (probably) get this warning:
        45607-snip4-cant-remove-with-inherit-on
        which is self-explanatory! You may at this stage decide to disable inheritance, as I have done here, leaving only ‘test’ with access:
        45608-snip5-remove-inherit-gone-dont
        but be warned: removing all inheritance
        45609-snip7-dont-remove-inherit
        turns off permission for all others, including the account you are using to make the changes, and (for a while) locks you out (as it did me – and I ought to know better). At this stage you have to take ownership and start over, this time converting inherited permissions into explicit ones.
        45610-snip8-inherit-gone
        Then you can remove the ‘users’ group:
        45611-snip9-users-gone

        There is then another gotcha: note that I have also removed ‘authenticated users’, as otherwise anyone who manages to log in can see the folders – but this removes me. When you (I) back out from this, attempting to even just view the folder generates a security prompt – if you are an administrator, you can get in, and the permissions will look something like this:
        45612-snip10-mng-just-looking
        where my ID has been added (this appears to stick). The end result should be that ordinary users can no longer read or change the folder (depending on what permissions you choose to leave intact).

        So it’s a bit of a palaver. Be warned also, that some changes don’t take effect until you OK & back out of the permissions windows.

        HTH, Martin (sorry for the random layout of the screen shots)
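
A scripted form of the steps in the post above, for the zero-touch install asked about in this thread (added example, not part of any post here). It assumes an elevated PowerShell session on Windows 10, that the local account `Test` and the folder already exist, and a hypothetical folder path `C:\Protected`.

```powershell
#Requires -RunAsAdministrator
# Added example. $Group and $User are the names used in the thread;
# $Folder is a hypothetical path. The account and folder must already exist.
$Group = 'TestGroup'; $User = 'Test'; $Folder = 'C:\Protected'
$ErrorActionPreference = 'Stop'

# Well-known SIDs, so the script does not depend on localized group names.
$UsersSid = 'S-1-5-32-545'; $AuthUsersSid = 'S-1-5-11'
$AdminsSid = 'S-1-5-32-544'; $SystemSid = 'S-1-5-18'

function Invoke-Icacls {
    # icacls reports failure through its exit code, not an exception.
    icacls @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $args failed ($LASTEXITCODE)" }
}

# 1. Create the custom group if it is not there yet.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Access to protected folder' | Out-Null
}

# 2. As in the thread: the account stays a direct member of Users (needed
#    to log on) and is also added to the custom group.
$usersName = (Get-LocalGroup -SID $UsersSid).Name
foreach ($g in $usersName, $Group) {
    if (-not (Get-LocalGroupMember -Group $g -Member $User -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $g -Member $User
    }
}

# 3. Convert inherited entries to explicit copies (/inheritance:d). Using
#    /inheritance:r instead would strip them all, the lock-out described above.
Invoke-Icacls $Folder /inheritance:d
# Keep Administrators and SYSTEM in control before anything is removed.
Invoke-Icacls $Folder /grant "*${AdminsSid}:(OI)(CI)F" "*${SystemSid}:(OI)(CI)F"
Invoke-Icacls $Folder /grant "${Group}:(OI)(CI)M"
Invoke-Icacls $Folder /remove:g "*$UsersSid" "*$AuthUsersSid"

# 4. Verify: no allow entry for Users or Authenticated Users may remain.
$rules = (Get-Acl -Path $Folder).GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])
$left = $rules | Where-Object { $_.IdentityReference.Value -in $UsersSid, $AuthUsersSid }
if ($left) { throw "Users/Authenticated Users still have access to $Folder" }
$rules | Format-Table IdentityReference, FileSystemRights, IsInherited
```

The final table should list Administrators, SYSTEM and TestGroup as explicit (non-inherited) entries; any other entries copied from the parent remain and can be reviewed there.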

    • #1577995

      Try removing file access from User and grant it to Test, then add the user to both groups.

      cheers, Paul

    • #1578150

      Hi Paul,

      How do I remove/grant file access?

      You’re implying that permissions are not inherited between groups.

      I’d like to do this in a way that can be automated for a zero-touch Windows install.

      –Scott.

    • #1578255

      Permissions are set on the file / directory. Right click on a file and select Properties > Security.
      I don’t think permissions are inherited with local groups, but I’m only going on your description. The file permission check should confirm this.
      You need to work out a solution before automating it.

      cheers, Paul

    • #1578358

      Thanks for the testing and description Martin. You get my vote for dedication this month. 🙂

      cheers, Paul
