Users in More Than One Local Group

  • Question

  • Hello,

    We have servers (Windows Server 2003) in which a single user is in more than one local group.  For example, there will be a user in both the Administrators and Power Users groups.  I don't know why this was set up like this, but I'm wondering what are the pros and cons of this situation (if any).

    What permissions are granted to the user--Administrators or Power Users?  That is, does Windows give the user the most or least restrictive permissions?

    Any other issues that we should be aware of given this scenario?

    Thanks.
     
    Monday, August 11, 2008 2:27 PM

Answers

  • The user's effective rights will be equal to whatever is granted by each group.  In your example the Administrators group grants many more rights than the Power Users group, so that assignment is a bit redundant.  But if any non-default permission or access to resources were assigned to that Power Users group that were not assigned to the Administrator group, then they are not redundant.  The only way to know for sure would be to perform a full security audit of your servers and resources.  There is no harm in leaving the group assignment on existing users.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging
    • Proposed as answer by Chang Yin Wednesday, August 13, 2008 7:08 AM
    • Marked as answer by Chang Yin Monday, August 18, 2008 11:34 AM
    Monday, August 11, 2008 9:52 PM
  • To add to Jeff's reply, the only exception is explicit denies.
    If one group is assigned an allow permission, and another group is assigned a deny permission, the deny will take precedence.
    In your case, you are talking about built-in groups, so there are no explicit denies that come to me now.
    Brian
    • Proposed as answer by Chang Yin Wednesday, August 13, 2008 7:08 AM
    • Marked as answer by Chang Yin Monday, August 18, 2008 11:34 AM
    Wednesday, August 13, 2008 2:43 AM
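
Added example, not part of the original thread: a simplified Python model of the access check the two answers describe, in which allow entries from every group the user belongs to accumulate and a matching deny entry wins. The account name `jdoe`, the three sample ACLs and the mask bit values are constructed for illustration.

```python
from dataclasses import dataclass

# Access-mask bits (constructed for this model, not the real Windows values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name the entry applies to
    mask: int      # rights covered by the entry

def canonical(acl):
    """Place deny entries ahead of allow entries (stable sort keeps the rest in order)."""
    return sorted(acl, key=lambda ace: ace.kind != "deny")

def access_check(token, acl, desired):
    """Return True if every bit in `desired` is granted to the token.

    token: set holding the user name and every group the user belongs to.
    """
    remaining = desired
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue                      # entry is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a matching deny ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask        # rights accumulate across groups
        if remaining == 0:
            return True
    return False                          # anything not granted is refused

# Constructed sample: a user who is in both local groups from the question.
TOKEN = {"jdoe", "Administrators", "Power Users"}

# Resource where only Power Users received a non-default grant.
POWER_ONLY = [Ace("allow", "Power Users", READ | WRITE)]
# Resource where each group grants a different part of the access.
SPLIT = [Ace("allow", "Administrators", READ), Ace("allow", "Power Users", WRITE)]
# Resource with an allow for one group and a deny for the other.
DENIED = [Ace("allow", "Administrators", READ | WRITE | DELETE),
          Ace("deny", "Power Users", WRITE)]
```

Running the same checks with `"Power Users"` removed from the token shows which resources depend on that membership before anyone cleans it up.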
