L
Les Desser
Roger Abell said:
W2K SP4
Thanks
W2K SP4
Thanks
L
Les Desser
Herb Martin said:
You have expressed my own thoughts in a few words - I just could not get
at the right ones.
Groups Users and Family (my invention - in case it actually exists) are
chalk and cheese.
Users is an attribute of a logged-on profile and not what I would call a
group. It should not be possible to put an actual user into group
Users. That is a bit like grouping the residents of the UK and putting
the Prime Minister in group Human
I rest my case.
L
Les Desser
Roger Abell said:
I agree - I withdraw my original statement.
I just wish that that the definition of a group would not be muddied by
having special collections such as Users called the same as a group
created by human intelligence - see my reply to Herb a few minutes ago.
H
Herb Martin
I just wish that that the definition of a group would not be muddied by
I would really need to disagree with this (false)
distinction -- Users is indeed in every sense a
Group.
It just happens to be a Built-In Group with built-in
behavior which can be critical to getting a system
to work by default.
Even Everyone is a group in the true sense although
this class has it's own name as well: Special Groups.
(Of course it isn't a very GOOD name <grin> and
should have been called Automatic or perhaps best
would have been Dynamic Groups since the OS
automatically assigns users to the special groups
automatically and dynamically when they meet
certain conditions.)
I would really need to disagree with this (false)
distinction -- Users is indeed in every sense a
Group.
It just happens to be a Built-In Group with built-in
behavior which can be critical to getting a system
to work by default.
Even Everyone is a group in the true sense although
this class has it's own name as well: Special Groups.
(Of course it isn't a very GOOD name <grin> and
should have been called Automatic or perhaps best
would have been Dynamic Groups since the OS
automatically assigns users to the special groups
automatically and dynamically when they meet
certain conditions.)
R
Roger Abell
As Herb indicated Users is a group.
Nothing magic about it. The membership of Users is
clearly viewable, and Users contains nothing other than
what is there, clearly viewable.
Today, the use made of Users would fit IMO fairly
closely to "the group that allows its members to log
into the machine at the keyboard and use it"
In other words, the Users group is pretty much the
grouping of accounts that can use the machine.
There are groups, just plain old normal groups,
like Users. These come in two forms. The predefined
groups and what I term custom groups which have been
defined by the user/owner of the machine.
There are a couple kinds of things that are used as if
they were groups and/or that function like groups, but
over the membership in which one has no control.
These are things like Everyone, Authenticated Users,
Interactive, Network, Anonymous Users, Creator Owner,
Creator Group, Self, . .. These all have set, defined
meanings and uses, which I believe you could discover
by reading into the Resource Kits.
www.reskits.com
Nothing magic about it. The membership of Users is
clearly viewable, and Users contains nothing other than
what is there, clearly viewable.
Today, the use made of Users would fit IMO fairly
closely to "the group that allows its members to log
into the machine at the keyboard and use it"
In other words, the Users group is pretty much the
grouping of accounts that can use the machine.
There are groups, just plain old normal groups,
like Users. These come in two forms. The predefined
groups and what I term custom groups which have been
defined by the user/owner of the machine.
There are a couple kinds of things that are used as if
they were groups and/or that function like groups, but
over the membership in which one has no control.
These are things like Everyone, Authenticated Users,
Interactive, Network, Anonymous Users, Creator Owner,
Creator Group, Self, . .. These all have set, defined
meanings and uses, which I believe you could discover
by reading into the Resource Kits.
www.reskits.com
R
Roger Abell
For W2k the initial, install defaults for the security ACLs on reg vals,
folders, files, services, etc. are contained in the file setup security.inf
to be found in your c:\WINNT\security\templates folder.
If you look in this text file with notepad you will see many
lines in the [File Security] section that look like
8="c:\winnt", 2,
"D
(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)
(A;CIOI;GA;;;CO)(A;;GRGX;;;WD)"
The third and last of these is a string representation of an ACL
in a syntax called SDDL (security descriptor definition language,
about which you could search in msdn.microsoft.com for info)
The way to view what the settings actual mean is to
start / run mmc
and then under the file drop menu select to add/remove snapin
and then add to locate the Security Templates snapin.
Then, with an mmc console where you can look at templates
(these .inf files) you can open the template and see the settings
there translated into groups and the associated grants and also
inheritance. You would be snart to make a copy and do this on
the copy - as that would give you room to play.
In the SDDL above for the initial W2k permissions on winnt
dir, the initial D: means this part is the dacl (access rather than
audit ACL), the first () in it is (A;CIOI;GRGX;;;BU) which is
the spec for one ACE in the ACL, which A: Allows to Users
(the BU for built-in Users) generic read and generic execute
(the GRGX). The CIOI are specifying the inheritance attributes
of this ACE. The other principals in the remaining ACEs of
this ACL spec are PU=Power Users, BA=built-in Administrators,
SY=System, CO=Creator Owner, and WD=Everyone (aka world).
With the Security Templates snap-in it is not possible to change
the state of the running system. To do that one uses the Security
Configuration and Analysis snap-in, into which one Imports the
template (use caution, always Analyze first and consider before
doing an Apply).
If you wanted to alter all of these so that instead of granting to
Users the same would instead be granted to CustomGroup,
what one could do is
1. obtain the SID of CustomGroup
2. make a copy of this inf file, and trim out all sections except
those that you want to impact, for example trim out all except
for [File Security] (note: leave the intial header part, that is,
the [Unicode] and [Version] parts, and do not overlook removing
the seciton [Service General Setting] following files section)
3. do a global replace of BU with the SID of CustomGroup
When this altered template is applied, everyplace that there is a
grant to Users in the filesystem due to the original template's use
during intall will instead have the same grant made to CustomGroup
instead (the grant to Users will be gone). To reverse this, one
would import and apply the original template's [File Security] section.
folders, files, services, etc. are contained in the file setup security.inf
to be found in your c:\WINNT\security\templates folder.
If you look in this text file with notepad you will see many
lines in the [File Security] section that look like
8="c:\winnt", 2,
"D
(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;;GRGX;;;WD)"
The third and last of these is a string representation of an ACL
in a syntax called SDDL (security descriptor definition language,
about which you could search in msdn.microsoft.com for info)
The way to view what the settings actual mean is to
start / run mmc
and then under the file drop menu select to add/remove snapin
and then add to locate the Security Templates snapin.
Then, with an mmc console where you can look at templates
(these .inf files) you can open the template and see the settings
there translated into groups and the associated grants and also
inheritance. You would be snart to make a copy and do this on
the copy - as that would give you room to play.
In the SDDL above for the initial W2k permissions on winnt
dir, the initial D: means this part is the dacl (access rather than
audit ACL), the first () in it is (A;CIOI;GRGX;;;BU) which is
the spec for one ACE in the ACL, which A: Allows to Users
(the BU for built-in Users) generic read and generic execute
(the GRGX). The CIOI are specifying the inheritance attributes
of this ACE. The other principals in the remaining ACEs of
this ACL spec are PU=Power Users, BA=built-in Administrators,
SY=System, CO=Creator Owner, and WD=Everyone (aka world).
With the Security Templates snap-in it is not possible to change
the state of the running system. To do that one uses the Security
Configuration and Analysis snap-in, into which one Imports the
template (use caution, always Analyze first and consider before
doing an Apply).
If you wanted to alter all of these so that instead of granting to
Users the same would instead be granted to CustomGroup,
what one could do is
1. obtain the SID of CustomGroup
2. make a copy of this inf file, and trim out all sections except
those that you want to impact, for example trim out all except
for [File Security] (note: leave the intial header part, that is,
the [Unicode] and [Version] parts, and do not overlook removing
the seciton [Service General Setting] following files section)
3. do a global replace of BU with the SID of CustomGroup
When this altered template is applied, everyplace that there is a
grant to Users in the filesystem due to the original template's use
during intall will instead have the same grant made to CustomGroup
instead (the grant to Users will be gone). To reverse this, one
would import and apply the original template's [File Security] section.
H
Herb Martin
Roger Abell said:
Correct (and below too).
Strictly FYI: The names for the various group types are:
1) Built-in (Administrators, Users, Domain Admins...)
changeable but created and used by the system automatically
2) Groups (aka custom or user-defined Groups)
3) Special (dynamically assigned membership based on
current activity at the time the object resource is
OPENED -- e.g., Everyone, Network, Terminal Service
Users, Dialup Users (sp?) etc.
Groups MAY be divided into 2 or more categories:
a) Local (workstations or domain based)
b) Global (domain based only)
c) Universal (Win2000 Native mode or 2003 Server mode)
On workstations, all Built-in and user-defined Groups are
Local Groups only -- while on the domain groups can be either
Local, Global, or perhaps Universal groups.
No one knows whether Specical Groups are Global or
Local -- the really are neither, but have some of the
characteristics of each.
Technially, there is another Group type, a variation on
Local groups when the behavior changes after upgrading
the domain to Native+ mode: Domain Locals, which are
techically different than "plain Local groups on a domain"
in NT or Mixed etc mode.
--
Herb Martin
R
Roger Abell
Thanks Herb for the terminology breakdown.
It is with regret that I need mention for the OP that one will
find that the terms used by MS have "drifted" some over time.
For example, if one reads at
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_atxz.asp
one will find a slight variation on these, and that all of the
"pre-defined"s get lumped together as the category
Built-in Security Principals, and reading on one finds at
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_wdkv.asp
some meanings for the common ones of these, where the OP
should notice that some are "group-like" and some are
"user-like". The first are dynamically managed collections
of accounts, while the second are placeholders used in ACLs
that get replace dynamically at runtime with the account in use
that meets their definition.
Perhaps we should note for the OP that "principal" is the
generic term used to indicate anything that can be a trustee,
that is, the object indicated as receiving or being denied a
security access grant (and similar with auditing).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
It is with regret that I need mention for the OP that one will
find that the terms used by MS have "drifted" some over time.
For example, if one reads at
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_atxz.asp
one will find a slight variation on these, and that all of the
"pre-defined"s get lumped together as the category
Built-in Security Principals, and reading on one finds at
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdd_sec_wdkv.asp
some meanings for the common ones of these, where the OP
should notice that some are "group-like" and some are
"user-like". The first are dynamically managed collections
of accounts, while the second are placeholders used in ACLs
that get replace dynamically at runtime with the account in use
that meets their definition.
Perhaps we should note for the OP that "principal" is the
generic term used to indicate anything that can be a trustee,
that is, the object indicated as receiving or being denied a
security access grant (and similar with auditing).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Herb Martin said:
H
Herb Martin
Perhaps we should note for the OP that "principal" is the
Drift is bad <grin>
In fact, I strongly prefer the term "security principal"
as a generic term for Groups, Users, and Computer
accounts -- all of these can be granted or denid
permission and rights related to object access and to
system functions.
<irony>
Then there is the question of "Creator/Owner" which
Microsoft calls a special group (at times) and which
I have always considered a Special User.
But on logically grounds it does qualify as Special
Group of at most one user. Ok, there is the case
where it manages to represent the Administrators
group collectively and thereby destroys all our
preceptions about Group containment rules.
(BTW, I think the developers cheated by writing
some exceptions in the code for this stuff.)
</irony>
Drift is bad <grin>
In fact, I strongly prefer the term "security principal"
as a generic term for Groups, Users, and Computer
accounts -- all of these can be granted or denid
permission and rights related to object access and to
system functions.
<irony>
Then there is the question of "Creator/Owner" which
Microsoft calls a special group (at times) and which
I have always considered a Special User.
But on logically grounds it does qualify as Special
Group of at most one user. Ok, there is the case
where it manages to represent the Administrators
group collectively and thereby destroys all our
preceptions about Group containment rules.
(BTW, I think the developers cheated by writing
some exceptions in the code for this stuff.)
</irony>
L
Les Desser
Herb Martin said:
OK - point taken, but can you justify setting a user explicitly as a
member of Users (and this the default) when they are anyway a member of
Users - not to mention the confusion to the poor punter like me, who
expects that if I then remove a user from being a member of Users then
he stops being a member of Users.
(Maybe I just need to go to someone to knock the sense out of me
After working 20+ years with the AS/400 [1] I find I must learn to stop
thinking logically)
[1] For those not that old, the AS/400 (and its parent the S/38) were
first designed by a group of academics, the operating system was then
written, and the hardware (microcode) built to satisfy the needs of the
OS. Ahhh - those were the days
L
Les Desser
Roger Abell said:
[Snip wealth of info]
I have got as far as installing the snap-in and viewing the template -
(interesting how a messy text file can look so nice when present via
GUI)
I have saved your post and will work at it later - many thanks.
L
Les Desser
Yes but not so clear...
I see a list of users (which no longer exist on my system) followed by
NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\INTERACTIVE (S-1-5-4)
(not sure of the bits in brackets)
I accept that for the initiated, they know that when I remove Les from
group Users, Les is STILL a members of Users because he is an
Authenticated User ... Had Les never been or allowed to be an explicit
member of Users then I think I would have cottoned on to what was going
on.
After further messing about I can give a little ground I see that
the two entries above can be merrily deleted from Users - and I think an
early responder to my initial post mentioned that the default structure
could be changed.
So I can see that if that were the case then adding individual users
into Users would have meaning.
I see I have stepped into a minefield - and the quicker I depart the
healthier it would be
But seriously, I have learnt a lot (obviously only a little of what
there is to know) and would thank all for the detailed posts - several
of which followed this one.[Snip details]
I have kept this and several other posts for further reading. Should
keep me out of mischief for a while.
I see a list of users (which no longer exist on my system) followed by
NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\INTERACTIVE (S-1-5-4)
(not sure of the bits in brackets)
I accept that for the initiated, they know that when I remove Les from
group Users, Les is STILL a members of Users because he is an
Authenticated User ... Had Les never been or allowed to be an explicit
member of Users then I think I would have cottoned on to what was going
on.
After further messing about I can give a little ground
I see thatthe two entries above can be merrily deleted from Users - and I think an
early responder to my initial post mentioned that the default structure
could be changed.
So I can see that if that were the case then adding individual users
into Users would have meaning.
I see I have stepped into a minefield - and the quicker I depart the
healthier it would be
But seriously, I have learnt a lot (obviously only a little of what
there is to know) and would thank all for the detailed posts - several
of which followed this one.[Snip details]
I have kept this and several other posts for further reading. Should
keep me out of mischief for a while.
R
Roger Abell [MVP]
Good luck Les - there is a lot of technology there.
If you seach on Security Configuration Toolset, and
similar on the MS site you will likely find some step by
steps on using the snap-ins.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
If you seach on Security Configuration Toolset, and
similar on the MS site you will likely find some step by
steps on using the snap-ins.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
Les Desser said:
R
Roger Abell [MVP]
<vbg> yea, rather certain they did.
For example, one sometimes sees in the docs the statement
that SYSTEM is a member of Administrators group, but that
this is just not shown in the user interface. (OK, so how does
a machine local group get nested into a machine local group?)
The Creator Owner "group" got only more clouded when
they introduced Creator Group "group".
I take a more simple approach. I think of things as Groups
if I can manage their membership, even though MS (at times)
would like some of these referenced as Built-in Groups.
To me, if I have defined it then it is a custom group and I just
say "custom group" if I want to emphasize this. Otherwise a
group is a group is good enough for me.
Then, I think of the rest (where I cannot manage the membership)
as either Special Groups (your dynamic groups which I find to be
an appealing terminology), or as placeholder principals. Then to
round things out, there are the Well Known SIDs.
Issues like the doc speaking of the SYSTEM account but the GUI
displaying the SYSTEM "account" often using the icon for a Group
does not help matters.
Maybe some day things will have completed evolution so that a
terminology that is both simple and sufficient can be established.
R
Roger Abell
An account is automatically added to users as a part of theLes Desser said:
process of defining the new account.
Hence, you do not need to add it to Users unless you have
removed it and want to readd it.
Once more, if you do not let INTERACTIVE and/or Authenticated Users
be a member of Users, then removing an account from the Users group
does in fact stop that account from being a member of Users.
If INTERACTIVE is a member of Users, then as soon as an account
has logged in locally INTERACTIVE is replaced by that account,
making the account a member of Users. Similarly with Authenticated
Users, except that as soon as an account has authenticated it becomes
a member of Authenticated Users, and hence of Users.
You can remove these from Users if you do not want this behavior.
It is actually very logical as it is. Having run VM/CMS for many years(Maybe I just need to go to someone to knock the sense out of me
After working 20+ years with the AS/400 [1] I find I must learn to stop
thinking logically)
in the distant past I would venture to say that it is equally logical as
A, B, . . . G is (was) there and that the Windows way is more well
ordered and mathematical.
[1] For those not that old, the AS/400 (and its parent the S/38) were
first designed by a group of academics, the operating system was then
written, and the hardware (microcode) built to satisfy the needs of the
OS. Ahhh - those were the days
R
Roger Abell
Les Desser said:
They are called the SIDs. These are the true, unique interal identifier
of the principal. In the case of these two, these are "well known sids"
which means that they are the same on any instance of Windows.
Most SIDs have a part in them that makes them uniquely tied to only
one instance of installed Windows.
I accept that for the initiated, they know that when I remove Les from
group Users, Les is STILL a members of Users because he is an
Authenticated User ... Had Les never been or allowed to be an explicit
member of Users then I think I would have cottoned on to what was going
on.
After further messing about I can give a little ground
the two entries above can be merrily deleted from Users - and I think an
early responder to my initial post mentioned that the default structure
could be changed.
That would be me . . .
I also cautioned that one may need to make sure that the parts, if any,
of what these were doing and which one desired to retain would need
to be otherwise provided for.
For example, if you remove these from Users, then on XP or W2k3 if
you were to enable the Guest account and allow it to log in locally you
would find that the log would be unsuccessful, unless you either added
one of these back into Users or explicitly added Guest to Users.
In early NT 4 these were not members of Users - that installation default
membership of Users started with the release of W2k.
So I can see that if that were the case then adding individual users
into Users would have meaning.
I see I have stepped into a minefield - and the quicker I depart the
healthier it would be
Not necessarily. You have likely learned a little of this OS and of
its history. Further, you have expressed such that I can see that we
agree on this. I have for years been very vocal with MS that having
these two in the default membership of Users is wrong, that it obviates
just what Users should be about, and that it make extra work for corps
where specific accounts and only those accounts are supposed to be
allowed to log in at specific machines.
No problem Les. It has been sort of a fun exchange.
. . . and if they do not, just remember the link
www.reskits.com[/QUOTE]
H
Herb Martin
Even Everyone is a group in the true sense although this class has it's
But that is precisely what Microsoft has done once you
realize that all privileges SHOULD be give through a
group, Users is a group which by default holds all
ordinary User accounts, and this Users group is used
to give the standard permissions needed to "Use the
system(s)".
Maybe a better, i.e., more specific, name -- and I am
a big proponent of proper naming -- could have been
chosen but I cannot think of a better name offhand.
(Site Link Bridges ARE misnamed, the "Local" Special
group is slightly misnamed - it should have been Direct
in contrast to Network or some such.)
This is perfectly logical -- an account does not necessarily
have to be a "user" -- it might be a service or an anonymous
type account.
It is the membership in Users that makes a user-type account
a "User" or the Computer or Domain computers in general.
--
Herb Martin
But that is precisely what Microsoft has done once you
realize that all privileges SHOULD be give through a
group, Users is a group which by default holds all
ordinary User accounts, and this Users group is used
to give the standard permissions needed to "Use the
system(s)".
Maybe a better, i.e., more specific, name -- and I am
a big proponent of proper naming -- could have been
chosen but I cannot think of a better name offhand.
(Site Link Bridges ARE misnamed, the "Local" Special
group is slightly misnamed - it should have been Direct
in contrast to Network or some such.)
(Maybe I just need to go to someone to knock the sense out of me
After working 20+ years with the AS/400 [1] I find I must learn to stop
thinking logically)
This is perfectly logical -- an account does not necessarily
have to be a "user" -- it might be a service or an anonymous
type account.
It is the membership in Users that makes a user-type account
a "User" or the Computer or Domain computers in general.
--
Herb Martin
Les Desser said:Herb Martin said:
OK - point taken, but can you justify setting a user explicitly as a
member of Users (and this the default) when they are anyway a member of
Users - not to mention the confusion to the poor punter like me, who
expects that if I then remove a user from being a member of Users then
he stops being a member of Users.
(Maybe I just need to go to someone to knock the sense out of me
After working 20+ years with the AS/400 [1] I find I must learn to stop
thinking logically)
[1] For those not that old, the AS/400 (and its parent the S/38) were
first designed by a group of academics, the operating system was then
written, and the hardware (microcode) built to satisfy the needs of the
OS. Ahhh - those were the days
H
Herb Martin
An account is automatically added to users as a part of the
Yes, and only (somewhat) knowledgeable people (e.g.,
experts or at least tyros who think themselves experts
<grin>) can get a user account out of Users.
Yes, and only (somewhat) knowledgeable people (e.g.,
experts or at least tyros who think themselves experts
<grin>) can get a user account out of Users.
H
Herb Martin
I do this OR if it can be managed like a group in the sense
that I can put it into other groups, assign it permissions etc,
and it represents conceptionally 1 or more unnamed users.
This is of course Microsoft's long standard practice of
including Special Groups in the group types discussion.
Yes, I seldom need to say "user/admin defined or custom"
group.
Yes, dynamic groups says it much more clearly -- WHY it is
special.
Never noticed that.
Of course I may be one of the few people that regularly
assigne or (more likely) DENIES access to System. said:
Actually it would hurt. Usually once a bad terminology
"sticks" it is worse to change it because then you have
the "bad terminology" and the new "good stuff" and not
only do you now have to explain the bad but explain how
it is the same as the good.
A current peeve of mine is the (correct) renaming of Primary
vs. Active Directory Integrated zone type, into Primaries
that are either "standard" or "AD integrated" .
I WOULD HAVE preferred the latter had it been used at
first - but now it just adds to the confusion.
Of course "Site Link Bridge" is so misleading that I TEACH
everyone to mentally rename it to Site Link Bridge-Group,
or Bridge-Grouping to help clarify what it does.
R
Roger Abell
I am not so sure as to how much trouble in the life of the software
result from living with bad maning conventions as compared to
having new/appropriate ones (for a time) co-exist with the ones
that are being aged out.
The ambiguity you mention on primary DNS zones, the ones that
are standard primary and the ones that are AD integrated has always
existed. I struggled with this very thing when writing Windows
2000 DNS in late 1999, eventually deciding on the tactic used just
now. If it is SOA it is primary - whether AD integrated or not, and
if not then use the "std" adjective to indicate old-school, bind type
semantics.
Sometimes I am tempted to distinguish the "special" principals
based on whether they, like Authenticated Users, cause an addition
to the user token, or whether they really are only used on the objects
being secured where they are interpreted with "special handling".
However, that is just too deep for practical, daily use.
I believe that we have the term "special" principals and "special"
groups because the naming originated with the dev from a dev
mentality - they had to right one-off, special case code to handle.
Oh, and speaking of pet peeves, my newest, as of today is the
"Malicious Software" Removal Tool, or was that the Malicious
"Software Removal" Tool ??
In future you will likely see me using the term dynamic and/or
synonomously automatic for the groups of type we have here
discussed. It is meaningful, and distinguishes well the category
from what I have terms a (normal, custom or not) group.
result from living with bad maning conventions as compared to
having new/appropriate ones (for a time) co-exist with the ones
that are being aged out.
The ambiguity you mention on primary DNS zones, the ones that
are standard primary and the ones that are AD integrated has always
existed. I struggled with this very thing when writing Windows
2000 DNS in late 1999, eventually deciding on the tactic used just
now. If it is SOA it is primary - whether AD integrated or not, and
if not then use the "std" adjective to indicate old-school, bind type
semantics.
Sometimes I am tempted to distinguish the "special" principals
based on whether they, like Authenticated Users, cause an addition
to the user token, or whether they really are only used on the objects
being secured where they are interpreted with "special handling".
However, that is just too deep for practical, daily use.
I believe that we have the term "special" principals and "special"
groups because the naming originated with the dev from a dev
mentality - they had to right one-off, special case code to handle.
Oh, and speaking of pet peeves, my newest, as of today is the
"Malicious Software" Removal Tool, or was that the Malicious
"Software Removal" Tool ??
In future you will likely see me using the term dynamic and/or
synonomously automatic for the groups of type we have here
discussed. It is meaningful, and distinguishes well the category
from what I have terms a (normal, custom or not) group.