Relation between Guests and Users groups


Martin Plechsmid

Hello,

I may have a trivial question.

The Guests group should be much more restricted than the Users group,
according to documentation. However, I tested this on my computer (WinXP
SP3) with a user that is in the Guests group but not simultaneously in the
Users group. The user seems to have the same privileges as if he were in the
Users group. (I.e. I can see and modify files, execute any programs
including internet browser etc.)

In particular, on my hard disks I never have privileges specified
explicitly for the Guests group. But the user obtains the rights that are
specified for the Users group. As if the Guests group was a member of the
Users group (but it is not).

So, what is the relation between the Guests and Users groups?

My system is WinXP Pro SP3 with default security settings (i.e. I have not
modified the privileges on disk folders nor the hierarchy in user groups).

Thank you,
Martin.
 
When looking at your permissions keep in mind that "Everyone" includes
"Guests".

John
 
The Guests group should be much more restricted than the Users
group, according to documentation.

What documentation says this?
You aren't confusing the "Guests" group with the "Guest" user, are you?
In particular, on my hard disks I never have privileges specified
explicitly for the Guests group. But the user obtains the rights
that are specified for the Users group. As if the Guests group was
a member of the Users group (but it is not).

So, what is the relation between the Guests and Users groups?

In the computer management console (Start -> Run -> "compmgmt.msc")
Under System Tools -> Local Users and Groups -> Groups

The description of the "Guests" group reads:
"Guests have the same access as members of the Users group by default,
except for the Guest account which is further restricted."

HTH,
John
 
No, I don't confuse Guest and Guests. And I'm aware that Everyone includes
Guests.

Look, for instance, at "C:\Windows" and choose Properties - Security -
Advanced. There you'll see permissions for Administrators, System, Owner,
Users and PowerUsers, all non-inherited. No privilege for Guests (nor
Everyone), though users in Guests group see the folder and file content
without any problem. That's what I'm talking about.
So, where do the privileges for Guests come from?

Thank you,
Martin.
 
Look, for instance, at "C:\Windows" and choose Properties -
Security - Advanced. There you'll see permissions for
Administrators, System, Owner, Users and PowerUsers, all
non-inherited. No privilege for Guests (nor Everyone), though
users in Guests group see the folder and file content without any
problem. That's what I'm talking about. So, where do the privileges
for Guests come from?

Martin,

That makes your question much clearer.
The best answer I have found comes from the article:

"Managing Authorization and Access Control"
<http://technet.microsoft.com/en-us/library/bb457115.aspx>

It seems to indicate that with a couple of exceptions the "Groups" and
"Users" groups are essentially one and the same:

<quote>
Guests

By default, members of the Guests group are denied access to the
application and system event logs. Otherwise, members of the Guests
group have the same access rights as members of the Users group. This
allows occasional or one-time users to log on to a workstation’s
built-in Guest account and be granted limited abilities. Members of the
Guests group can also shut down the system.

Note: The Guest account, which is a member of the Guests group by
default, is not an authenticated user. When logged on interactively,
the Guest account is a member of both the Guests group and the Users
group. However, when logged on over the network, the Guest account is
not a member of the Users group.

</quote>

Hope this helps,
John
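
One way to check on the machine itself where the access comes from, as an added example that is not part of the thread: this PowerShell script lists every SID in the current logon token and then the ACEs on a folder whose trustee matches one of those SIDs. It assumes PowerShell is installed (it is not part of a default WinXP setup) and is run while logged on as the test user; the `$Path` parameter name is illustrative, with `C:\Windows` taken from the thread.

```powershell
# Added example: show which ACEs on a folder apply to the current logon token.
param([string]$Path = 'C:\Windows')   # folder discussed in the thread

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
$id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Every SID carried by the token: the user itself plus all groups,
# including well-known SIDs added at logon that are not visible as
# direct memberships of the account in Local Users and Groups.
$tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

"Token groups for $($id.Name):"
foreach ($g in $id.Groups) {
    try   { $name = $g.Translate($ntType).Value }
    catch { $name = '(unresolved)' }
    "  {0,-45} {1}" -f $name, $g.Value
}

""
"ACEs on $Path whose trustee is in the token:"
foreach ($ace in (Get-Acl -Path $Path).Access) {
    # Normalise the trustee to a SID so it can be compared with the token.
    try   { $sid = $ace.IdentityReference.Translate($sidType).Value }
    catch { continue }   # trustee cannot be resolved; skip it
    if ($tokenSids -contains $sid) {
        "  {0,-6} {1,-32} {2}" -f $ace.AccessControlType,
                                  $ace.IdentityReference,
                                  $ace.FileSystemRights
    }
}
```

Any ACE printed in the second list is one the access check can apply to this logon, whether or not the account was placed in that group by hand.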
 
Thank you for the link. Though still very unclear, it is a better document
than any I have found.

Martin.
 