WINDOWS 2000 PROFESSIONAL RESOURCE KIT [Electronic resources] - text version

Chris Aschauer


Security Groups, User Rights, and Permissions


Security groups, user rights and permissions provide powerful security management. Management can be high-level, allowing you to manage security for numerous resources, while at the same time it can be fine-grained, allowing specific control of files and folders and user rights.

Security Groups


Windows 2000 allows you to organize users and other objects into groups for easy access permission administration. Defining security groups is a major security task. Security groups can be described according to their scope, such as Global groups or Universal groups, as well as according to their purpose, rights, and role, such as the Everyone group or the Administrators group.

The Windows 2000 security groups let you assign the same security permissions to large numbers of users. This ensures consistent security permissions across all members of a group. Using security groups to assign permissions means the access control on resources remains fairly static and easy to control and audit. Users who need access are added or removed from the appropriate security groups as needed, and the access control lists change infrequently.

How Security Groups Work


Depending on the environment you are working in, you might encounter any of the four main types of security groups:


    Domain local groups, which are best used for granting access rights to resources such as file systems or printers that are located on any computer in the domain where common access permissions are required.

    Global groups, which are used for combining users who share a common access profile based on job function or business role.

    Universal groups, which are used in larger, multi-domain organizations where there is a need to grant access to similar groups of accounts defined in multiple domains. Universal groups are used only in multiple domain trees or forests that have a global catalog.

    Computer local groups, which are security groups specific to a computer and not recognized elsewhere in the domain.


For more information about working with the four different types of groups, see the Deployment Planning Guide.

Permissions of Security Groups


Windows 2000 includes a number of preconfigured groups including the following:


    Guests: This group allows occasional or one-time users to log on to a workstation's built-in Guest account and be granted limited abilities. Members of the Guest group can also shut down the system. The built-in guest account is disabled by default.

    Users: Members of this group (normal authenticated users) do not have broad read/write permission as they did in Windows NT 4.0. These users have read-only permission for most parts of the system and read/write permission in their own profile folders. Users cannot read other users' data, install applications that require modification of system directories, or perform administrative tasks.

    Power Users: Members of this group have all the access permissions that Users and Power Users had in Windows NT 4.0. Power Users have read/write permission to other parts of the system in addition to their own profile folders. Power Users can install applications and perform many administrative tasks. If you are running applications that have not been certified for use with Windows 2000, users will need to have Power User privileges.

    Backup Operators: Members of this group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

    Administrators: Members of this group have total control of the desktop, allowing them to complete all tasks. Members of the Administrators group have the same level of rights and permissions they did for Windows NT 4.0. There is also a built-in administrator account that allows administration of the computer. The administrator account is the first account that is created when Windows 2000 is installed.


Prerequisites for Implementing Security Groups


Security groups are a built-in feature of Windows 2000. No special installation or prerequisite is required.

Implementing Security Groups


To create new users and place them in Security groups, use the Computer Management snap-in of MMC. For more information about creating new users, see Windows 2000 Professional Help.

User Rights


Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are attached to objects (such as printers or folders). For information about permissions, see "How Inheritance Affects Permissions" later in this chapter.

User rights can be applied to individual users or to user groups. It is simplest to apply rights to user groups because all users who belong to the group will inherit the rights you grant to the group. It is also possible to apply rights to each user, but this requires more administration because you will have to set rights for each user.

User rights that are assigned to a group are applied to all members of the group while they remain members. If a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to one group might conflict with those assigned to another is in the case of certain logon rights. In general, however, user rights assigned to one group do not conflict with the rights assigned to another group. To remove rights from a user, the administrator simply removes the user from the group.

To Assign User Rights to Groups


    Open the Group Policy snap-in to MMC.

    Double-click the User right you want to assign to a group. Many user rights are in User Rights Assignment.

    Click Add, and then enter the group or groups to which you want to grant this permission. Click Check Names to confirm that group names are recognized.


There are two types of user rights:


    Privileges: A right which is assigned to a user and specifies allowable actions on the network. An example of a privilege is the right to back up files and directories.

    Logon rights: A right which is assigned to a user and specifies the ways in which a user can log on to a system. An example of a logon right is the right to log on to a system locally.


Privileges

Some privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. However, this requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case, the right to perform a backup, takes precedence over all file and directory permissions.

Table 13.4 shows the privileges that can be assigned to a user by setting user rights. These privileges can be managed with the User Rights policy.

Table 13.4 Privileges That Can Be Assigned to a User

Act as part of the operating system
    This privilege allows a process to authenticate as any user, and therefore gain access to resources under any user identity. Only low-level authentication services should require this privilege.

    The user or process that is granted this privilege might create security tokens that grant them more rights than their normal user profile provides. This includes granting themselves all access as anonymous users, which defeats attempts to audit the identity of the token's user. Do not grant this privilege unless you are certain it is needed.

    Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Add workstations to a domain
    Allows the user to add a computer to a specific domain. The user specifies the domain on the computer being added, creating an object in the Computer container of Active Directory.

Back up files and directories
    Allows the user to circumvent file and directory permissions to back up the system. Specifically, the privilege is similar to granting the following permissions on all files and folders on the local computer: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions. For more information, see "Customizing the Desktop" in this book.

Bypass traverse checking
    Allows the user to pass through directories to which the user otherwise has no access, while navigating an object path in any Windows file system or in the registry. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

Change the system time
    Allows the user to set the time for the internal clock of the computer.

Create a token object
    Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.

    It is recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege assigned.

Create permanent shared objects
    Allows a process to create a directory object in the Windows 2000 object manager. This privilege is useful to kernel-mode components that plan to extend the Windows 2000 object name space. Because components running in kernel mode already have this privilege assigned to them, it is not necessary to specifically assign this privilege.

Create a pagefile
    Allows the user to create and change the size of a pagefile. This is done by specifying a paging file size for a given drive in the Performance Options dialog box, which is accessible through the System Properties dialog box.

Debug programs
    Allows the user to attach a debugger to any process. This privilege provides powerful access to sensitive and critical system operating components.

Enable Trusted for Delegation on user and computer accounts
    Allows the user to set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process either running on a computer that is trusted for delegation or run by a user who is trusted for delegation can access resources on another computer. This uses a client's delegated credentials, as long as the client account does not have the Account Cannot Be Delegated account control flag set. Misuse of this privilege or of the Trusted for Delegation settings might make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Force shutdown of a remote system
    Allows a user to shut down a computer from a remote location on the network.

Generate security audits
    Allows a process to make entries in the security log for object access auditing. The process can also generate other security audits. The security log is used to trace unauthorized system access.

Increase quotas
    Allows a process with write property access to another process to increase the processor quota assigned to that other process. This privilege is useful for system tuning, but can be abused, as in a denial-of-service attack.

Increase scheduling priority
    Allows a process with write property access to another process to increase the execution priority of that other process. A user with this privilege can change the scheduling priority of a process through Task Manager.

Load and unload device drivers
    Allows a user to install and uninstall Plug and Play device drivers. Device drivers that are not Plug and Play are not affected by this privilege and can only be installed by administrators. Because device drivers run as trusted (highly-privileged) programs, this privilege might be misused to install hostile programs and give these programs destructive access to resources.

Lock pages in memory
    Allows a process to keep data in physical memory, preventing the system from paging the data to virtual memory on disk. Exercising this privilege might significantly affect system performance. This privilege is obsolete and is therefore never checked.

Manage auditing and security log
    Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in the computer-wide audit policy settings under Security Policy or under Security Policy defined in Active Directory. This privilege does not grant access to the computer-wide audit policy.

    A user with this privilege can also view and clear the security log from the Event Viewer.

Modify firmware environment values
    Allows modification of the system environment variables, either by a user through the System Properties or by a process.

Profile a single process
    Allows a user to use Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of non-system processes.

Profile system performance
    Allows a user to use Windows NT and Windows 2000 performance-monitoring tools to monitor the performance of system processes.

Remove a computer from docking station
    Allows a user to undock a portable computer with the Windows 2000 user interface.

Replace a process-level token
    Allows a process to replace the default token associated with a sub-process that has been started.

Restore files and directories
    Allows a user to circumvent file and directory permissions when restoring backed up files and directories, and to set any valid security principal as the owner of an object. See also the Back up files and directories privilege.

Shut down the system
    Allows a user to shut down the local computer.

Take ownership of files or other objects
    Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

For more information, see "Security Policy" later in this chapter.

Logon Rights

Logon rights are assigned to users, are managed with the User Rights policy, and specify the ways in which a user can log on to a system.

Table 13.5 lists and describes Windows 2000 logon rights.

Table 13.5 Windows 2000 Professional Default Logon Rights

Access this computer from a network
    Allows a user to connect to the computer over the network. By default, this privilege is granted to Administrators, Everyone, and Power Users.

Deny access to this computer
    Denies a user the ability to connect to the computer over the network. By default, this privilege is not granted to anyone from the network.

Log on as a batch job
    Allows a user to log on using a batch-queue facility. By default, this privilege is granted to Administrators.

Deny log on as a batch job
    Denies a user the ability to log on using a batch-queue facility. By default, this privilege is granted to no one.

Log on as a service
    Allows a security principal to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone.

Deny logon as a service
    Denies a security principal the ability to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone.

Log on locally
    Allows a user to log on at the computer's keyboard. By default, this right is granted to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.

Deny log on locally
    Denies a user the ability to log on at the computer's keyboard. By default, this right is granted to no one.

Permissions


You can assign permissions to files or folders and determine what can be done to those resources. Note that you cannot assign rights to files or folders.

For information about how to set file or folder permissions, see Windows 2000 Professional Help.

To Set File or Folder Permissions


    Open Windows Explorer, and then locate the file or folder for which you want to set permissions.

    Right-click the file or folder, click Properties, and then click the Security tab.

    To set up permissions for a new group or user, click Add. Type the name of the group or user you want to set permissions for using the format domainname\name, and then click OK to close the dialog box.

    - Or -

    To change or remove permissions from an existing group or user, click the name of the group or user.

    In Permissions, click Allow or Deny for each permission you want to allow or deny.

    - Or -

    To remove the group or user from the permissions list, click Remove.


How Inheritance Affects Permissions


After you set permissions on a folder, new files and subfolders created in the folder inherit these permissions unless you configure this not to happen.

To Prevent a Folder from Imposing Permissions on New Files or Folders


    In My Computer, right-click the folder in question, and then click Properties.

    On the Security tab, click Advanced.

    Select a permission entry from the Permissions Entries list, and then click View/Edit.

    Select an alternate inheritance behavior from the Apply onto drop-down list.


To Prevent New Files or Folders from Inheriting Permissions


    Using My Computer, right-click the folder in question, and then click Properties.

    On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box.


If the check boxes appear shaded, the file or folder has inherited permissions from the parent folder. There are three ways to make changes to inherited permissions:


    Make the changes to the parent folder, and then the file or folder will inherit these permissions.

    Select the opposite permission (Allow or Deny) to override the inherited permission.

    Clear the Allow inheritable permissions from parent to propagate to this object check box. Now you can make changes to the permissions or remove the user or group from the permissions list. However, the file or folder will no longer inherit permissions from the parent folder.


If neither Allow nor Deny is selected for a permission, then the group or user might have obtained the permission through group membership. If the group or user has not obtained the permission through membership in another group, the group or user is implicitly denied the permission. To explicitly allow or deny the permission, click the appropriate check box.
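
As an added example (not code from the Resource Kit), the following Python models the rules this section and the Privileges section describe: permissions a folder passes down to new files, an explicit Allow or Deny on the file overriding an inherited entry, implicit denial when no entry matches, permissions accumulating across group memberships, and the Back up files and directories privilege overriding file permissions for read-type access. The access-mask bits, the folder DACL, and the user and group names are constructed for illustration, and the ACE ordering is a simplification of the real canonical order.

```python
"""Model of the DACL rules this chapter describes: inheritance from a folder,
explicit entries overriding inherited ones, implicit deny when nothing matches,
cumulative group membership, and the backup privilege bypassing permissions.
Added teaching example, not Resource Kit code; masks and names are constructed."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4      # constructed, simplified mask bits
RX = READ | EXECUTE                        # "RX" as used in Table 13.7
MODIFY = READ | WRITE | EXECUTE
BACKUP = "Back up files and directories"   # privilege name from Table 13.4


@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # user or group name (a SID in the real system)
    mask: int
    inherited: bool = False


def canonical_order(dacl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow: this is
    why an entry set on the object itself overrides one from the parent."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def inherit(parent_dacl, explicit=(), protected=False):
    """DACL of a new object created under a folder. protected=True models
    clearing "Allow inheritable permissions from parent to propagate"."""
    own = list(explicit)
    if protected:
        return own
    return own + [Ace(a.kind, a.trustee, a.mask, True) for a in parent_dacl]


def access_check(principals, dacl, requested, privileges=frozenset()):
    """Grant only if every requested bit is allowed before any bit is denied.
    principals holds the user plus every group it belongs to (cumulative)."""
    if BACKUP in privileges and not requested & ~RX:
        return True                 # backup right overrides read-type checks
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False            # an applicable Deny ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if not remaining:
                return True
    return False                    # nothing matched: implicit deny


# Constructed shared folder with inheritable entries in the style of Table 13.7.
FOLDER_DACL = [Ace("allow", "Administrators", MODIFY),
               Ace("allow", "Power Users", MODIFY),
               Ace("allow", "Users", RX)]


def scenarios():
    """Outcomes the chapter's rules predict for three files in the folder."""
    alice = {"alice", "Users"}
    bob = {"bob", "Users", "Power Users"}
    carol = {"carol", "Backup Operators"}
    report = inherit(FOLDER_DACL)                 # inherits all three entries
    # Explicit Deny WRITE on the file overrides bob's inherited Modify.
    locked = inherit(FOLDER_DACL, explicit=[Ace("deny", "bob", WRITE)])
    # Inheritance blocked, only Administrators listed: implicit deny for others.
    private = inherit(FOLDER_DACL, protected=True,
                      explicit=[Ace("allow", "Administrators", MODIFY)])
    return {
        "alice_reads_report": access_check(alice, report, RX),
        "alice_writes_report": access_check(alice, report, WRITE),
        "bob_reads_locked": access_check(bob, locked, RX),
        "bob_writes_locked": access_check(bob, locked, WRITE),
        "alice_reads_private": access_check(alice, private, READ),
        "backup_reads_private": access_check(carol, private, RX, {BACKUP}),
        "backup_writes_private": access_check(carol, private, WRITE, {BACKUP}),
    }
```

Calling scenarios() shows the Users group reading but not writing the inherited file, bob's explicit Deny beating his inherited Modify, and the protected file readable only by Administrators or by a holder of the backup privilege.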

Default Settings


The following section describes the default permissions provided to different users.

Default File System and Registry Permissions

Table 13.6 describes the default file system and registry permissions.

Table 13.6 Default Settings for User Write Access

HKEY_CURRENT_USER: Full Control
    User's portion of the registry.

%UserProfile%: Full Control
    User's Profile directory.

All Users\Documents: Read, Create File
    Allows Users to create files that can subsequently be read (but not modified) by other Users.

%Windir%\Temp: Synchronize, Traverse, Add File, Add Subdir
    Each computer has one temporary directory for use by service-based applications that use this directory to improve performance.

(Root Directory): Not configured during setup
    No permissions are applied to the root level of the directory because the Windows 2000 ACL inheritance model would cause any root level permissions to affect all child objects, including those outside the scope of setup.

File System Permissions for Power Users and Users

Table 13.7 describes the default access control settings that are applied to file system objects for Power Users and Users during a clean installation of the Windows 2000 operating system onto an NTFS partition. For directories, unless otherwise stated (in parentheses), the permissions apply to the directory, subdirectories, and files.


    %systemdir% refers to %windir%\system32.

    *.* refers to the files (not directories) contained in a directory.

    RX means Read and Execute.


Table 13.7 Default Access Control Settings for File System Objects

File System Object          Default Power User Permissions   Default User Permissions
c:\boot.ini                 RX                               None
c:\ntdetect.com             RX                               None
c:\ntldr                    RX                               None
c:\ntbootdd.sys             RX                               None
c:\autoexec.bat             Modify                           RX
c:\config.sys               Modify                           RX
\Program Files              Modify                           RX
%windir%                    Modify                           RX
%windir%\*.*                RX                               RX
%windir%\config\*.*         RX                               RX
%windir%\cursors\*.*        RX                               RX
%windir%\Temp               Modify                           Synchronize, Traverse, Add File, Add Subdir
%windir%\repair             Modify                           List
%windir%\addins             Modify (Dir\Subdirs) RX (Files)  RX
%windir%\Connection Wizard  Modify (Dir\Subdirs) RX (Files)  RX
%windir%\fonts\*.*          RX                               RX
%windir%\help\*.*           RX                               RX
%windir%\inf\*.*            RX                               RX
%windir%\java               Modify (Dir\Subdirs) RX (Files)  RX
%windir%\media\*.*          RX                               RX
%windir%\msagent            Modify (Dir\Subdirs) RX (Files)  RX
%windir%\security           RX                               RX
%windir%\speech             Modify (Dir\Subdirs) RX (Files)  RX
%windir%\system\*.*         Read, Execute                    RX
%windir%\twain_32           Modify (Dir\Subdirs) RX (Files)  RX
%windir%\Web                Modify (Dir\Subdirs) RX (Files)  RX
%systemdir%                 Modify                           RX
%systemdir%\*.*             RX                               RX
%systemdir%\config          List                             List
%systemdir%\dhcp            RX                               RX
%systemdir%\dllcache        None                             None
%systemdir%\drivers         RX                               RX
%systemdir%\CatRoot         Modify (Dir\Subdirs) RX (Files)  RX
%systemdir%\ias             Modify (Dir\Subdirs) RX (Files)  RX
%systemdir%\mui             Modify (Dir\Subdirs) RX (Files)  RX
%systemdir%\OS2\*.*         RX                               RX
%systemdir%\OS2\DLL\*.*     RX                               RX
%systemdir%\RAS\*.*         RX                               RX
%systemdir%\ShellExt        Modify (Dir\Subdirs) RX (Files)  RX
%systemdir%\Viewers\*.*     RX                               RX
%systemdir%\wbem            Modify (Dir\Subdirs) RX (Files)  RX
%systemdir%\wbem\mof        Modify                           RX
%UserProfile%               Full Control                     Full Control
All Users                   Modify                           Read
All Users\Documents         Modify                           Read, Create File
All Users\Application Data  Modify                           Read

Note that a Power User can write new files into the following directories but cannot modify the files that are installed there during text-mode setup. Furthermore, all other Power Users inherit Modify permissions on files created in these directories.


    %windir%

    %windir%\config

    %windir%\cursors

    %windir%\fonts

    %windir%\help

    %windir%\inf

    %windir%\media

    %windir%\system

    %systemdir%

    %systemdir%\OS2

    %systemdir%\OS2\DLL

    %systemdir%\RAS

    %systemdir%\Viewers


For directories designated as Modify (Dir\Subdirs) RX (Files), Power Users can write new files; however, other Power Users will only have read access to those files.

Registry Permissions for Power Users and Users

Table 13.8 describes the default access control settings that are applied to registry objects for Power Users and Users during a clean installation of the Windows 2000 operating system. For a given object, permissions apply to that object and all child objects unless the child object is also listed in the table.

Table 13.8 Registry Permissions for Power Users and Users

Registry Object                                                                 Default Power User Permissions  Default User Permissions
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE                                                     Modify                          Read
HKLM\SOFTWARE\Classes\helpfile                                                  Read                            Read
HKLM\SOFTWARE\Classes\.hlp                                                      Read                            Read
HKLM\SOFTWARE\Microsoft\Command Processor                                       Read                            Read
HKLM\SOFTWARE\Microsoft\Cryptography                                            Read                            Read
HKLM\SOFTWARE\Microsoft\Driver Signing                                          Read                            Read
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates                                  Read                            Read
HKLM\SOFTWARE\Microsoft\Non-Driver Signing                                      Read                            Read
HKLM\SOFTWARE\Microsoft\NetDDE                                                  None                            None
HKLM\SOFTWARE\Microsoft\Ole                                                     Read                            Read
HKLM\SOFTWARE\Microsoft\Rpc                                                     Read                            Read
HKLM\SOFTWARE\Microsoft\Secure                                                  Read                            Read
HKLM\SOFTWARE\Microsoft\SystemCertificates                                      Read                            Read
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce                          Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32                     Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers                  Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper                    Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options  Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping                Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib                       Read (via Interactive)          Read (via Interactive)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit                       Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones                    Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows                       Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon                      Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AsrCommands                   Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes                       Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console                       Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList                   Read                            Read
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost                       Read                            Read
HKLM\SOFTWARE\Policies                                                          Read                            Read
HKLM\SYSTEM                                                                     Read                            Read
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg                  None                            None
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive                 Modify                          Read
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation                       Modify                          Read
HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security                              None                            None
HKLM\HARDWARE                                                                   Read (via Everyone)             Read (via Everyone)
HKLM\SAM                                                                        Read (via Everyone)             Read (via Everyone)
HKLM\SECURITY                                                                   None                            None
HKEY_USERS
HKEY_USERS\.DEFAULT                                                             Read                            Read
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\NetDDE                                   None                            None
HKEY_CURRENT_CONFIG                                                             = HKLM\System\CurrentControlSet\HardwareProfiles\Current
HKEY_CURRENT_USER                                                               Full Control                    Full Control
HKEY_CLASSES_ROOT                                                               = HKLM\Software\Classes         = HKLM\Software\Classes

For more information, see the Distributed Systems Guide in the Windows 2000 Server Resource Kit.
