NTFS permissions on local machine for people logging into a domain
  • NTFS permissions on local machine for people logging into a domain

    Hi there

    I am all new to AD, so bear with me.

    I have set up an AD on a Win2k8 machine. The first time people log onto the domain (using Win XP), I will install various programs on their machine using the software installation mechanism in AD. This makes the machine ready to be used in our company. From then on, whenever the user logs on to the computer (and my domain), the user should receive NTFS permissions similar to a local "limited" user.

    How can I do this? Or did I misunderstand the use of AD?

    Thanks in advance,

  • #2
    Re: NTFS permissions on local machine for people logging into a domain

    Hi,
    The security mechanism of Windows, in short, works like this:

    When a domain user logs on to a computer, Windows queries the Domain Controllers for authentication and creates a token for the user.
    The token includes the Security Identifiers (SIDs) of the user and all the security groups he belongs to (including some well-known security contexts such as 'EVERYONE', etc.).

    This token will be assigned to the user's session until he logs off (and terminates the logon session).

    When a user tries to access an NTFS securable object (such as a directory, file, registry key, etc.), Windows compares the user's token with the 'Access Control List' (ACL) of the object. The ACL is actually what you see when you right-click a file / folder --> Properties --> Security --> Advanced. Each entry in the ACL is called an 'ACE' (Access Control Entry). An ACL should look something like this:
    ------------------------------------------------------------------
    Administrators --> Full Control --> This folder, sub folders and files
    Users --> Read only --> This folder, sub folders and files
    ------------------------------------------------------------------

    If Windows finds a match (i.e. one or more of the SIDs in the token matches the SIDs in the ACL), Windows grants or denies access to the resource according to the information in the relevant ACE.

    If you left the NTFS permissions of the local machine as default, and the domain user is not part of the local Administrators group on the computer, then the user's security is similar to a "normal" local user.
    Hope that answers your Q.
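    The mechanism the reply above describes can be seen directly on a workstation. The following PowerShell script is an added example, not code from either poster: it dumps the SIDs in the logged-on user's token, checks whether the built-in Administrators SID (S-1-5-32-544) is among them, and then reads the ACL of a folder and marks every ACE whose SID appears in the token. The folder path is only an illustration; point it at whatever folder you want to check. Run it as the domain user while logged on to the workstation, since the whole point is to inspect that user's token.

```powershell
# Added example (not from the original thread): show the token / ACL matching
# that the reply describes, for the user running this script.
# Assumes Windows PowerShell with the .NET Framework; Get-Acl is built in.

# 1. The logon token: the user's own SID plus the SID of every group in the token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User) + @($identity.Groups)

"Token for $($identity.Name) holds $($tokenSids.Count) SIDs:"
foreach ($sid in $tokenSids) {
    # Well-known SIDs such as Everyone (S-1-1-0) resolve to a name; some logon SIDs do not.
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(unresolved)' }
    "  {0,-45} {1}" -f $sid.Value, $name
}

# 2. The reply's key point: no local Administrators SID in the token means the
#    user is treated like any other member of Users.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$isAdmin   = [bool]($tokenSids | Where-Object { $_.Equals($adminsSid) })
"Member of BUILTIN\Administrators: $isAdmin"

# 3. The ACL of a folder, with the ACEs that match a SID in the token marked '*'.
#    Hypothetical path for the example; substitute the folder you are checking.
$path = 'C:\Program Files'
$acl  = Get-Acl -Path $path

"ACL of ${path}:"
foreach ($ace in $acl.Access) {
    # Get-Acl shows names; convert each ACE's identity back to its SID for comparison.
    try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $aceSid = $null }
    $matched = ($aceSid -ne $null) -and [bool]($tokenSids | Where-Object { $_.Equals($aceSid) })
    $mark    = if ($matched) { '*' } else { ' ' }
    "  {0} {1,-6} {2,-35} {3}" -f $mark, $ace.AccessControlType, $ace.IdentityReference.Value, $ace.FileSystemRights
}
```

    Two caveats for reading the output: `whoami /groups` and `icacls <folder>` give the same two views without PowerShell, and on Vista or later a member of Administrators running a non-elevated session sees a UAC-filtered token, so the Administrators membership check should be repeated from an elevated prompt if the result looks wrong.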
