3
When I add a new user to Windows (7 or Server 2k8) and I make it a member of the Administrators group, does it matter if I keep or remove the Users membership? Most of the time I remove the Users membership since it seems redundant, but does it matter?
kenwarner
Posted 2010-11-14T02:05:40.523
Reputation: 1 987
5
It matters in so much as Deny privileges take precedence over Allow. If your Users have a Deny permissions on anything, their Administrator membership will not allow them access to the resource. You can test this on Users by creating a deny permission to list contents of a folder, you will get the following warning dialog:
---------------------------
Security
---------------------------
You are setting a deny permissions entry. Deny entries take precedence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission.
Do you want to continue?
---------------------------
Yes No
---------------------------
So unless you plan to NEVER assign a Deny to Users, remove Administrators from the Users group.
Robert Kerr
Posted 2010-11-14T02:05:40.523
Reputation: 693
1It doesn't matter. As part of the Administrators' group, you can do anything on the machine anyway. If you really feel the need to remove the user from the Users group, then do so. – None – 2010-11-14T04:30:36.717