What are the guidelines for setting NTFS permissions on Win2k Terminal Services with Citrix Metafram

What is the guideline for setting NTFS permissions on a Windows 2000 Server Terminal Services with Citrix MetaFrame 1.8? I have been told by Microsoft technical support NOT to mess with the group "Everyone," to leave permissions at default and create a new group and restrict NTFS permissions to that group. Does that sound correct? I have been told you cannot set the permissions like you could in NT 4.0 Terminal Server Edition. Is that correct?

There appears to be more than one issue here:

  1. Since you say you were told to create a new group and restrict NTFS permissions to that group, I'm assuming you want to restrict access by setting deny permissions. If this is so, then yes, create the group and set "deny permissions" for it. You cannot deny access to the Everyone group; if you do so, you will do just that, deny access to everyone.

    Since deny access is usually applied first, no amount of "allow access" will override this. Instead, grant "allow access" to those who need access. Those without access will be denied by default. The "deny access" permissions help with more granular access restrictions, but Windows 2000, like NT, does not grant access to anyone implicitly.

  2. What access do you wish to adjust? System access? Data file access? As you know, in some areas, the group Everyone is explicitly given access. In many cases you can remove this access, but you must make sure to replace it by giving the SYSTEM and appropriate users access explicitly. You should always use caution when doing this, and do so on test systems. I am unable to find out if Citrix MetaFrame also requires explicit access to areas where it is getting that access because of the default group "Everyone." If this is so, and you can determine where that is necessary, then you can make the appropriate adjustments. I suggest you work with your Citrix support to determine if this is possible.

  3. Windows 2000 is different than Windows NT 4.0 Terminal Server Edition, and that may be the cause of some problems. Permissions set on the system files are not the same. This could be the answer here. You cannot merely set permissions in Windows 2000, as you may have in Windows NT.

  4. It's always easier to just leave the defaults. I know of no explicit reason why you cannot make some adjustments to file permissions, but there is no easy answer here. As always, you must determine what access is required before you blithely change access. Depending on where you wish to change permissions, you may need to know the access required by Windows, Citrix MetaFrame and user accounts.

This was first published in September 2002
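
The deny/allow behaviour discussed in the answer can be checked with a small model of how an NTFS access check walks an access control list. This is an added example, not part of the original answer; the access bits are simplified and the account and group names (alice, guest, TSUsers, Restricted) are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access bits for this example

@dataclass(frozen=True)
class Ace:
    kind: str      # "deny" or "allow"
    trustee: str   # user or group the entry applies to
    mask: int      # access bits the entry covers

def canonical(dacl):
    """Order entries deny-first, as the Windows ACL editor stores them."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")

def access_check(token, dacl, wanted):
    """Walk the list in order; True only if every wanted bit gets allowed."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in token:
            continue                       # entry does not apply to caller
        if ace.kind == "deny" and ace.mask & wanted & ~granted:
            return False                   # matching deny ends the check
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & wanted == wanted:
                return True
    return False                           # no grant found: denied by default

# Constructed tokens: every account is also a member of Everyone.
ALICE = {"alice", "TSUsers", "Restricted", "Everyone"}
ADMIN = {"admin", "Administrators", "Everyone"}
SYSTEM = {"SYSTEM", "Everyone"}
GUEST = {"guest", "Everyone"}

# 1. Deny on Everyone: administrators and SYSTEM are locked out too.
deny_everyone = canonical([Ace("allow", "Administrators", READ | WRITE),
                           Ace("allow", "SYSTEM", READ | WRITE),
                           Ace("deny", "Everyone", READ | WRITE)])

# 2. Everyone removed and replaced by explicit grants; no deny entries.
allow_only = canonical([Ace("allow", "SYSTEM", READ | WRITE),
                        Ace("allow", "Administrators", READ | WRITE),
                        Ace("allow", "TSUsers", READ)])

# 3. Defaults left alone, deny applied to a dedicated group only.
deny_group = canonical([Ace("allow", "Everyone", READ),
                        Ace("deny", "Restricted", READ)])
```

In the second list, guest is refused without any deny entry, while in the first list even SYSTEM fails the check.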