What are the rules for NTFS permissions on Win2k TS with Metaframe? |
 |
EXPERT RESPONSE FROM: Roberta Bragg
|
|
|
| > |
QUESTION POSED ON: 23 September 2002
What is the guideline for setting NTFS permissions on a Windows 2000 Server Terminal Services with Citrix MetaFrame 1.8? I have been told by Microsoft technical support NOT to mess with the group "Everyone," to leave permissions at default and create a new group and restrict NTFS permissions to that group. Does that sound correct? I have been told you cannot set the permissions like you could in NT 4.0 Terminal Server Edition. Is that correct?
|
|
| > |
There appears to be more than one issue here:
- Since you say you were told to create a new group and restrict NTFS permissions to that group, I'm assuming you want to restrict access by setting deny permissions. If this is so, then yes, create the group and set "deny permissions" for it. You cannot deny access to the Everyone group; if you do so, you will do just that, deny access to everyone.
Since deny access is usually applied first, no amount of "allow access" will override this. Instead, grant "allow access" to those who need access. Those without access will be denied by default. The "deny access" permissions help with more granular access restrictions, but Windows 2000, like NT, does not grant access to anyone implicitly.
- What access do you wish to adjust? System access? Data file access? As you know, in some areas, the group Everyone is explicitly given access. In many cases you can remove this access, but you must make sure to replace it by giving the SYSTEM and appropriate users access explicitly. You should always use caution when doing this, and do so on test systems. I am unable to find out if Citrix Metaframe also requires explicit access to areas, where it is getting that access because of default group "everyone." If this is so, then if you could determine where that is necessary, then you can make the appropriate adjustments. I suggest you work with your Citrix support to determine if this is possible.
- Windows 2000 is different than Windows NT 4.0 Terminal Server edition, and that may be the cause of some problems. Permissions set on the system files are not the same. This could be the answer here. You cannot merely set permissions in Windows 2000, as you may have in Windows NT.
- It's always easier to just leave the defaults. I know of no explicit reason why you cannot make some adjustments to file permissions, but there is no easy answer here. As always, you must determine what access is required before you blithely change access. Depending on where you wish to change permissions, you may need to know the access required by Windows, Citrix Metaframe and user accounts.
|
|
|
|
|
|
|
|
Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and
answer pairs from more than 250 TechTarget industry experts.
|
|
|
|
|
|
|
|
|
|
|
|
