Compartir a través de


Best practices for permissions and user rights

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Best practices for permissions and user rights

Assign permissions to groups rather than to users

  • Because it is inefficient to maintain user accounts directly, assigning permissions on a user basis should be the exception.

Deny permissions should be used for certain special cases

  • Use Deny permissions to exclude a subset of a group which has Allowed permissions.

  • Use Deny to exclude one special permission when you have already granted full control to a user or group.

Use security templates

  • Rather than set individual permissions, use security templates whenever possible. For information on security templates, see Security Templates.

If possible, avoid changing the default permission entries on file system objects, particularly on system folders and root folders

  • Changing default permissions can cause unexpected access problems or reduce security.

Never deny the Everyone group access to an object

  • If you deny everyone permission to an object, that includes administrators. A better solution would be to remove the Everyone group, as long as you give other users, groups, or computers permissions to that object.

Assign permissions to an object as high on the tree as possible and then apply inheritance to propagate the security settings through the tree

  • You can quickly and effectively apply access control settings to all children or a subtree of a parent object. By doing this, you gain the greatest breadth of effect with the least effort. The permission settings you establish should be adequate for the majority of users, groups, and computers.

Privileges can sometimes override permissions

  • Privileges and permissions may disagree, and you should know what happens if they do. For more information, see Privileges.

For permissions on Active Directory objects, make sure you understand the best practices specific to Active Directory objects