Access rights

[WesFlash]

Yesterday, I re-formatted because I locked out my Administrator account from Disk 0, and had no paging file as well. After about an hour of making attempts to correct the problem, I formatted. I gave up, but I knew that would fix it. What could I have done to correct the problem? I am new to professional OSes, and I am not going back to Win9x. That said this is what started it all. I have a guest in my house and I set up an account for her on my computer. I have my own account and administrator. My wife, who rarely connects to my computer from her computer, also has an account. All 3 of us are set up as power users. I have 2 hard drives. Drive D: had some material I did not want anyone to see. One of the power users used the WMP to search for media files and found a few that were offensive. I wanted to keep them from being able to find them and play them. I made some security changes to that person's account. The next day she access it again. So, I restricted everybody but the adminstrator. I've got kids and figured I had to learn this anyway. So, I restricted access by adding the username and selecting deny to the security of the drive. Only the administrator account had full access. MY acccount for my name was, oops, also an administrator as well as power user. When I made the changes to the security settings, I received a warning that it may have undesireable effects. But, like a dummy, I figured that it would not lock the administrator out too.
I figure I should have used group restrictions instead of by name, but can I get it to work with just named accounts? Should I make a group based on the name because each person will need different access?

[shaolindave]

Is your file system NTFS or FAT32? If it is NTFS, 1)Always add users to security groups first. Add the security groups to the ACL then assign permissions for specific access to target objects (C: drive, Folders...) 2)Never use use the DENY check box in the ACL. Restrict permissions but not giving permissions. Once you add what groups you want to access drives and folders (admins, power users,....) remove the "everyone" groupfrom the ACL.
When you used the DENY restriction to that user, that user was a memeber of the everyone group and the DENY propogated to users in the everyone group, including "oops". I hope this helps brotha man!!

[WesFlash]

Thanks Shaolin, I think that answers what I was suspecting. I will give that a try.

[TeddyRuxspin]

Right then

I hope i got this right cos it a biggy.

Couple of tips i have learnt.
To get rights back on files you need to log in as admin or admin group account and take ownership. then you can modify settings. As for your accounts....

Copy the admin account and make it your normal everyday one. Give everyone else power user accounts except the kids - give them normal users unless you think they can be trusted.
I have found the default setting adequate for our users here (got about 1000) and we rarly have much trouble. Power users are handy as you are able to adjust you display settings etc.
As for the files you wish to hide. Make a share on the drive called something restricted$ and name the fold something similar.
The $ is important as it makes the share hidden. Under this share put all your stuff and set permissions so only admins have access. That way if anyone tries to access the folder it will tell then they have no access and wont be able to view contents (change or full is good enough). Been a hidden share it wont appear in network neighbourhood just remember to call it something like systemsetting$ and not MyDodgyMovies$ cos its ovious what you got in it.

Hope this helps if not post again and i will give you some more info

[Fubarian]

since your new to 2k - I HIGHLY recommend going to technet. They got plenty of stuff for morons like me <IMG SRC="smilies/biggrin.gif" border="0"> and the psycho all knowning admins.

Also NSA just released a couple of docs on securing 2k that are really freakin nice. When I get the url, I'll post it.

[Fubarian]

ok, got it...

www.nsa.gov/winsecurity/index.html

where they are exactly, I'm not sure, but they are in pdf format.