Windows 2003/2000 permission configuration

Source: Internet
Author: User
Tags: port number

Windows permissions look simple but are actually a very difficult problem.
Many people come online to ask about them, and sometimes we get a bit confused ourselves.
What I am going to write about today is permissions under Windows. Interested friends can have a look.
This method has been implemented successfully under 2K/XP/2K3. Vista is not very mature yet and not widely used. Although I have had Vista for a long time and have done a brief analysis of it, I cannot write about it well, so I will not cover Vista permissions today. Please do not laugh, because I have been working this out by trial and error on my own. Interested friends are welcome to teach me; I am a beginner too, so experts, please do not mock. Thank you.
A. Preparation before installing the system:
A system disc is required; a Ghost disc also works. Format the C disk as FAT32 and the other disks as NTFS. If the hard drive is larger than 60G and there are no other special requirements, I suggest making the C disk 10G, with three to four partitions in total, because this makes the system easy to install.
B. Adjustments after installing the system:
After the system is installed, we do the other optimization and tuning:
Enable acceleration for the video card and sound card. Set the PF. Move the IE cookies and My Documents. Rename Guest to something else.
Rename Administrator to Admin.
Turn on Shutdown Event Tracker.
Enable the CAD (Ctrl+Alt+Del) key. (For special users, automatic login can be configured: Start > Run > control userpasswords2, select the user, clear the check box that requires a password to log on to this machine, and fill in the login password.)
Make some common settings in gpedit.msc. For example, programs that you do not want to run can be added there, such as PP, BT, Thunder (adjust this to your own preference; I will not say more).
Optimization and temporary security. The software I use: TWEAKUI.EXE (the Internet café column has a download: DL Tweakui.exe) and 360 Security Defender (DL 360 safer); everything else is done by hand. (These two programs are quite useful and are a must for the system; I will not introduce them.)
One thing that needs saying: create two superusers and two ordinary users on the system (this makes it easy to adjust permissions and guards against viruses; then set the PF for this last user). Note: generally speaking, the individual owner uses the administrator account, and other people, if they need the machine, must use an ordinary user account. This way no anti-virus software needs to be installed, because we use different PFs. Say we have userz and userx, and we are currently using userx. If the system gets infected, we log in as admin, delete userx, and log on as a different user.
Optimize service:
##################################################
sc config Browser start= demand
sc config cryptsvc start= demand
sc config Dfs start= demand
sc config DnsCache start= demand
sc config helpsvc start= demand
sc config Nla start= disabled
sc config Spooler start= demand
sc config RemoteRegistry start= demand
sc config Seclogon start= demand
sc config LanManServer start= demand
sc config shellhwdetection start= disabled
sc config Schedule start= demand
sc config Lmhosts start= demand
sc config W32Time start= demand
sc config wzcsvc start= demand
attrib +r +s +h c:boot
####################################################
Disable the low disk space reminder:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiskSpaceChecks"=dword:00000001
Enable sharing:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000001
"AutoShareWks"=dword:00000001
I set both to 1 (enabled), which keeps the default administrative shares such as C$ and ADMIN$ available.
Disable System Restore: (this can also be done in gpedit: Computer Configuration: Administrative Templates: System: System Restore)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
Speed up booting: (My Computer: Properties: Advanced: Startup and Recovery: boot.ini > time=0)
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"WaitToKillAppTimeout"="100"

Modify Port:
To change the 3389 remote connection port, modify the registry. Start > Run > regedit, then expand in sequence:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
Change the PortNumber value in the right pane to the port number you want to use. Note: use decimal (example: 10000).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Change the PortNumber value in the right pane to the port number you want to use. Note: use decimal (example: 10000).
Note: do not forget to add port 10000 to the firewall on Windows 2003.
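An added check, not part of the original article: after changing the port, export the two keys named above with regedit and confirm that both PortNumber values agree. The regedit dialog accepts decimal, but a .reg export stores dwords in hexadecimal (10000 is 00002710). The sample export is constructed and the function names are hypothetical.

```python
import re

# Constructed sample: a .reg export of the two keys, as it would look after
# the port was changed to 10000 in only one of them (0x0d3d is 3389).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00002710

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
'''

DWORD_RE = re.compile(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def read_dwords(reg_text, value_name):
    """Return {key_path: int} for every dword value called value_name."""
    found, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # current registry key
            continue
        m = DWORD_RE.match(line)
        if m and key and m.group(1).lower() == value_name.lower():
            found[key] = int(m.group(2), 16)      # .reg dwords are hexadecimal
    return found

def check_rdp_port(reg_text, expected_port):
    """List problems with the RDP PortNumber values in a .reg export."""
    ports = read_dwords(reg_text, "PortNumber")
    problems = []
    if len(ports) < 2:
        problems.append("expected PortNumber under both Tds\\tcp and RDP-Tcp")
    for key, port in ports.items():
        if port != expected_port:
            leaf = key.rsplit("\\", 1)[-1]        # last component of the key
            problems.append("%s: PortNumber is %d, expected %d"
                            % (leaf, port, expected_port))
    return problems

if __name__ == "__main__":
    for problem in check_rdp_port(SAMPLE_REG, 10000):
        print(problem)
```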

Back up a registry file for use at a critical moment: (EXE file association)
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
Then Start > Run: cmd
regsvr32 /u zipfldr.dll
sfc /purgecache
---------------------------------------------------------------------------------------------
@echo off
color 1f
echo Zhang Xiangli is clearing the system garbage files, please wait. QQ:25335167 ....
rem Temporary and leftover files on the system drive.
rem Note: *.log also removes application and setup log files.
del /f /s /q %systemdrive%\*.tmp
del /f /s /q %systemdrive%\*._mp
del /f /s /q %systemdrive%\*.log
del /f /s /q %systemdrive%\*.gid
del /f /s /q %systemdrive%\*.chk
del /f /s /q %systemdrive%\*.old
del /f /s /q %systemdrive%\recycled\*.*
rem Backup and prefetch files in the Windows directory; recreate an empty temp folder
del /f /s /q %windir%\*.bak
del /f /s /q %windir%\prefetch\*.*
rd /s /q %windir%\temp & md %windir%\temp
rem Per-user cookies, recent documents, browser cache and temp files
del /f /q %userprofile%\cookies\*.*
del /f /q %userprofile%\recent\*.*
del /f /s /q "d:\temporary Internet files\*.*"
del /f /s /q "%userprofile%\local settings\temp\*.*"
del /f /s /q "%userprofile%\recent\*.*"
echo System junk cleanup complete. So tired, off to http://bbs.bitscn.com to play first ~
echo. & pause
---------------------------------------------------------------------------------------------
Save the above as a .bat file; it can be added as a shutdown script.
Edit the hosts file:
Here are some entries I added myself:
0.0.0.0 www.ebay.com
0.0.0.0 download.cnnic.com
0.0.0.0 download.3721.com
Then rename the key EXE and console files, such as regedit, cmd, gpedit, ftp, tftp, secpol, diskmgmt, and the other important system files related to security. Write the new names down so that you do not forget them yourself. After that, disable the C disk through Group Policy and prohibit access through the address bar. Now let's talk about permissions.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Windows user introduction:
Administrators: the administrators group. By default, users in Administrators have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system. Therefore, only trusted people should be members of this group.
Power Users: the advanced users group. Power Users can perform any operating system task other than those reserved for the Administrators group. The default permissions assigned to the Power Users group allow its members to modify settings for the entire computer. However, Power Users do not have the right to add themselves to the Administrators group. In permission settings, this group's permissions are second only to Administrators.

Users: the ordinary users group. Users in this group cannot make intentional or unintentional changes to the system. As a result, users can run validated applications, but they cannot run most legacy applications. The Users group is the safest group because the default permissions assigned to it do not allow members to modify operating system settings or other users' data. The Users group provides the most secure environment in which to run programs. On NTFS-formatted volumes, the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify registry settings, operating system files, or program files. Users can shut down a workstation, but not a server. Users can create local groups, but can only modify the local groups that they created.

Guests: the guest group. By default, guests have the same access as members of the ordinary Users group, but the Guest account has more restrictions.

Everyone: as the name implies, all users. All users on this computer belong to this group.
Depending on your needs, if you have files that are written to frequently, leave one disk that can be written to. Grant the write permission to a superuser that is not the current one (for example, if the current login is admin and the other superuser is server, specify the user server with Full Control). That disk is then writable.
Of course, you may have important EXE files outside the C disk that you do not want other people to run.
In that case, right-click the file, choose Properties: Security, and specify a superuser that is not the current user, with Full Control.
When you then click the file, you get a "file not found" message. To run it, use Run as: enter that user and password and it will run.
Then we set the permissions for the disk as a whole: leave only Everyone, because this group already includes Authenticated Users and the Guest user, and set it to Read Only.
(Note that this is read-only: remove the other permissions under Advanced and remove inheritance, leaving only the one read-only entry.)
Now, on this disk, the move and copy options are greyed out, and Delete does not work.
(Of course, you can also remove the Security option through Group Policy: User Configuration: Administrative Templates: Windows Components: Windows Explorer. If you do, you have to use cacls in CMD.) Specific usage:
cacls filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]

filename -- displays the access control list (hereinafter referred to as the ACL);

/T -- changes the ACLs of the specified files in the current directory and all subdirectories;

/E -- edits the ACL instead of replacing it;

/C -- continues when an access-denied error occurs;

/G user:perm -- grants the specified user access rights. perm can be R (read), W (write), C (change, i.e. write), F (full control);

/R user -- revokes the specified user's access rights (valid only with /E);

/P user:perm -- replaces the specified user's access rights;

/D user -- denies access to the specified user.
Example one: Viewing access control permissions for a folder

For example, to view the access control permissions of the H:\temp folder, type the following command in the Start → Run dialog box or at the command prompt: cacls h:\temp

The command then shows all the user groups and users that have access control rights on the H:\temp folder. CI indicates that the ACE is inherited by directories, OI indicates that the ACE is inherited by files, and IO indicates that the ACE does not apply to the current file or directory. The letter at the end of each line is the access right: F for full control, C for change, and W for write.

If you want to view the access control permissions of all files in this folder, including files in subfolders, type the command cacls h:\temp\.
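As an added example (not from the original article), the following script reads cacls output in the format just described and lists the entries that give a broad group write, change or full control, which is the condition the read-only Everyone setup above is meant to avoid. The sample output is constructed, the function names are hypothetical, and only single-letter rights (F, C, W, R, N) are handled.

```python
import re

# Constructed sample of `cacls H:\temp` output (not captured from a real host).
SAMPLE = r"""H:\temp BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
        SERVER01\bitscn:(OI)(CI)C
        Everyone:(OI)(CI)(IO)F
        Everyone:R
"""

# account:(flags)right, e.g. BUILTIN\Users:(OI)(CI)R
ACE_RE = re.compile(
    r"^(?P<account>.+?):(?P<flags>(?:\((?:OI|CI|IO)\))*)(?P<perm>[FCWRN])$")
WRITE_PERMS = {"F", "C", "W"}        # full control, change, write
BROAD = {"everyone", "users", "guests", "authenticated users"}

def parse_cacls(output, path):
    """Return a list of (account, flags, perm) from simple cacls output."""
    aces = []
    for line in output.splitlines():
        entry = line.strip()
        if entry.lower().startswith(path.lower()):
            entry = entry[len(path):].strip()    # first line carries the path
        m = ACE_RE.match(entry)
        if m:
            flags = re.findall(r"\((\w+)\)", m.group("flags"))
            aces.append((m.group("account"), flags, m.group("perm")))
    return aces

def writable_by_broad_groups(aces):
    """ACEs that give a broad group write, change or full control."""
    hits = []
    for account, flags, perm in aces:
        name = account.split("\\")[-1].lower()   # drop BUILTIN\ or host prefix
        if name in BROAD and perm in WRITE_PERMS:
            # IO (inherit only): the ACE applies to children, not this object
            scope = "children only" if "IO" in flags else "this object"
            hits.append((account, perm, scope))
    return hits

if __name__ == "__main__":
    for hit in writable_by_broad_groups(parse_cacls(SAMPLE, r"H:\temp")):
        print("%s has %s (%s)" % hit)
```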

Example two: Modifying access control permissions for a folder

If you want to give the local user BITSCN full control over all files in the H:\temp folder and its subfolders, simply type the following command:

cacls h:\temp /t /e /c /g bitscn:f

Here "/t" means modifying the ACLs of all files in the folder and its subfolders, "/e" means editing rather than replacing, "/c" means continuing when an access-denied error occurs, and "/g bitscn:f" means granting the local user bitscn full control, where "f" stands for full control; if you only want to grant read permission, use "r" instead.

Example three: Revoking a user's access control rights

If you want to revoke the user BITSCN's access control permissions on the H:\temp folder and its subfolders, you can type the following command:

cacls h:\temp /t /e /c /r BITSCN

If you simply want to deny the user access, you can type the following command:

cacls h:\temp /t /e /c /d BITSCN
So now you can run the system with just 360 installed.
If you want to run the system on NTFS, set up the C disk the same way as above. However, for the key files use RunAs; do not rename them.
Of course, the higher the system's permission level, the more trouble it is.
