Hello forum, My question revolves around ntfs permissions.....As part of normal installation\configuration of our windows servers is to remove the everyone group from certain programs(cmd.exe, regedit.exe, etc...)...However, when I attempt to remove said group I get access denied error and the only way I have worked around this is to take ownership from Trusted Installer user...I am logged in as admin.....Win2K3 was a simple click of the remove button....any help will b appreciated Thanks, Mark

Hi, There are several security changes in Windows Server 2008 compared with Windows Server 2003. In Windows Server 2003, the logon administrator has full control of operating system files.But in the Windows Server® 2008 and Windows Vista® operating systems, most of the operating system files are owned by the TrustedInstaller security identifier (SID), which is the only SID that has full control over them. The purpose is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. Thus in order to make changes on these operating systems files in Windows Server 2008, you need to take ownership of TrustedInstaller. Moreover, the Everyone group has the same permissions to the Buitin\users in Windows Server 2003. But the Everyone group is removed in Windows Server 2008. For more information, please visit the following documents: What's New for Access Control in Windows Server 2008 Best Regards DalePlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thank you Dale, so I am assuming the only way to modify a system file is to take ownership of file as admin from the trusted installer and then modify? Mark

Other than take ownership of Trusted installer, alternatively, the built-in administrator account has the read, write and delete permissions on most of operating system files. You can enable the built-in administrator account to perform the modification. To enable the built-in administrator account, launch a command prompt in elevated privilege, type the following command: net user administrator /active:yes Best Regards Dale Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

thank you Dale