Many Windows NT 3.51 users and even some administrators have a hard time understanding the difference between user rights and permissions. Although the purpose of both is to provide security for files, directories, the system itself, and other shared resources, user rights and permissions function very differently. The primary difference between them is that user rights authorize users to perform system-specific actions such as backing up the system, whereas permissions allow varying degrees of user access to files, directories, and other resources or objects.

For example, let's say user account BOB is a member of only two local groups, Domain Users and Accounting, on the Primary Domain Controller (PDC) for his domain. And let's say that the User Rights Policy menu, which you see in Screen 1, shows only two entities, Administrators and Domain Users, as having the Log on Locally right. Because BOB is a member of at least one of these groups (Domain Users), he can log on at the PDC. The underlying principle with user rights is that if a user is a member of at least one group that has a specific right, the system will grant the user that right, no matter how many other groups the user belongs to that do not have that right.

Permissions work a little differently. (The Directory Permissions menu is in Screen 2.) Permissions let users and groups have varying degrees of access to resources. For instance, a user can have permission to read and copy a file but not to edit or delete it. Microsoft designed the permissions paradigm so that user access to a resource is a combination of the most restrictive permissions that a user has acquired through group membership plus any permissions directly assigned to this user's account.

The catch arises if the user is a member of any group that has the No Access permission. In this case, the system revokes all permissions to that file or directory, regardless of the permissions that user has through membership in other groups.

This situation means that for a user to gain a level of access to a resource such as a file, directory, or printer, the user's permissions must meet two conditions. First, either the user's account must have explicit permission, or one or more of the groups the user belongs to must have explicit permission. The group permission can be assigned to one group, or it can exist as a combination of the most restrictive of lesser permissions granted to multiple groups, as long as all contributing groups are in the permissions list for that resource. Second, the No Access permission must not be assigned to either the user account or any contributing groups that the user belongs to.
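The user-rights rule and the two conditions for resource access can be checked mechanically when auditing group memberships. The following Python sketch is an added example, not part of the original article: it reports which accounts hold a right and which are locked out of a resource by a No Access entry. The ALICE and CAROL accounts, the Contractors group, and the permissions list are constructed sample data, and the sketch tests only the two conditions without computing the combined permission level.

```python
# Added illustration: a model of the rules described above, not NT code.
NO_ACCESS = "No Access"

def has_right(right, user_groups, rights_policy):
    """User right: membership in ANY one group that holds it is enough."""
    holders = rights_policy.get(right, set())
    return any(group in holders for group in user_groups)

def check_access(user, user_groups, acl):
    """Test the two conditions for one resource.

    acl maps a principal (user or group) to its permission on the resource.
    Returns (allowed, granting_entries, no_access_sources).
    """
    principals = {user} | set(user_groups)
    matching = {p: perm for p, perm in acl.items() if p in principals}
    blockers = sorted(p for p, perm in matching.items() if perm == NO_ACCESS)
    grants = {p: perm for p, perm in matching.items() if perm != NO_ACCESS}
    # Condition 1: at least one explicit entry. Condition 2: no No Access.
    return bool(grants) and not blockers, grants, blockers

def audit(acl, membership):
    """Summarize, per account, why access is or is not possible."""
    report = {}
    for user, groups in membership.items():
        allowed, grants, blockers = check_access(user, groups, acl)
        if blockers:
            report[user] = "blocked by No Access: " + ", ".join(blockers)
        elif allowed:
            report[user] = "allowed via " + ", ".join(sorted(grants))
        else:
            report[user] = "no permission entry"
    return report

# Constructed sample data modelled on the BOB example.
RIGHTS_POLICY = {"Log on Locally": {"Administrators", "Domain Users"}}
MEMBERSHIP = {
    "BOB": ["Domain Users", "Accounting"],
    "ALICE": ["Domain Users", "Accounting", "Contractors"],
    "CAROL": ["Domain Users"],
}
LEDGER_ACL = {"Accounting": "Read", "Contractors": NO_ACCESS,
              "Administrators": "Full Control"}

if __name__ == "__main__":
    for user, groups in MEMBERSHIP.items():
        print(user, has_right("Log on Locally", groups, RIGHTS_POLICY))
    for user, verdict in audit(LEDGER_ACL, MEMBERSHIP).items():
        print(user, "->", verdict)
```

ALICE holds the same Accounting entry as BOB, yet her Contractors membership alone removes her access, which is the case worth looking for when reviewing a permissions list.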

Although user rights and permissions involve a bit of a learning curve, they can provide an effective level of security for resources on your NT domain if you take the time to learn how to use them.


What About Alpha Support?
The Windows NT Magazine Reader to Reader section says one of its goals is to get Microsoft's attention. Well, I've tried everything from posting to Microsoft newsgroups to emailing Bill Gates to find out whether Microsoft plans to support FrontPage Server Extensions on the Digital Alpha platform. To date, I haven't received a satisfactory answer, so I'm writing this open letter to Microsoft in hope of receiving a response.

Dear Bill Gates,

I am a Microsoft Certified Systems Engineer (MCSE), and I support Digital Alpha-based Windows NT servers. My organization has invested heavily in Digital's Alpha technology and Microsoft NT, believing this combination would make an unbeatable tandem to provide network services for our internal staff and external customers.

When Internet Information Server (IIS) came out, we were excited because we saw the opportunity to migrate our UNIX-based Internet service, Industry Connect (www.ncms.org), to NT and base our system entirely on NT. We were further encouraged after testing Microsoft's FrontPage Server Extensions. At last, here was a powerful tool for managing our Web site.

The idea was great. Unfortunately, server extensions are available only for the Intel i386 or higher platform, Sun workstations (SPARC architecture), IRIX 5.3 (Silicon Graphics), HP/UX 9.03 (Hewlett-Packard), BSD/OS 2.1 (BSDi UNIX on Intel architecture), NT, and Windows 95.

What about the NT Digital Alpha platform? Microsoft provides server extensions for UNIX-based servers and platforms but ignores the Alpha. What happened to the Microsoft-Digital alliance that was in the news a few months ago? For companies requiring top-notch performance and reliability, the choice is clear--Alphas offer unmatched performance and reliability for mission-critical applications and services.

We run Microsoft Exchange Server, Systems Management Server (SMS), SQL Server 6.5, and IIS. We are totally dedicated to Microsoft technology because it lets us provide unparalleled services. However, we are extremely disappointed in Microsoft's lack of support for FrontPage IIS Server Extensions for NT Alpha.

All our attempts to find out when to expect Alpha server extensions have been fruitless. Please let the manager of the FrontPage project know that the project's lack of support for Alpha-based systems is hampering customers.

Thank you for your time.