Restricting Microsoft® Windows NT® Account Lists

Microsoft Corporation

Updated April 15, 1999

In Microsoft FrontPage® 98 and later, you can set up a single user and group list for each FrontPage-extended web. Then, when administrators use the FrontPage client to give permissions to administrators, authors, and site visitors, they do not see the full Microsoft Windows NT® account list of the server. This lets you protect the confidentiality of your user community.

To set up restricted Windows NT account lists, do the following:

Set a FrontPage registry key to indicate that you want to restrict Windows NT account lists.
Using the Windows NT User Manager, create a group to contain the account list you want to use. This group must follow the naming convention described in "Naming the Restricted Group," below. You can set up a group for a root FrontPage-extended web or for a nested subweb.
Add the users and groups to the group you created.

Setting the registry key

You can set a global registry key to enable restricted Windows NT account lists for all virtual servers on the Microsoft Internet Information Server (IIS) server, or you can restrict Windows NT account lists for any single servers.

To globally enable Windows NT computer account list restrictions, set the value of the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports\RestrictIISUsersAndGroups to 1.
To enable Windows NT computer account list restrictions for a specific virtual server, set the value of the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\Ports\Port port name\RestrictIISUsersAndGroups to 1.

You can set the global RestrictIISUsersAndGroups to 0 to globally disable restrictions, and then you can override the setting on specific virtual servers.

Naming the restricted group

If user and group restrictions are enabled for a given FrontPage-extended web, the server extensions look for a Windows NT group named with the following convention:

FP_[VirtualServer][_Directories][_Subweb]

On a multihosted IIS2.0/3.0 machine, [VirtualServer] is the server's IP address and port number combination, and [_Directories][_Subweb] is the URL of the subweb. An example for the root web is FP_172.17.123.255:80. For a subweb, an example is FP_172.17.123.255:80_directory1_MySubWeb1_directory2_MySubWeb2. This is the nested subweb at the URL http://172.17.123.255:80/directory1/MySubWeb1/directory2/MySubWeb2. On a single-hosted machine, [VirtualServer] is the port number. For example, FP_80 is the virtual server at port 80 when this port is not specifically bound to an IP address in the Internet Service Manager.

On IIS 4.0 and later, [VirtualServer] can be of the form /LM/W3SVC/N, where N is an instance number. An example of this form for a root web is FP_/LM/W3SVC/1. An example for a subweb of this virtual server is FP_/LM/W3SVC/1_MySubWeb. Another variation of this form is to use the host name. For a root web, an example is FP_www.microsoft.com:80, and for a subweb, FP_www.microsoft.com:80_MySubWeb. On a single-hosted machine, [Virtual Server] could be configured as the port number, as in FP_80. The other IIS 4.0 options will work in this case as well.

If restrictions are enabled on a subweb but no local group is defined, the FrontPage Server Extensions look for the group of the parent web and use it, if it exists. This is repeated recursively if the subweb is nested within another subweb. If no appropriately named group is found, then no restriction is placed on permissions.