Call it a flaw. Call it a problem. Call it a bug. Call it a WAD (works as designed). But in any case, you should be called crazy if you ever assign Full Control to any group. Take the example below. I would bet that 95% of you reading this have a similar situation with your permissions. Have you ever paid attention to those 13 permissions you can allow and deny in Windows 2000 and Windows 2003? Under NT 4 life was simple: 6 permissions to grant access and 1 to take it all away. However, the crazy idea we are about to show here was alive and well in Windows NT 4. It was called the "hidden FDC" permission, and I only saw it mentioned in 2 books published for Windows NT 4. Even then, no one highlighted the dangers.
Suppose you have the following:

By assigning Full Control to a group of users you are "allowing the inmates to run the prison." Now, we cannot change the idea of discretionary access control, where every resource has an owner and it is at his or her discretion who can access his or her file. What a nice idea to let users control their permissions, right? Wrong. Permissions in the Windows world are more complicated than the simple RWX for user, group and world found in UNIX. NT4 had 6 permissions to give access.
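To see in practice what Full Control hands out beyond Modify, and to find where a tree already grants it to a group, here is an added PowerShell example (not from the original post). It asks the .NET `FileSystemRights` enum which bits Full Control carries that Modify does not, one of which is `DeleteSubdirectoriesAndFiles`, the GUI's "Delete Subfolders and Files" and the NT 4 "hidden FDC" right, and then walks a directory tree reporting every Allow ACE that grants Full Control or that bit. The path `C:\Shares\Projects` and the list of broad principals are placeholders I chose for the example.

```powershell
# Added example, not the post's own code. Assumes a Windows host with NTFS.
using namespace System.Security.AccessControl

function Get-FullControlExtras {
    # Rights present in FullControl but absent from Modify, derived from the
    # enum values themselves rather than hard-coded.
    $full   = [int][FileSystemRights]::FullControl
    $modify = [int][FileSystemRights]::Modify
    $extra  = $full -band (-bnot $modify)
    [Enum]::GetNames([FileSystemRights]) |
        Where-Object { $v = [int][FileSystemRights]$_; ($v -band $extra) -eq $v } |
        Sort-Object -Unique
}

function Find-FullControlGrants {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Principals that are never one person; a Full Control grant to any of
        # these is the "inmates run the prison" case. Placeholder list.
        [string[]] $BroadPrincipals = @('Everyone',
                                        'BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users')
    )
    $fullBits = [int][FileSystemRights]::FullControl
    $fdcBit   = [int][FileSystemRights]::DeleteSubdirectoriesAndFiles

    # The root folder plus every subfolder beneath it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Directory)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
            $rights  = [int]$ace.FileSystemRights
            $hasFull = ($rights -band $fullBits) -eq $fullBits
            $hasFdc  = ($rights -band $fdcBit) -ne 0
            if (-not ($hasFull -or $hasFdc)) { continue }
            $who = $ace.IdentityReference.Value
            [pscustomobject]@{
                Path        = $item.FullName
                Identity    = $who
                Inherited   = $ace.IsInherited
                FullControl = $hasFull
                DeleteChild = $hasFdc          # the "hidden FDC" right
                Broad       = $BroadPrincipals -contains $who
            }
        }
    }
}

# Usage: list what Full Control adds, then find explicit grants to broad groups.
Get-FullControlExtras
Find-FullControlGrants -Path 'C:\Shares\Projects' |   # placeholder path
    Where-Object { $_.Broad -and -not $_.Inherited } |
    Format-Table -AutoSize
```

`Get-FullControlExtras` reports `ChangePermissions`, `DeleteSubdirectoriesAndFiles` and `TakeOwnership`: the three rights a group picks up when it is given Full Control instead of Modify, and the reason the post says Full Control should never go to a group. The second command narrows the report to explicit (non-inherited) grants to broad principals, which are the ACEs to replace with Modify; inherited rows point back to the parent folder where the grant actually lives.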












