2 address Problem:
By using ADUC you may delegate the right to create/delete Shared folder
objects to the group you like.
2 address Bonus Problem:
Do not modify the default share, just create an additional one. On the
"Sharing" tab of the drive just press "new share" and set permissions you
like.
P.s. Hope I understood your problem correctly :)
Alex
MCSE, MCSA Security, CCNA
-----Original Message-----
From: Monrad.DC (at) forces.gc (dot) ca [email concealed] [mailto:Monrad.DC (at) forces.gc (dot) ca [email concealed]]
Sent: Tuesday, September 05, 2006 5:39 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Share Permissions
We have several W2K3 file & print servers maintained by our server team.
I am trying to follow least privileges principles and set up permissions for
our account operators to have the minimum required rights on these servers
to do their jobs.
Done:
1. Create personal folders - No problem, NTFS rights on a folder for user
drives solves this.
2. Set permissions on personal folders - No problem - Full rights for techs
so they can set permissions.
Problem:
Create shares - As far as I can tell, only power users and administrators
have the rights to create shares.
I don't want the account operators to have the additional rights that come
with the power user group.
Bonus Problem:
We have numerous drives holding different shares based on department and
function. Giving the account operators rights to traverse through the root
share on all non -system shares would ease their job. The ability to create
a share using MMC and navigate through the root to the user share is just
one example of this. I have not been able to find a way to effectively
change the permissions on the root share (i.e. F$) without disabling all
admin shares and creating more problems after a reboot or server service
restart.
2 address Problem:
By using ADUC you may delegate the right to create/delete Shared folder
objects to the group you like.
2 address Bonus Problem:
Do not modify the default share, just create an additional one. On the
"Sharing" tab of the drive just press "new share" and set permissions you
like.
P.s. Hope I understood your problem correctly :)
Alex
MCSE, MCSA Security, CCNA
-----Original Message-----
From: Monrad.DC (at) forces.gc (dot) ca [email concealed] [mailto:Monrad.DC (at) forces.gc (dot) ca [email concealed]]
Sent: Tuesday, September 05, 2006 5:39 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Share Permissions
We have several W2K3 file & print servers maintained by our server team.
I am trying to follow least privileges principles and set up permissions for
our account operators to have the minimum required rights on these servers
to do their jobs.
Done:
1. Create personal folders - No problem, NTFS rights on a folder for user
drives solves this.
2. Set permissions on personal folders - No problem - Full rights for techs
so they can set permissions.
Problem:
Create shares - As far as I can tell, only power users and administrators
have the rights to create shares.
I don't want the account operators to have the additional rights that come
with the power user group.
Bonus Problem:
We have numerous drives holding different shares based on department and
function. Giving the account operators rights to traverse through the root
share on all non -system shares would ease their job. The ability to create
a share using MMC and navigate through the root to the user share is just
one example of this. I have not been able to find a way to effectively
change the permissions on the root share (i.e. F$) without disabling all
admin shares and creating more problems after a reboot or server service
restart.
Any help would be appreciated.
Drew
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]