I shouldn't even post this but you can't hurt anyone but yourself doing this stuff theoretically.....
Theoretically you could:

1. ACL the Shares subkey of the LanManServer key with Full Control (or some lower set, but it doesn't matter at this point as you are already insecure) to the person in question - though you would want to use a group for best practices... Heh.
2. ACL the LanManServer service as well as any dependent services to allow stop/start to the admin/group in question.

Then, also theoretically, you could:

1. Create a new value under Shares that is named the name of the share you want. It would theoretically need to be a REG_MULTI_SZ.
2. The data in that value would be:

   CSCFlags=0
   MaxUses=4294967295
   Path=<DISK PATH TO THE SHARE>
   Permissions=0
   Remark=<description of share>
   Type=0

For security of the share, that theoretically may be kept in the Security subkey of the Shares subkey. This theoretically may be a well-known binary format for security descriptors; it theoretically may not. I would theoretically recommend that having Everyone FC on a share is a good thing. Actually no, I like FC on share-level perms, it makes troubleshooting easier, so that part isn't theoretical.

Anyway, after that theoretical work, if you then theoretically stop and start the Server service (and dependents), the folder may theoretically be shared out.

I say this is all theoretical. Again. I say this is theoretical. If you were to theoretically do this and it hurts you badly and your company loses billions, I would say it would have been cheaper to buy a new server and stop trying to bypass good security practices.

Probably the CORRECT way of doing this, if you absolutely HAVE to put file shares on a domain controller, would be to set up a delegated proxy-type web site that has the perms to do this stuff, authenticates the people trying to do it, and lets them do it only on the machines they should do it on.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Lynch
Sent: Friday, May 21, 2004 11:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Security...

I'm wondering if anyone has accomplished the following: provided different security policies to multiple DCs within the same domain, but in different OUs, for field techs to manage resources on just that DC without giving them Server Operators rights.

I have almost all of the requirements resolved, except the ability to create shares. I have modified the security on HKLM\System\CurrentControlSet\Services\LanManserver and HKLM\System\ControlSet001\Services\LanManserver with no success. Every document I have read about where the share definitions are stored says they are located in these two reg keys.

I know the simple way would be to deploy another server to that location and give them local Administrator rights. But management doesn't want to do this.

Thanks for any input,

Chris Lynch

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
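As an added, defensive example that is not part of the thread: a PowerShell audit script that reads the share definitions joe describes (the REG_MULTI_SZ values under LanManServer\Shares) and reports any principal outside an assumed baseline that can write that key or start/stop/reconfigure the Server service, which is exactly the loosened delegation joe warns against. The baseline trustee lists and the assumption that it runs elevated on the DC being audited are mine.

```powershell
# Added audit script, not code from the thread. Lists shares defined under
# LanmanServer\Shares and flags non-baseline principals holding write access on
# that key or start/stop/change-config rights on the Server service.
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
# Baseline trustees (assumption): adjust to your environment's standard build.
$keyBaseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$svcBaseline = @('SY', 'BA')   # SDDL abbreviations for SYSTEM and Administrators

function Get-RegistryDefinedShares {
    # Each value name is a share; its REG_MULTI_SZ data is a list of Key=Value strings.
    $key = Get-Item -Path $sharesKey
    foreach ($name in $key.GetValueNames() | Where-Object { $_ }) {
        $fields = @{}
        foreach ($entry in [string[]]$key.GetValue($name)) {
            $k, $v = $entry -split '=', 2
            $fields[$k] = $v
        }
        [pscustomobject]@{ Share = $name; Path = $fields['Path']; Type = $fields['Type'];
                           MaxUses = $fields['MaxUses']; Remark = $fields['Remark'] }
    }
}

function Get-SharesKeyWriters {
    # Anyone who can set values or create subkeys here can define a new share.
    foreach ($ace in (Get-Acl -Path $sharesKey).Access) {
        $rights = $ace.RegistryRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            $rights -match 'FullControl|SetValue|CreateSubKey|WriteKey' -and
            $keyBaseline -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Trustee = $ace.IdentityReference.Value; Rights = $rights }
        }
    }
}

function Get-ServiceControlGrants {
    # sc.exe prints the service security descriptor as SDDL; in service ACEs
    # RP = start, WP = stop, DC = change configuration.
    $sddl = sc.exe sdshow lanmanserver | Where-Object { $_ -match '^D:' }
    foreach ($m in [regex]::Matches($sddl, '\(A;;([A-Z]+);;;([^)]+)\)')) {
        $rights, $trustee = $m.Groups[1].Value, $m.Groups[2].Value
        if ($rights -match 'RP|WP|DC' -and $svcBaseline -notcontains $trustee) {
            [pscustomobject]@{ Trustee = $trustee; Rights = $rights }
        }
    }
}

Get-RegistryDefinedShares | Format-Table -AutoSize
Get-SharesKeyWriters      | Format-Table -AutoSize
Get-ServiceControlGrants  | Format-Table -AutoSize
```

Any row from the last two functions is a delegation that lets a non-administrator publish a share from a DC by the route joe describes, and is worth reviewing or reverting.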
