Holy wow caped crusader. I have never seen that. This prompts a few questions

1. How far back into the OS'es does that work?
2. Why didn't MS publish a method for people to modify those values? Not many people would know how to convert that to something they could work with and then back again.
3. Why isn't this in the KB?
4. What are all of the other reg values in the same functionality?

Excellent though, thanks a ton Steve. I will see what I can do with this. I expect I will be brewing up a joeware tool or two to work on these. I may try to make a generic SD modifier tool, you point at the binary store and it yanks out the value and displays it or modifies it. I may actually make, <inshock> a gui! </inshock>.

:o)

  joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Friday, July 16, 2004 11:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Share creation permissions

You can indeed have a user be a power user - or even an admin, and remove the ability to create shares. Bruce already pointed out, if they are not power users or admins then they already cannot create file\print shares.

There is a registry value called SrvsvcShareFileInfo under \lanmanserver\DefaultSecurity which can be edited in order to remove the "right".

This is covered in the security FAQ here..
http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx

Share creation restrictions. Access to share operations such as creating a share, changing share information, and deleting a share, are controlled by security descriptors. On a server, administrators can decide who can/cannot perform certain share operations. For example, on a file server, administrators should be able to delegate or remove Power Users to create file shares. The ability to create/delete shares is controlled by an ACE in the security descriptor, where Power Users can be added/removed from the security descriptor to allow or deny the ability.
The security descriptors are stored in the registry by SRV service, under LanManServer\DefaultSecurity, as following:

. SrvsvcShareFileInfo, REG_BINARY: Permission to control access on file share operation.
. SrvsvcSharePrintInfo, REG_BINARY: Permission to control access on print share operation.
. SrvsvcShareAdminInfo, REG_BINARY

Keep in mind that this is really just security by obscurity, as the admin can obviously just pop him\her self back in there. I guess I would need to determine how smart my end users really were in this case :)

my .02
-steve

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 16, 2004 3:10 PM
Subject: RE: [ActiveDir] Share creation permissions

> Make them normal users.
>
> Unfortunately that work is proxied through svchost so you can't lock down by
> group other than what MS supplies by default.
>
> Yes, that is archaic and not very security minded.
>
>   joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
> Contr InDyne/Enterprise IT
> Sent: Friday, July 16, 2004 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Share creation permissions
>
> I have a proposed requirement to restrict the ability to create shares on
> the workstation to all but a few people within the domain. Anyone have an
> idea as to how to do this?
>
> v/r
>
> RC
>
> Comments and concerns can be directed back to me, complaints can be directed
> to /dev/null

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
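
Added example, not part of the original thread and not a joeware tool: one way to turn a REG_BINARY value such as SrvsvcShareFileInfo into a readable list of ACEs for auditing. It assumes the value holds a standard self-relative security descriptor (the thread does not show the bytes); the sample blob and its access mask are constructed, and the function names are hypothetical.

```python
import struct

def sid_to_str(buf, off):
    """Decode a binary SID at buf[off:]; return (string form, byte length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 6 bytes, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # little-endian DWORDs
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def str_to_sid(text):
    """Encode an S-1-... string as a binary SID (used to build the sample)."""
    parts = [int(p) for p in text.split("-")[1:]]
    rev, authority, subs = parts[0], parts[1], parts[2:]
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def build_sd(aces):
    """Build a self-relative SD holding only a DACL of (type, mask, sid) ACEs."""
    body = b""
    for ace_type, mask, sid in aces:
        sid_bytes = str_to_sid(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid_bytes), mask) + sid_bytes
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    # Control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; the DACL starts at offset 20.
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

def parse_dacl(blob):
    """Return [(ace_type, mask, sid_string)] from a self-relative SD's DACL."""
    rev, _, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & 0x8000:
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:
        return []                      # no DACL, or a NULL DACL
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, dacl_off)
    if dacl_off + acl_size > len(blob):
        raise ValueError("DACL runs past the end of the value")
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", blob, off)
        if ace_type in (0, 1):         # ACCESS_ALLOWED / ACCESS_DENIED: mask then SID
            aces.append((ace_type, mask, sid_to_str(blob, off + 8)[0]))
        off += ace_size                # skip by the declared size, whatever the type
    return aces

# Constructed sample: the mask 0x1 is a placeholder, not the service's real access bits.
SAMPLE = build_sd([(0, 0x1, "S-1-5-32-544"), (0, 0x1, "S-1-5-32-547")])

if __name__ == "__main__":
    for ace_type, mask, sid in parse_dacl(SAMPLE):
        print("ALLOW" if ace_type == 0 else "DENY", hex(mask), sid)
```

S-1-5-32-544 and S-1-5-32-547 are the well-known SIDs for the built-in Administrators and Power Users groups; on a real machine the bytes would come from the exported registry value rather than from build_sd.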
