inline..

----- Original Message ----- 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 17, 2004 5:49 AM
Subject: RE: [ActiveDir] Share creation permissions


> Holy wow caped crusader. I have never seen that. This prompts a few
> questions
>
> 1. How far back into the OS'es does that work? [steve] - looks like Win2k
>
> 2. Why didn't MS publish a method for people to modify those values. Not
> many people would know how to convert that to something they could work
> with and then back again.  [steve] - I just found that the XP powertoys
> (tweakui) can modify these with a GUI
>
> 3. Why isn't this in the KB? [steve] because.... well  long story. But
> someone with some free time... ahahah!! Eric! can push one thru :)
>
> 4. What are all of the other reg values in the same functionality? [steve]
> Not quite sure I understand the question.. You mean what are all the
> values under DefaultSecurity and how are they used? I am not sure of this
> off the top of my head, but can look into it next week maybe.


>
>
> Excellent though, thanks a ton Steve. I will see what I can do with this.
> I expect I will be brewing up a joeware tool or two to work on these. I may
> try to make a generic SD modifier tool, you point at the binary store and
> it yanks out the value and displays it or modifies it. I may actually make,
> <inshock> a gui! </inshock>. :o)
>
>
>   joe
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
> Sent: Friday, July 16, 2004 11:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Share creation permissions
>
> You can indeed have a user be a power user - or even an admin, and remove
> the ability to create shares.
>
> Bruce already pointed out, if they are not power users or admins then they
> already cannot create file\print shares.
>
> There is a registry value called SrvsvcShareFileInfo under
> \lanmanserver\DefaultSecurity which can be edited in order to remove the
> "right".
>
> This is covered in the security FAQ here..
>
> http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx
>
>
> Share creation restrictions. Access to share operations such as creating a
> share, changing share information, and deleting a share, are controlled by
> security descriptors. On a server, administrators can decide who can/cannot
> perform certain share operations. For example, on a file server,
> administrators should be able to delegate or remove Power Users to create
> file shares. The ability to create/delete shares is controlled by an ACE in
> the security descriptor, where Power Users can be added/removed from the
> security descriptor to allow or deny the ability.
> The security descriptors are stored in the registry by SRV service, under
> LanManServer\DefaultSecurity, as follows:
>
>       . SrvsvcShareFileInfo, REG_BINARY: Permission to control access on
> file share operation.
>
>       . SrvsvcSharePrintInfo, REG_BINARY: Permission to control access on
> print share operation.
>
>       . SrvsvcShareAdminInfo, REG_BINARY
>
>
>
>
> Keep in mind that this is really just security by obscurity, as the admin
> can obviously just pop him\her self back in there. I guess I would need to
> determine how smart my end users really were in this case :)
>
>
> my .02
> -steve
>
>
> ----- Original Message -----
> From: "joe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 16, 2004 3:10 PM
> Subject: RE: [ActiveDir] Share creation permissions
>
>
> > Make them normal users.
> >
> >
> > Unfortunately that work is proxied through svchost so you can't lock down
> > by group other than what MS supplies by default.
> >
> > Yes, that is archaic and not very security minded.
> >
> >    joe
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
> > Contr InDyne/Enterprise IT
> > Sent: Friday, July 16, 2004 12:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Share creation permissions
> >
> > I have a proposed requirement to restrict the ability to create shares on
> > the workstation to all but a few people within the domain.  Anyone have an
> > idea as to how to do this?
> >
> >
> >
> > v/r
> >
> > RC
> >
> > Comments and concerns can be directed back to me, complaints can be
> > directed to /dev/null
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
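
Added example (not part of the original thread and not anyone's posted code): a read-only decoder of the kind joe describes, which takes the raw bytes of a REG_BINARY value such as SrvsvcShareFileInfo and lists who holds an allow ACE. It assumes the value is a standard self-relative security descriptor; the function names, the sample bytes and the access mask are constructed for illustration.

```python
import struct

WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}
ACE_TYPES = {0: "ALLOW", 1: "DENY"}  # ACCESS_ALLOWED_ACE_TYPE / ACCESS_DENIED_ACE_TYPE

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return [(type, mask, sid)] for a self-relative SD, or None if it has no DACL."""
    rev, _, control, _, _, _, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:       # SE_SELF_RELATIVE must be set
        raise ValueError("not a revision-1 self-relative security descriptor")
    if not control & 0x0004 or dacl == 0:      # SE_DACL_PRESENT clear: no DACL
        return None
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl)
    end = dacl + acl_size
    if end > len(sd):
        raise ValueError("ACL runs past the end of the buffer")
    aces, off = [], dacl + 8                   # ACEs follow the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_size < 16 or off + ace_size > end:
            raise ValueError("ACE size out of bounds")
        if ace_type in ACE_TYPES:              # layout: header, 32-bit mask, SID
            aces.append((ACE_TYPES[ace_type], mask, parse_sid(sd, off + 8)))
        off += ace_size                        # other ACE types are skipped
    return aces

def allowed_names(sd):
    """Trustees with an ALLOW ACE; None if the SD has no DACL (unrestricted)."""
    dacl = parse_dacl(sd)
    return None if dacl is None else [WELL_KNOWN.get(s, s) for t, _, s in dacl if t == "ALLOW"]

def build_sample(rids):
    """Constructed test input: an SD whose DACL allows BUILTIN groups by RID."""
    body = b""
    for rid in rids:
        sid = struct.pack("<BB", 1, 2) + (5).to_bytes(6, "big") + struct.pack("<II", 32, rid)
        body += struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x000F0003) + sid  # arbitrary mask
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(rids), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

if __name__ == "__main__":
    print(allowed_names(build_sample([544, 547])))
```

Comparing the output before and after a change shows whether the Power Users ACE is actually gone, and re-running it later catches an admin who has put it back.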
