inline..

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 17, 2004 5:49 AM
Subject: RE: [ActiveDir] Share creation permissions

> Holy wow caped crusader. I have never seen that. This prompts a few
> questions
>
> 1. How far back into the OS'es does that work?

[steve] - looks like Win2k

> 2. Why didn't MS publish a method for people to modify those values. Not
> many people would know how to convert that to something they could work with
> and then back again.

[steve] - I just found that the XP powertoys (tweakui) can modify these with a GUI

> 3. Why isn't this in the KB?

[steve] because.... well long story. But someone with some free time... ahahah!! Eric! can push one thru :)

> 4. What are all of the other reg values in the same functionality?

[steve] Not quite sure I understand the question.. You mean what are all the values under DefaultSecurity and how are they used? I am not sure of this off the top of my head, but can look into it next week maybe.

> Excellent though, thanks a ton Steve. I will see what I can do with this. I
> expect I will be brewing up a joeware tool or two to work on these. I may
> try to make a generic SD modifier tool, you point at the binary store and it
> yanks out the value and displays it or modifies it. I may actually make,
> <inshock> a gui! </inshock>. :o)
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
> Sent: Friday, July 16, 2004 11:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Share creation permissions
>
> You can indeed have a user be a power user - or even an admin, and remove
> the ability to create shares.
>
> Bruce already pointed out, if they are not power users or admins then they
> already cannot create file\print shares.
>
> There is a registry value called SrvsvcShareFileInfo under
> \lanmanserver\DefaultSecurity which can be edited in order to remove the
> "right".
>
> This is covered in the security FAQ here..
> http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx
>
> Share creation restrictions.
> Access to share operations such as creating a
> share, changing share information, and deleting a share, are controlled by
> security descriptors. On a server, administrators can decide who can/cannot
> perform certain share operations. For example, on a file server,
> administrators should be able to delegate or remove Power Users to create
> file shares. The ability to create/delete shares is controlled by an ACE in
> the security descriptor, where Power Users can be added/removed from the
> security descriptor to allow or deny the ability.
> The security descriptors are stored in the registry by SRV service, under
> LanManServer\DefaultSecurity, as follows:
>
> - SrvsvcShareFileInfo, REG_BINARY: Permission to control access on
>   file share operation.
>
> - SrvsvcSharePrintInfo, REG_BINARY: Permission to control access on
>   print share operation.
>
> - SrvsvcShareAdminInfo, REG_BINARY
>
> Keep in mind that this is really just security by obscurity, as the admin
> can obviously just pop him\her self back in there. I guess I would need to
> determine how smart my end users really were in this case :)
>
> my .02
> -steve
>
> ----- Original Message -----
> From: "joe" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 16, 2004 3:10 PM
> Subject: RE: [ActiveDir] Share creation permissions
>
> > Make them normal users.
> >
> > Unfortunately that work is proxied through svchost so you can't lock down by
> > group other than what MS supplies by default.
> >
> > Yes, that is archaic and not very security minded.
> >
> > joe
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
> > Contr InDyne/Enterprise IT
> > Sent: Friday, July 16, 2004 12:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Share creation permissions
> >
> > I have a proposed requirement to restrict the ability to create shares on
> > the workstation to all but a few people within the domain. Anyone have an
> > idea as to how to do this?
> >
> > v/r
> >
> > RC
> >
> > Comments and concerns can be directed back to me, complaints can be directed
> > to /dev/null
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
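
The thread describes these values as REG_BINARY security descriptors that few people would know how to convert into something readable. The following is an added example, not code from any participant in the thread or from Microsoft: a minimal decoder for the self-relative security descriptor layout that lists the allow/deny ACEs in the DACL. The sample bytes are constructed for illustration, the access mask is a placeholder (the thread does not say what the mask bits mean for share operations), and the function names are hypothetical.

```python
import struct

# Well-known SIDs for the groups named in this thread.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}
ACE_TYPES = {0: "ALLOW", 1: "DENY"}  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Return [(type, sid, mask)] for a self-relative security descriptor."""
    if len(sd) < 20:
        raise ValueError("too short for a security descriptor header")
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE
        raise ValueError("not a revision 1 self-relative descriptor")
    if not control & 0x0004 or dacl_off == 0:   # SE_DACL_PRESENT
        return []
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    end = dacl_off + acl_size
    if end > len(sd):
        raise ValueError("DACL runs past the end of the value")
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8 or off + ace_size > end:
            raise ValueError("ACE size is inconsistent with the ACL size")
        if ace_type in ACE_TYPES:               # layout: header, mask, SID
            (mask,) = struct.unpack_from("<I", sd, off + 4)
            aces.append((ACE_TYPES[ace_type], parse_sid(sd, off + 8), mask))
        off += ace_size
    return aces

# Constructed sample input (not a dump from a real machine); mask 0x3 is a placeholder.
def _sid(*subs):
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

_aces = _ace(0, 0x3, _sid(32, 544)) + _ace(0, 0x3, _sid(32, 547))
_dacl = struct.pack("<BBHHH", 2, 0, 8 + len(_aces), 2, 0) + _aces
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + _dacl

if __name__ == "__main__":
    for kind, sid, mask in parse_dacl(SAMPLE_SD):
        print(kind, WELL_KNOWN.get(sid, sid), hex(mask))
```

Run against an exported copy of one of the values, a listing like this shows which groups hold an ACE, so a change such as a Power Users entry disappearing or reappearing can be compared against a known baseline.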
