3. You can use your special MVP powers to write one. ;)
 
--brian

        -----Original Message----- 
        From: joe [mailto:[EMAIL PROTECTED] 
        Sent: Sat 7/17/2004 7:49 AM 
        To: [EMAIL PROTECTED] 
        Cc: 
        Subject: RE: [ActiveDir] Share creation permissions
        
        

        Holy wow caped crusader. I have never seen that. This prompts a few
        questions
        
        1. How far back into the OS'es does that work?
        
        2. Why didn't MS publish a method for people to modify those values? Not
        many people would know how to convert that to something they could work with
        and then back again.
        
        3. Why isn't this in the KB?
        
        4. What are all of the other reg values in the same functionality?
        
        
        Excellent though, thanks a ton Steve. I will see what I can do with this. I
        expect I will be brewing up a joeware tool or two to work on these. I may
        try to make a generic SD modifier tool, you point at the binary store and it
        yanks out the value and displays it or modifies it. I may actually make,
        <inshock> a gui! </inshock>. :o)
        
         
          joe
        
         
        
        -----Original Message-----
        From: [EMAIL PROTECTED]
        [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
        Sent: Friday, July 16, 2004 11:37 PM
        To: [EMAIL PROTECTED]
        Subject: Re: [ActiveDir] Share creation permissions
        
        You can indeed have a user be a power user - or even an admin, and remove
        the ability to create shares.
        
        Bruce already pointed out, if they are not power users or admins then they
        already cannot create file\print shares.
        
        There is a registry value called SrvsvcShareFileInfo under
        \lanmanserver\DefaultSecurity which can be edited in order to remove the
        "right".
        
        This is covered in the security FAQ here..
        http://www.microsoft.com/windowsserver2003/community/centers/security/security_faq.mspx
        
        
        Share creation restrictions. Access to share operations such as creating a
        share, changing share information, and deleting a share, are controlled by
        security descriptors. On a server, administrators can decide who can/cannot
        perform certain share operations. For example, on a file server,
        administrators should be able to delegate or remove Power Users to create
        file shares. The ability to create/delete shares is controlled by an ACE in
        the security descriptor, where Power Users can be added/removed from the
        security descriptor to allow or deny the ability.
        The security descriptors are stored in the registry by SRV service, under
        LanManServer\DefaultSecurity, as following:
        
              . SrvsvcShareFileInfo, REG_BINARY: Permission to control access on
        file share operation.
        
              . SrvsvcSharePrintInfo, REG_BINARY: Permission to control access on
        print share operation.
        
              . SrvsvcShareAdminInfo, REG_BINARY
        
        
        
        
        Keep in mind that this is really just security by obscurity, as the admin
        can obviously just pop him\her self back in there. I guess I would need to
        determine how smart my end users really were in this case :)
        
        
        my .02
        -steve
        
        
        ----- Original Message -----
        From: "joe" <[EMAIL PROTECTED]>
        To: <[EMAIL PROTECTED]>
        Sent: Friday, July 16, 2004 3:10 PM
        Subject: RE: [ActiveDir] Share creation permissions
        
        
        > Make them normal users.
        >
        >
        > Unfortunately that work is proxied through svchost so you can't lock down by
        > group other than what MS supplies by default.
        >
        > Yes, that is archaic and not very security minded.
        >
        >    joe
        >
        >
        >
        > -----Original Message-----
        > From: [EMAIL PROTECTED]
        > [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A
        > Contr InDyne/Enterprise IT
        > Sent: Friday, July 16, 2004 12:09 PM
        > To: [EMAIL PROTECTED]
        > Subject: [ActiveDir] Share creation permissions
        >
        > I have a proposed requirement to restrict the ability to create shares on
        > the workstation to all but a few people within the domain.  Anyone have an
        > idea as to how to do this?
        >
        >
        >
        > v/r
        >
        > RC
        >
        > Comments and concerns can be directed back to me, complaints can be directed
        > to /dev/null
        
        List info   : http://www.activedir.org/mail_list.htm
        List FAQ    : http://www.activedir.org/list_faq.htm
        List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
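
On the question raised in the thread of converting these values into something workable and back: the following is an added example (not part of the thread, and not joeware or Microsoft code) that reads the three values without modifying them, prints each as SDDL with its ACEs, and checks the SDDL-to-binary round trip. The full key path under HKLM and the self-relative descriptor layout are assumptions; the thread gives only `\lanmanserver\DefaultSecurity`.

```powershell
# Added example. Read-only audit: nothing is written back to the registry.
# Assumption: full key path (the thread gives only ...\lanmanserver\DefaultSecurity).
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$Values  = 'SrvsvcShareFileInfo', 'SrvsvcSharePrintInfo', 'SrvsvcShareAdminInfo'
$All     = [System.Security.AccessControl.AccessControlSections]::All

function ConvertTo-BinarySD {
    # SDDL string -> self-relative security descriptor bytes (REG_BINARY form).
    param([Parameter(Mandatory)][string]$Sddl)
    $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    , $bytes   # unary comma keeps the byte[] from being unrolled
}

function Resolve-SidName {
    # Best-effort SID -> account name; falls back to the SID string.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

foreach ($name in $Values) {
    $raw = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $raw) { Write-Output "${name}: value not present"; continue }

    # Assumption: the REG_BINARY data is a self-relative security descriptor.
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
    $sddl = $sd.GetSddlForm($All)
    Write-Output "${name}: $sddl"

    # One line per ACE: type, trustee, raw access mask.
    # The mask bits are specific to the Server service and are not decoded here.
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = Resolve-SidName $ace.SecurityIdentifier
        Write-Output ('    {0,-14} {1,-40} 0x{2:X8}' -f $ace.AceType, $who, $ace.AccessMask)
    }

    # Round trip: SDDL -> bytes -> SDDL must give the same descriptor.
    $back  = ConvertTo-BinarySD $sddl
    $again = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$back, 0)
    if ($again.GetSddlForm($All) -ne $sddl) {
        Write-Warning "${name}: SDDL round trip changed the descriptor"
    }
}
```

Saving the SDDL output per machine gives a baseline against which later changes to these descriptors can be detected.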
        
