Hi Monrad, Just my 2p worth, but, coming from a UK security cleared (DV) background, my recommendation would be to vet your staff rather than restricting their access. Access permissions are great, and they do add 30 seconds or so on to any social engineering attack success. Your best bet is to vet your employees, make sure they are kosher, and change their passwords when they leave....
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 05 September 2006 15:39 To: [email protected] Subject: Share Permissions We have several W2K3 file & print servers maintained by our server team. I am trying to follow least privileges principles and set up permissions for our account operators to have the minimum required rights on these servers to do their jobs. Done: 1. Create personal folders - No problem, NTFS rights on a folder for user drives solves this. 2. Set permissions on personal folders - No problem - Full rights for techs so they can set permissions. Problem: Create shares - As far as I can tell, only power users and administrators have the rights to create shares. I don't want the account operators to have the additional rights that come with the power user group. Bonus Problem: We have numerous drives holding different shares based on department and function. Giving the account operators rights to traverse through the root share on all non -system shares would ease their job. The ability to create a share using MMC and navigate through the root to the user share is just one example of this. I have not been able to find a way to effectively change the permissions on the root share (i.e. F$) without disabling all admin shares and creating more problems after a reboot or server service restart. Any help would be appreciated. Drew --------------------------------------------------------------------------- --------------------------------------------------------------------------- -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.405 / Virus Database: 268.11.7/437 - Release Date: 04/09/2006 --------------------------------------------------------------------------- ---------------------------------------------------------------------------
