Hmmm, seems like when I remove a user from a group that it locks them out of it pretty and without any restart\update.... weird.
Thanks,
Devin Rich
Systems Administrator

On Wed, May 4, 2016 at 11:05 AM, Kennedy, Jim <kennedy...@elyriaschools.org> wrote:

> Group membership is included in the user's Kerberos TGT, so they will still
> have that when they hit the share.
>
> *From:* listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Devin Rich
> *Sent:* Wednesday, May 4, 2016 12:58 PM
> *To:* powersh...@lists.myitforum.com
> *Subject:* Re: [powershell] RE: Server 2008 R2
>
> An alternative idea. If you determine that a user account is running
> ransomware, make your script immediately take note of all groups that the
> user is in and then remove them from all groups.
>
> Every share where that user is a part of a group that has access will stop
> accepting read or write requests (assuming no "everyone" access). Any share
> where that user has explicit permissions won't be affected however. In our
> company, almost no one has any personal preferences set, so this would work
> just fine for us. Might not work at all for you.
>
> Thanks,
>
> Devin Rich
> Systems Administrator
>
> On Wed, May 4, 2016 at 10:25 AM, Wolf, Daniel <da.w...@neopost.com> wrote:
>
> Unfortunately the way authentication works, disabling an account only
> works once the Kerberos ticket is refreshed, which will likely be hours.
> The account must be disabled and the computer rebooted/signed off for it to
> prevent access.
>
> *From:* listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Lemmiksoo, Todd
> *Sent:* Wednesday, May 4, 2016 10:40 AM
> *To:* 'powersh...@lists.myitforum.com' <powersh...@lists.myitforum.com>
> *Subject:* [powershell] RE: Server 2008 R2
>
> What I am trying to do is lock the user's AD account if they have been
> infected with ransomware and are encrypting files on our Windows Server
> 2008R2 file server. I have set up FSRM to monitor a “Honeypot share and
> file” for changes. The idea being to lock the user account so the
> ransomware cannot encrypt files on the file server.
>
> Todd Lemmiksoo
> 225-237-1836
>
> *From:* listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Michael B. Smith
> *Sent:* Wednesday, May 4, 2016 10:19 AM
> *To:* powersh...@lists.myitforum.com
> *Subject:* [powershell] RE: Server 2008 R2
>
> Down-level operating system environments often don’t have the same WMI/CIM
> plumbing as newer operating system environments.
>
> Prior to the SmbShare module, I would use the “net share” command in
> PowerShell and wrap it so it looked like native PowerShell.
>
> You can also use the Wscript.Network object – it works just as well in
> PowerShell as it does in VBScript.
>
> I don’t know exactly what you are trying to do, so I can only give this
> general advice.
>
> *From:* listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Lemmiksoo, Todd
> *Sent:* Wednesday, May 4, 2016 10:20 AM
> *To:* 'powersh...@lists.myitforum.com'
> *Subject:* [powershell] RE: Server 2008 R2
>
> I copied the modules\smbshare folder to the 2008R2 server and now get
> “Invalid namespace” error.
>
> Will try the WMI command.
>
> Still get the invalid namespace error.
>
> Todd Lemmiksoo
> 225-237-1836
>
> *From:* listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Kelley, Matthew
> *Sent:* Wednesday, May 4, 2016 8:53 AM
> *To:* powersh...@lists.myitforum.com
> *Subject:* [powershell] RE: Server 2008 R2
>
> I would try to copy the folder over and see if it works, or just read
> through the script and see if you can pull out the part you need.
>
> C:\Windows\System32\WindowsPowerShell\v1.0\Modules\SmbShare
>
> I opened up the cmdlet definition. It is querying this WMI namespace/class:
>
> gwmi -Namespace "ROOT/Microsoft/Windows/SMB" -Class msft_smbshare | select *
>
> Maybe you can just use that somehow to get what you need?
>
> *From:* listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Lemmiksoo, Todd
> *Sent:* Wednesday, May 04, 2016 9:38 AM
> *To:* powersh...@lists.myitforum.com
> *Subject:* [powershell] Server 2008 R2
>
> I am trying to run a script that has “Get-SmbShare” in it. Is this command
> not available on Server 2008 R2?
>
> I have upgraded the PowerShell version on the server to ver 5.
>
> Todd Lemmiksoo
> System Engineer
> 225-237-1836
>
> General Health System IS
> 8490 Picardy Ave Suite 500B
> Baton Rouge, LA 70809
>
> Confidentiality Notice: This email and its attachments may contain
> privileged and confidential information and/or protected health information
> (PHI) intended solely for the use of the recipient(s) named above. If you
> are not the recipient, or the employee or agent responsible for delivering
> this message to the intended recipient, you are hereby notified that any
> review, dissemination, distribution, printing or copying of this email
> message and/or any attachments is strictly prohibited. If you have received
> this transmission in error, please notify the sender immediately by phone
> or notify the Compliance Hotline at 1-866-737-4448 and permanently delete
> this email and any attachments.
>
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should not
> be used for urgent or sensitive issues
>
> The information contained in this message is privileged, confidential, and
> protected from disclosure. If you are not the intended recipient, you are
> hereby notified that any review, printing, dissemination, distribution,
> copying or other use of this communication is strictly prohibited. If you
> have received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer.
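
Added example, not part of the original thread or any poster's script: one way to implement the suggestion above of taking note of a user's groups and then removing the user from all of them, written against the ActiveDirectory module. The function names, parameters and the snapshot directory are hypothetical.

```powershell
# Added example. Function names, parameters and the snapshot path are hypothetical.
Import-Module ActiveDirectory

function Remove-UserFromAllGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [string]$SnapshotDirectory = 'C:\IR\GroupSnapshots'   # hypothetical location
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # The primary group (usually Domain Users) cannot be removed this way, so skip it.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup })
    if ($groups.Count -eq 0) {
        Write-Warning "$SamAccountName has no removable group memberships."
        return
    }

    # Take note of every group first so access can be restored after cleanup.
    if (-not (Test-Path -Path $SnapshotDirectory)) {
        New-Item -ItemType Directory -Path $SnapshotDirectory | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $snapshot = Join-Path -Path $SnapshotDirectory -ChildPath "$SamAccountName-$stamp.csv"
    $groups | Select-Object Name, DistinguishedName |
        Export-Csv -Path $snapshot -NoTypeInformation

    foreach ($group in $groups) {
        if ($PSCmdlet.ShouldProcess($group.Name, "Remove $SamAccountName")) {
            try {
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
            } catch {
                Write-Warning "Could not remove $SamAccountName from $($group.Name): $_"
            }
        }
    }
    $snapshot   # path of the saved membership list
}

function Restore-UserGroups {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$SnapshotPath
    )
    foreach ($row in Import-Csv -Path $SnapshotPath) {
        Add-ADGroupMember -Identity $row.DistinguishedName -Members $SamAccountName
    }
}
```

As the thread points out, shares that grant access to "Everyone" or to the user explicitly are not affected by removing group memberships.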