They aren't creating random shares, we don't use DFS, we had given them the permissions we wanted on the shares but it's not being done, and other stuff that needs to stop and quickly, so we are taking back control in the Server Engineering group (don't ask, long story).

We have a lot of file servers with user shares, because of a lack of quotas (no policy, no mgmt support), therefore we can't limit the amount of data stored accordingly. So we basically need to clean house, limit access and make it right (sorry, Holmes on Homes show :) ).

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Steven Peck [mailto:[email protected]]
Sent: Wednesday, September 01, 2010 6:32 PM
To: NT System Admin Issues
Subject: Re: Trying to limit my helpdesk to Power User rights,

Why would they be creating random shares? We have a DFS root and shares we create now, but even before DFS, every share has a <shareName>_r and <shareName>_m (read and modify) group created. Support Center and Security groups here add/remove people to or from those groups to grant/remove access. We do NOT grant shares below shares. The Description field of the share and the groups are populated with an 'owner' and backup name from the business group. When access or audit questions arise, query them. Now, there are 'non-standard' shares/groups out there. We arbitrarily fix them to standard when we find them. No access to the servers needed.

Steven

On Wed, Sep 1, 2010 at 3:12 PM, Ziots, Edward <[email protected]> wrote:

The only folks with full control on the folders are the local administrators; the local administrators are highly restricted to about four people in this new arrangement, therefore the helpdesk folks wouldn't even have full control on the underlying NTFS structure, because even then they could basically delete or destroy the existing file structure accordingly, which is what we don't want.

Again, when I use the MMC snap-in Shared Folders and point it to the Windows 2008 R2 server in question as a Power User, I can't see the folders on the server (because Power Users don't have access to the root shares C$, D$, etc.), therefore they can't create the directory structure before they create the share, which creates a problem for them. I can grant them RDP access to the server as Power Users and they can create the share from there accordingly with the Shared Folders snap-in without an issue. If they are administrators, they can do it remotely and on the server, but again, due to all the problems and misconfiguration in the past, and issues we have had to clean up, we might as well take the reins back, limit the access and manage it accordingly, so it's done right and audited accordingly. Hopefully that clears stuff up.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Jonathan Link [mailto:[email protected]]
Sent: Wednesday, September 01, 2010 5:54 PM
To: NT System Admin Issues
Subject: Re: Trying to limit my helpdesk to Power User rights,

I never used a snap-in to apply NTFS permissions; I might be missing something. Does it give you something that the right-click Security tab doesn't? I apply NTFS permissions through Windows shares. My daily user account has full control over a select group of folders on our file server. I can access a folder through the share and modify permissions. In a previous job I ran as DA as my regular user account, because I was young and dumb; I adjusted permissions regularly through the shares. Yes, it might not be what they are used to, and they can't create shares this way, but there's no reason that they can't change NTFS permissions. I may not understand your needs, either.

On Wed, Sep 1, 2010 at 4:57 PM, Ziots, Edward <[email protected]> wrote:

I am not sure. I can tell you if I log in to the server as a Power User, I can create the share and permissions accordingly as needed. If I try this via the Shared Folders snap-in remotely, I can't see the drives accordingly, nor create a folder, etc., as a Power User of the system. Compmgmt.msc snap-in, same deal. Actually Creator Owner has Full Control on the directory that is created, but I will see if that translates to having access at the share/NTFS when I create it and grant them the appropriate rights, as compared to them creating it via Power User rights.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Jonathan Link [mailto:[email protected]]
Sent: Wednesday, September 01, 2010
To: NT System Admin Issues
Subject: Re: Trying to limit my helpdesk to Power User rights,

Reread the initial email. If someone from the server group creates the share, and the helpdesk group has full control on the NTFS permissions, they can change permissions from the share, no?

On Wed, Sep 1, 2010 at 4:45 PM, Jonathan Link <[email protected]> wrote:

As in file permissions?

On Wed, Sep 1, 2010 at 4:42 PM, Ziots, Edward <[email protected]> wrote:

Yep. Looks like we are going to have to go that way; problem is they field a lot of calls about permissions and directories and not gaining access, etc., which is now just going to fall on the Server Engineering group. More pain... more pain, because things aren't done right in the first place.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Crawford, Scott [mailto:[email protected]]
Sent: Wednesday, September 01, 2010 4:38 PM
To: NT System Admin Issues
Subject: RE: Trying to limit my helpdesk to Power User rights,

I would manage the permissions myself. If you don't want them to be admins, you shouldn't be making them Power Users either. Power Users are Admins who have not made themselves admins yet: http://blogs.technet.com/b/jesper_johansson/archive/2006/03/12/421870.aspx

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, September 01, 2010 2:02 PM
To: NT System Admin Issues
Subject: Trying to limit my helpdesk to Power User rights,

I am trying, as a method of locking down my Win2k8 and below servers, to remove administrative rights wherever I can to the minimal level. I have set up my helpdesk folks to be Power Users on one of my Windows 2008 R2 boxes, and if they log in locally to the box, they can create a directory and share locally on the server using MMC etc. (I tested as a domain user who is a Power User), but if I run the MMC Shared Folders snap-in as the Power User from my XP system (I made the account full admin on the workstation), when I try to take a look at the drives via the snap-in it doesn't allow it when it's a Power User on the server. I know if I were to make the group or the test user a local administrator (which I don't want to do, because they keep screwing up permissions right and left) then they will see the drives and create folders etc. accordingly. Any ideas how I can get this working with Power User only rights? Maybe using an additional share on the root of the drives to get them access? Either that or take care of all the permissions myself.

Z

Edward E.
Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
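The per-share `<shareName>_r` / `<shareName>_m` convention Steven describes, and the "non-standard shares we fix when we find them" clean-up Edward's group is facing, both come down to auditing each share against a standard. The script below is an added example, not code from anyone in the thread; it assumes a Windows Server 2012 or later file server (the SmbShare cmdlets did not exist on the 2008 R2 box discussed) and the RSAT ActiveDirectory module on the machine running it, and it reports rather than changes anything.

```powershell
# Added example: audit a file server's shares against the "<shareName>_r / <shareName>_m"
# convention. Assumes SmbShare (Server 2012+) and ActiveDirectory (RSAT) modules.
Import-Module SmbShare
Import-Module ActiveDirectory

function Test-ShareStandard {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cim = New-CimSession -ComputerName $ComputerName
    # Skip administrative shares (C$, ADMIN$, IPC$): those are the root shares a
    # Power User cannot reach remotely, and they are not business shares anyway.
    $shares = Get-SmbShare -CimSession $cim | Where-Object { $_.Name -notmatch '\$$' }

    foreach ($share in $shares) {
        $issues      = @()
        $readGroup   = "$($share.Name)_r"
        $modifyGroup = "$($share.Name)_m"

        # 1. Both access groups must exist in AD; access is granted through them, never per user.
        foreach ($g in $readGroup, $modifyGroup) {
            if (-not (Get-ADGroup -Filter "Name -eq '$g'")) { $issues += "missing group $g" }
        }

        # 2. The share Description must name a business owner so audit questions can be answered.
        if ([string]::IsNullOrWhiteSpace($share.Description)) { $issues += 'no owner in Description' }

        # 3. The share-level ACL should contain only the two groups (plus built-in Administrators).
        #    Anything else, e.g. Everyone or an individual user, is a non-standard share.
        $allowed = @($readGroup, $modifyGroup, 'Administrators')
        Get-SmbShareAccess -CimSession $cim -Name $share.Name | ForEach-Object {
            $account = $_.AccountName -replace '^.*\\', ''   # strip DOMAIN\ or BUILTIN\ prefix
            if ($allowed -notcontains $account) {
                $issues += "non-standard share ACE: $($_.AccountName) ($($_.AccessRight))"
            }
        }

        [pscustomobject]@{
            Server    = $ComputerName
            Share     = $share.Name
            Path      = $share.Path
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        }
    }
    Remove-CimSession $cim
}

# Usage (hypothetical server name FS01): list only the shares that need fixing.
Test-ShareStandard -ComputerName FS01 | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Running this from an admin workstation needs only remote CIM access to the file server, so the helpdesk never needs local Administrators or Power Users membership on the server to see which shares are out of standard.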
