Re: Can this be done without affecting current configuration




"OM" <om@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ORx5CBotGHA.1224@xxxxxxxxxxxxxxxxxxxxxxx
Roger Abell [MVP] wrote:
The extra shares, to which there is but should not be access, are set to
allow what groups at the share/NTFS levels ?
There is something to which access is granted, such as the machine
local Users group, or Network, or Authenticated Users, which does
include the NonDomainUser group member(s).

"OM" <om@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OGai5xltGHA.5056@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have an AD network with 3 2003 DCs. Most of our workstations are
attached to the domain while only 40 PCs are non-domain machines.

What I would like to do is to allow all non-domain PCs to be able to
access one shared folder in one of the member servers within the domain
using one particular user account.

I created a group called nondomainuser and put a newly created user
account into the group. I removed this user from the domain users group
so it only belongs to the nondomainuser group. On the shared folder, I
set up the Share/NTFS permission so that only the nondomainuser group
has read access to it. With this setup, the user is able to access the
shared folder without problem. However, this account is also able to
access shared folders that are accessible by the members in the domain
users group which is something I don't want. The thing that I don't
understand is this user account is not a member of the domain users, but
he is still able to access shared folders that are for members of the
domain users.

I know I might be able to achieve this by removing everyone from the
share permission on the share folder. However, this is going to take a lot
of time and I might miss out something as I have many shared folders on the
server.

Can someone advise me if there is any simple solution for such problem?

Thanks

OM



All the shares are set with read/change for everyone and I fine tuned the
permission on the NTFS level. Only users are defined in the nondomainuser
group.

Thanks

No problem, I guess . . . I am not sure what you are saying.
Since share level is granting to Everyone it is basically a no-op, meaning
only NTFS is controlling access of Modify or less. But you still have not
said what is granted at NTFS, and whether things like Interactive and/or
Authenticated Users is a member in the sharing machine's Users group.
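
The check asked for in the reply above, as an added example that is not part of the original thread: it lists every disk share on the file server whose top-level NTFS ACL allows one of the broad built-in principals that a domain account matches even after it is removed from Domain Users. It assumes PowerShell is installed on the server and run by an administrator; the SID list is the editor's selection, and folders below the share root are not inspected.

```powershell
# Added example, not from the thread. Run on the file server as an administrator.
# Well-known SIDs of broad principals (the same on every Windows install).
# An account removed from Domain Users is still covered by these.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-2'      = 'NETWORK'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Type 0 = ordinary disk shares; this skips C$, ADMIN$, IPC$ and printers.
$shares = Get-WmiObject -Class Win32_Share -Filter 'Type = 0'

$findings = foreach ($share in $shares) {
    if (-not (Test-Path -Path $share.Path)) { continue }
    $acl = Get-Acl -Path $share.Path

    # Ask for SIDs instead of names so the match does not depend on
    # localized or renamed group names.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
            $ace | Select-Object `
                @{ n = 'Share';     e = { $share.Name } },
                @{ n = 'Path';      e = { $share.Path } },
                @{ n = 'Principal'; e = { $broadSids[$sid] } },
                @{ n = 'Rights';    e = { $_.FileSystemRights } },
                @{ n = 'Inherited'; e = { $_.IsInherited } }
        }
    }
}

$findings | Sort-Object Share, Principal | Format-Table -AutoSize

# BUILTIN\Users normally contains Authenticated Users and INTERACTIVE on a
# domain member; list the local group to confirm what it contains here.
net localgroup Users
```

Any share that appears in the output is readable by the restricted account regardless of its Domain Users membership, because with Everyone at the share level only the NTFS entries decide access.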

