Re: Can this be done without affecting current configuration
- From: OM <om@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 04 Aug 2006 07:41:46 -0700
Roger Abell [MVP] wrote:
"OM" <om@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:O2MLZS0tGHA.4752@xxxxxxxxxxxxxxxxxxxxxxxRoger Abell [MVP] wrote:What is granted on the shares when they do but should not have access?The nondomainuser group would have the same access as the users group.
What is the membership of the sharing server's Users group, not all the
local users but the other members . . . Authenticated Users? Network? etc.
"OM" <om@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:e9s7MkytGHA.1288@xxxxxxxxxxxxxxxxxxxxxxxRoger Abell [MVP] wrote:"OM" <om@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:ORx5CBotGHA.1224@xxxxxxxxxxxxxxxxxxxxxxxSorry, I think I am lost on what you are trying to ask.Roger Abell [MVP] wrote:No problem, I guess . . . I am not sure what you are saying.The extra shares, to which there is but should not be access, are set toAll the shares are set with read/change for everyone and I fine tuned the permission on the NTFS level. Only users are defined in the nondomainuser group.
allow what groups at the share/NTFS levels ?
There is something to which access is granted, such as the machine
local Users group, or Network, or Authenticate Users, which does
include the NonDomainUser group member(s).
"OM" <om@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OGai5xltGHA.5056@xxxxxxxxxxxxxxxxxxxxxxxHi,
I have a AD network with 3 2003 DCs. Most of our workstations are attached to the domain while only 40 PCs are non-domain machines.
What I would like to do is to allow all non-domain PCs to be able to access one shared folder in one of the member server within the domain using one particular user account.
I created a group called nondomainuser and put a newly created user account into the group. I removed this user from the domain users group so it only belong to the nondomainuser group. On the shared folder, I setup the Share/NTFS permission so that only the nondomainuser group have read access to it. With this setup, the user is able to access the shared folder without problem. However, this account is also able to access shared folders that are accessible by the members in the domain users group which is something I don't want. The thing that I don't understand is this user account is not a member of the domain users, but he is still able to access shared folders that are for members of the domain users.
I know I might be able to achieve this by removing everyone from the share permission on the share folder. However, this is going to lot of time and I might miss out something as I many shared folder on the server
Can someone advice me if there is any simple solution for such problem?
Thanks
OM
Thanks
Since share level is granting to Everyone it is basically a no-op, meaning
only NTFS is controlling access of Modify or less. But you still have not
said that is granted at NTFS, and whether things like Interactive and/or
Authenticated Users is a member in the sharing machine's Users group.
I have different level of accesses for different share folders. My intention is to have this nondomainuser group to be able to only access one single folder in the server. My problem is that this user group is also able to access shares that have permission for domain users.
Thanks
Authenticated users, domain users and interactive are the members of the users group.
Thanks
You still have not stated what the shares, to which the nondomainuser group
can but should not get access, are configured to allow (at both the share and
the NTFS permissions levels).
From what you have now finally stated, you should be able to see that any
account that is in the nondomainusers group will be a member of the sharing
machines local Users group (such an account will qualify as Authenticated Users)
(I assume that accounts in nondomainusers global group have had their Primary
Group changed to nondomainusers from Domain Users, else that would also
make them a member of the machine's local Users group).
Hence, if there are grants to Users on the shares to which they should not
have access, then they will have access.
OK, the shares are configured for everyone with read/change permission. The NTFS permission are different depending which groups and their permission. All these shares have administrators, creator owner, system and individual groups that has permission assigned to in the NTFS ACL.
The account in the nodomainusers global group is configured with nondomainusers global group as the primary group. I have removed the domain user group from their member of property.
Hope this might give you a better idea of what the configuration is.
Thanks
.
- References:
- Can this be done without affecting current configuration
- From: OM
- Re: Can this be done without affecting current configuration
- From: Roger Abell [MVP]
- Re: Can this be done without affecting current configuration
- From: OM
- Re: Can this be done without affecting current configuration
- From: Roger Abell [MVP]
- Re: Can this be done without affecting current configuration
- From: OM
- Re: Can this be done without affecting current configuration
- From: Roger Abell [MVP]
- Re: Can this be done without affecting current configuration
- From: OM
- Re: Can this be done without affecting current configuration
- From: Roger Abell [MVP]
- Can this be done without affecting current configuration
- Prev by Date: User Home Folder
- Next by Date: Re: Grant access to a share via command-line?
- Previous by thread: Re: Can this be done without affecting current configuration
- Next by thread: Re: server migration/local Groups
- Index(es):
Relevant Pages
|
