Shares and privileges 3

lhatwwp

Technical User
Oct 23, 2007
Hello,

I will repeat this a few times for people who haven't seen my previous posts... I'm new to Windows; I've worked exclusively with Netware for the past fifteen years. So I have a number of questions.

Here I go... In Netware I created a folder, assigned privileges to a group, assigned users to the group and all the users in that group had access to the folder. At the domain level I assigned a logon script that applied to everyone in the OU. After creating the folder, group, and user(s), etc. I could check to see what effective rights a user had.

So my question is... is the process similar in Windows? I have a test server running and so far it's been a struggle for me. I have created folders, groups, users, assigned privileges to the group, I created a vbs logon script (tested it, yep it maps drives), assigned the vbs script in the Group Policy. Went to the workstation, logged in and no mapped drives appeared. I can enter the path, so privileges seem ok.

BTW, do all Windows users have read access? I read that in a Windows environment all users have access to all files and the administrator has to remove privileges, kinda backward to what I'm used to with Netware.

I can't find anything in Windows that lets me check a user's effective rights to a folder. Is there such a feature?

Anyway... if someone could give me a quick walk down on Windows file sharing, privileges, and logon scripting… that would be very helpful.

Thanks,
Lou
 
The process is pretty much the same in Windows.

Here's the process from the top.

Create a folder.
Create a group (or groups).
Add users to the group.
Set up NTFS permissions on the folder.
Set up the network share (it's recommended to set up the rights on the share to all users with full control and let the NTFS permissions handle the rights as NTFS is more granular).
Set up the login script and assign it to the users.
Wait until the login script replicates to all domain controllers (or be like me and force replication).
Login to the test machine and make sure that the logon script executes.

If the drive isn't mapped then the logon script didn't run for some reason. If it's getting the logon script from a GPO then try doing a gpupdate on the workstation to force it to redownload all domain policies, then log out and log back in. As logon scripts should be running interactively, try putting a message box or something that pops up on the screen so that you can be sure that the script is running correctly.

Windows folders by default inherit the rights of the parent folder. So if the root of the drive has all users having read rights to the drive then the folder will default to that. And Windows defaults to all users having read rights to the drive. If you remove this right from the beginning your folders will not have this right either.

I hope that this helps.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

My Blog
 
BTW: Welcome to the Windows Server world.

Denny
 
Just one addition there: if you don't want your users to be able to alter NTFS permissions on their work folders you can give them the change 'share' permission; this stops them from being able to alter NTFS permissions.
Some users have a habit of taking ownership and then removing important users like the backup agent or administrator group, which can cause problems.
 
Ok, I think this might be my last two questions about file sharing...

Question 1

Why does my logon script fail to map a subfolder of a shared folder unless I share the subfolder?

I created a folder <SHARED> and turned on sharing. Assigned read rights to the common group <ALLSTAFF>. Then I created a couple subfolders <MANUALS> and <SHARED>. I adjusted NTFS permissions on <MANUALS> and <SHARED> to allow everything except Full Control for <ALLSTAFF>.

The permissions work great, but the logon.vbs script won't map the drives unless I turn sharing on for both <MANUALS> and <SHARED>.

Here's my script...
Code:
Set wshNetwork = CreateObject("WScript.Network")
wshNetwork.MapNetworkDrive "p:", "\\test_server\manuals"

Question 2

What is the proper method of assigning shares and rights for individual home folders given the following tree structure?

C:\Mapped Drives\Users\JDOE
C:\Mapped Drives\Users\BSMITH

No matter what I do it seems anyone can see the other "home" folders if they browse the network.

TIA,
Lou
 
if you are a netware guy you may want to install abe on the box as well

access based enumeration

say previously you mapped to data:lotsofcrap

and you had sub dirs under this - if the users didn't have rights - then they didn't see it - ms ain't like this - they will see it but get a sod off message when they open it

but that sucks - if you don't have rights then you should see it - so abe more or less gives some of the netware feel back

make the above scenario easier as well as you can map higher up and still secure it and not see it
 
Should that share path you mentioned be
Code:
Set wshNetwork = CreateObject("WScript.Network")
wshNetwork.MapNetworkDrive "p:", "\\test_server\sharename\manuals"

As terry712 says, access based enumeration is the feature that you need to install to hide folders that users have no access to.
 
For question 2 take a look at the Traverse Folder permission "Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.)"


So in the situation below you could remove read access to the users folder but the OS would allow the user to hop to their own folder, as they have permission to access that; this way they can't view all the other folders in the users folder.

C:\Mapped Drives\Users\JDOE
C:\Mapped Drives\Users\BSMITH
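
The setup described in the replies above, written out as PowerShell (an added example, not part of the original thread): NTFS permissions on a shared parent with per-user home folders, the Change share permission, access-based enumeration, and a mapping that starts at the share name. It assumes Windows Server 2012 or later (SmbShare module) and an elevated session; the domain EXAMPLE, the group, the accounts and the drive letters are constructed placeholders.

```powershell
# Added example; every name below is a constructed placeholder.
$Root   = 'D:\Mapped Drives\Users'   # parent of the home folders
$Share  = 'Users'                    # share name that clients map through
$Staff  = 'EXAMPLE\AllStaff'         # hypothetical domain group holding the users
$Owners = @{ JDOE = 'EXAMPLE\jdoe'; BSMITH = 'EXAMPLE\bsmith' }   # folder -> account

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Parent folder: drop the entries inherited from the drive root (including the
# default read access for users), then grant staff traverse only, on this folder
# only (no OI/CI flags), so they can pass through it but not list its contents.
icacls $Root /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' "${Staff}:(X)"

foreach ($name in $Owners.Keys) {
    $dir = Join-Path $Root $name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # Modify rather than Full Control: the user cannot change permissions
    # or take ownership of the home folder.
    icacls $dir /grant "$($Owners[$name]):(OI)(CI)M"
}

# Share permissions: Change for users, Full Control only for administrators.
# NTFS does the fine-grained restriction; access-based enumeration hides
# folders a user has no access to in any listing they are allowed to see.
New-SmbShare -Name $Share -Path $Root -ChangeAccess 'Authenticated Users' `
    -FullAccess 'BUILTIN\Administrators' -FolderEnumerationMode AccessBased | Out-Null

# Review what was applied: share-level entries, then NTFS entries per folder.
Get-SmbShareAccess -Name $Share
icacls $Root /t

# Workstation side (logon script): the UNC path starts at the share name and
# only then names the subfolder, never a local path such as D:\Mapped Drives\...
# New-SmbMapping -LocalPath 'H:' -RemotePath "\\test_server\$Share\$env:USERNAME"
```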
 
Thanks to everyone for this fantastic support!!!

ABE looks awesome, I'll install that as soon as I'm finished here.

I never thought of providing the full path to the user folder... but that makes a lot of sense. It's funny I didn't provide the full path because in the beginning I found that providing the full path i.e. D:\Mapped Drives\lots of crap didn't work. What I have gleaned from this is that any mapping has to start at a share. Funny little things I didn't pick up reading the SAMS Teach yourself Win2003 in 24Hrs.

Cheers guys!

 