Group with read-only access to administrative shares?

 
 
Frank B Denman
      03-24-2009
Hi Folks,

Apologies for what may be a dumb question: Can I give a group read-only permission to administrative
shares, e.g., \\wrkstn10\c$?

Thanks!

Frank
Frank Denman
Denman Systems

[Please delete the "x" from my email address]
 
Paul Baker [MVP, Windows Desktop Experience]
      03-24-2009
I don't think so. You would have to create a new share.

Do you really want to give a group who are not administrators permission to
read an entire drive? If you do, make sure it is hidden with the $ sign.

Paul

 
Al Dunbar
      03-24-2009

"Paul Baker [MVP, Windows Desktop Experience]"
<> wrote in message
news:%...
>I don't think so. You would have to create a new share.


That would appear to be microsoft-speak for: this isn't a good idea.

> Do you really want to give a group who are not administrators permission
> to read an entire drive?


Must be a data drive to which some group needs read access for the purpose
of, for example, auditing work done.

> If you do, make sure it is hidden with the $ sign.


But also realize that, since some individuals will be accessing that share,
they will need to know its name. And any secret shared by more than one
person is no longer a secret.

/Al

 
Frank B Denman
      03-25-2009
Here's a high level view of the problem I need to solve. Customer had a totally disorganized 15
computer workgroup network with files scattered hither and yon across the workstation drives. I've
now got them in an SBS2k3 domain and need to have management identify files to move to the server.

I've run NetworkSearcher to build a 29,000 row spreadsheet with hyperlinks to all *.doc files on the
network. The hyperlinks are mostly in the form "\\wrkstn10\c$\dir1\dir2\something.doc". Managers
need to sit at a workstation marking up the spreadsheet and confirming identity of likely files by
clicking the hyperlinks in the spreadsheet.

I don't want non-IT folks browsing the network with domain admin privileges, and I don't want
anybody at all opening those mystery *.doc files with domain admin privileges because who knows what
macro evil lurks therein.

These network drives do not have inheritance running smoothly from top to bottom, so I need a way to
give my "Network Auditors" group read-only permissions all the way down the tree without changing
any other existing permissions.

I suspect all this is pointing me to subinacl, which I've never used.

Additional thoughts, advice, or even a sample subinacl command line would be most welcome.

Frank

Frank Denman
Denman Systems

[Please delete the "x" from my email address]
 
Paul Baker [MVP, Windows Desktop Experience]
      03-25-2009
"Al Dunbar" <> wrote in message
news:%...
>
> "Paul Baker [MVP, Windows Desktop Experience]"
> <> wrote in message
> news:%...
>>I don't think so. You would have to create a new share.

>
> That would appear to be microsoft-speak for: this isn't a good idea.


Yes, that's exactly what I meant to imply, though it's Paul-speak not
Microsoft-speak.

>> Do you really want to give a group who are not administrators permission
>> to read an entire drive?

>
> Must be a data drive to which some group needs read access for the purpose
> of, for example, auditing work done.


If there is a legitimate business reason for it, then okay. I would just be
uncomfortable with it.

>> If you do, make sure it is hidden with the $ sign.

>
> But also realize that, since some individuals will be accessing that
> share, they will need to know its name. And any secret shared by more than
> one person is no longer a secret.


Agreed. But the reason for hiding the share in this manner is not to keep a
secret. It is to prevent naive malware that is trying to spread itself
from being able to find it. Some methods for enumerating shares will find
the hidden ones, whereas some will not.

Paul

 
Paul Baker [MVP, Windows Desktop Experience]
      03-25-2009
The permissions of an administrative share cannot be changed, unless there
is a policy or registry hack to work around it that I don't know about (and
that will likely be removed in a future version of Windows!).

If you added your own share, you could set the permissions to whatever you
want, but your hyperlinks would have to be adjusted.

Paul

 
Al Dunbar
      03-25-2009

"Frank B Denman" <> wrote in message
news:...
> Here's a high level view of the problem I need to solve. Customer had a
> totally disorganized 15 computer workgroup network with files scattered
> hither and yon across the workstation drives. I've now got them in an
> SBS2k3 domain and need to have management identify files to move to the
> server.
>
> I've run NetworkSearcher to build a 29,000 row spreadsheet with hyperlinks
> to all *.doc files on the network. The hyperlinks are mostly in the form
> "\\wrkstn10\c$\dir1\dir2\something.doc". Managers need to sit at a
> workstation marking up the spreadsheet and confirming identity of likely
> files by clicking the hyperlinks in the spreadsheet.


Has there been an actual agreement that the managers will do this? In a
similar scenario in my organization, I expect the managers would agree to
browse through a folder structure for a while to determine from the file and
folder names what might be important and how it should be classified or
handled. Once they had done a few spot checks they would quickly decide they
had better things to do and would either make educated guesses, ask me to
make their decisions, or just ask to have it all burned to DVD for review
later in case they feel it might contain info they are looking for. That DVD
would then likely stay where it was stored forever.

> I don't want non-IT folks browsing the network with domain admin
> privileges, and I don't want anybody at all opening those mystery *.doc
> files with domain admin privileges because who knows what macro evil lurks
> therein.


Makes sense.

> These network drives do not have inheritance running smoothly from top to
> bottom, so I need a way to give my "Network Auditors" group read-only
> permissions all the way down the tree without changing any other existing
> permissions.


cacls should be able to handle the job - assuming that you, as admin, do not
have your permission blocked anywhere in the folder structure. But why do
you need to preserve any existing permissions - is it that these files are
still in operational use? If so, by the time they make their decisions, the
users might have created, modified, and/or deleted them.

/Al


 
Frank B Denman
      03-26-2009

I expect that you are correct regarding how managers will basically spot-check files and ultimately
hand implementation back to me.

Nonetheless, I need to make the spot-checking as painless for them as I possibly can.

I want to preserve existing permissions because I don't want to muck up OS security when I add
Read-Only for Network Auditors thru the entire directory tree of each drive.

Not sure which is the most likely tool: subinacl or cacls.

Frank


Frank Denman
Denman Systems

[Please delete the "x" from my email address]
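
An added example, not code posted by anyone in this thread: one way to handle the NTFS side of what Frank describes, using PowerShell to walk the tree and icacls to add a read-only ACE for the group at the root and again at every file or folder where inheritance is blocked, leaving existing ACEs in place. Assumptions: icacls and PowerShell 3 or later are available where it runs, and `D:\` and the `EXAMPLE` domain are placeholders.

```powershell
# Added example, not from the thread. $Root and the EXAMPLE domain are placeholders.
param(
    [string]$Root  = 'D:\',                       # placeholder: tree to open to the group
    [string]$Group = 'EXAMPLE\Network Auditors',  # group name from the thread, placeholder domain
    [switch]$Apply                                # without -Apply, only report what would change
)

function Get-GrantPoint {
    # Emits the root plus every file or folder whose DACL is protected, i.e. where
    # inheritance is blocked and an ACE added higher up would not arrive.
    param([string]$Path, [bool]$IsRoot = $false)
    try {
        $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
        # Skip junctions and symlinks so the walk stays inside the tree.
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) { return }
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL, restore admin access first: $Path"
        return
    }
    if ($IsRoot -or $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $Path; IsFolder = $item.PSIsContainer }
    }
    if ($item.PSIsContainer) {
        Get-ChildItem -LiteralPath $Path -Force |
            ForEach-Object { Get-GrantPoint -Path $_.FullName }
    }
}

foreach ($p in Get-GrantPoint -Path $Root -IsRoot $true) {
    # Folders get an inheritable read ACE, files a plain one. /grant without :r
    # adds to the explicit ACEs already present instead of replacing them.
    $ace = if ($p.IsFolder) { "${Group}:(OI)(CI)R" } else { "${Group}:R" }
    $status = 'would grant'
    if ($Apply) {
        icacls $p.Path /grant $ace | Out-Null
        $status = if ($LASTEXITCODE -eq 0) { 'granted' } else { 'FAILED' }
    }
    '{0,-12} {1}' -f $status, $p.Path
}
```

Run it without `-Apply` first: the list shows exactly where explicit ACEs would be added, and any warnings mark the places Al's caveat covers, where the administrator's own access is blocked.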
 