Computer Manager Security

Discussion in 'Server Security' started by Gustavo Montanha, Aug 31, 2004.

  1. Hi, I'm implementing a secure W2K AD domain (single forest and single
    domain), and I created a global group named "Storage_admins" to manage
    permissions on file servers. This group has Full Control in NTFS permissions
    and Full Control in all Shared Permissions. But I'm having a big problem.
    When a user that is a member of the "storage_admins" group connects to the server
    in the computer manager snap-in, they receive an access denied error. These users
    are "Account Operators" too. I tried to change some configuration in
    ADSIedit and Local Security Policy, but without success. But when I put the
    "Storage_Admins" group in the Local Administrators on this file server, they
    manage all the shared folders.

    Does anyone know what my problem is?

    Thanks a lot!
     
    Gustavo Montanha, Aug 31, 2004
    #1

  2. You must be a local administrator to do many things in Computer Management on a
    remote computer and Shared Folders would be no exception as it allows a user to view
    sessions, open files, etc. I don't know offhand if this would work but you could try
    to use the MMC snap-in for Shared Folders to manage a remote computer and select
    "shares only" as view to see if that helps. Something that would work is to allow
    that group to use Terminal Services in Remote Administration Mode on those computers
    if they are not already running TS. Normally non-administrators cannot use it but
    you can add your global group to permissions for RDP on those servers. Of course that
    opens a potential backdoor for those servers so if you use it be sure to require
    users to use complex passwords, audit logon events on those servers, and consider
    using an ipsec filtering policy [if not already using ipsec] to restrict the IP
    addresses of computers that can access those servers on port 3389 TCP keeping in mind
    the remote management computers should be using static IP addresses so they do not
    lose access if their IP address changes from being a DHCP client. --- Steve
     
    Steven L Umbach, Sep 1, 2004
    #2

  3. Putting the group or the user in the local administrators is not secure,
    because they can do some things that I don't want on this machine. I tested
    using the TS full control permission, but still the user cannot access the
    shared folders (in a terminal session, or connecting remotely with computer
    manager). I tried to set full control on the OU that the file server owns,
    and set the same local security permissions as the local Administrators
    group. But nothing... As a workaround, I will put this group in the
    administrators group.

    If anyone knows any way to set this type of permission, tell me.

    Thanks


     
    Gustavo Montanha, Sep 1, 2004
    #3
  4. If they can use TS to access the server they don't have to use Computer Management to
    manage shares. The user can simply go to the shared folder in Windows Explorer that
    they have full control permissions on and change permissions as needed that way. ---
    Steve


     
    Steven L Umbach, Sep 1, 2004
    #4
