Solved

NETLOGON Share/file Permissions ?

Posted on 2004-11-10
Last Modified: 2013-12-04
I have an NT4.0 PDC and XP Pro clients.

How should I set up the Netlogon share so domain users only execute the logon.bat?

I have tried a few things but it doesn't work. I have other *.bat files which are in the netlogon dir
that execute inside (or out of) the logon.bat, that puts info on another share on my D drive
that is hidden.

Here is how it is set up, and I know it works this way.

I need to set it up so the users can't read the files but execute all the files.

( scripts dir )
Netlogon-share permissions
-local admin - FC
-global admin - FC
-domain admin - FC
-domain users - R
-everyone - no access

File Permissions - security permissions
-local admin - FC
-creator owner - FC
-dir repl - RWXD
-domain users - RWXD
-everyone - FC
-replicator - RWXD
-server operators - RWXD
-system - FC

If I can't change it, and the users have to be able to read all the files.

What's the best way to set up security, as far as accounts and permissions?
0
Question by:CMILLER
10 Comments
 
LVL 4

Accepted Solution

by:
Mikho earned 1440 total points
ID: 12555495
A deny always has more power than an allow, so if you set Everyone to have no access then it won't allow anyone either.

I would probably set the file permissions something like this:
-domain admin - FC
-creator owner - FC
-dir repl - RWXD
-domain users - RWX
-replicator - RWXD
-server operators - RWXD
-system - FC

and share permissions to something like this:
-local admin - FC
-domain users - RX

these two are overkill?? not sure, depends on your group membership
-global admin - FC
-domain admin - FC


hope it gets you in the right direction :)
0
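The accepted answer's point about No Access, as an added example that is not part of the original thread: a simplified Python model of how share and file ACLs combine, run over the two permission sets listed above. It assumes "no access" is an explicit No Access entry, that every token carries everyone, and that domain admins are also local admins on the PDC; group names are copied from the posts.

```python
# Simplified model of the NT access check (illustration only, not a Windows API).
FC = "RWXDPO"      # Full Control: Read, Write, eXecute, Delete, change Perms, take Ownership
NO_ACCESS = None   # explicit "No Access" entry

def acl_rights(acl, groups):
    """Rights one ACL gives a token: a matching No Access entry wins outright,
    otherwise the union of every matching allow entry."""
    granted = set()
    for principal, rights in acl.items():
        if principal in groups:
            if rights is NO_ACCESS:
                return frozenset()
            granted.update(rights)
    return frozenset(granted)

def effective(share_acl, file_acl, groups):
    """Over the network a user gets only what BOTH the share and the file allow."""
    return acl_rights(share_acl, groups) & acl_rights(file_acl, groups)

def show(rights):
    """Render a rights set in the thread's letter notation."""
    return "".join(c for c in FC if c in rights) or "none"

# ACLs as listed in the question.
ORIG_SHARE = {"local admin": FC, "global admin": FC, "domain admin": FC,
              "domain users": "R", "everyone": NO_ACCESS}
ORIG_FILE = {"local admin": FC, "creator owner": FC, "dir repl": "RWXD",
             "domain users": "RWXD", "everyone": FC, "replicator": "RWXD",
             "server operators": "RWXD", "system": FC}
# ACLs as suggested in the accepted answer.
NEW_SHARE = {"local admin": FC, "domain users": "RX"}
NEW_FILE = {"domain admin": FC, "creator owner": FC, "dir repl": "RWXD",
            "domain users": "RWX", "replicator": "RWXD",
            "server operators": "RWXD", "system": FC}

# Constructed tokens (assumed group memberships, not taken from the thread).
USER = {"domain users", "everyone"}
ADMIN = {"local admin", "domain admin", "domain users", "everyone"}

if __name__ == "__main__":
    for label, share, files in (("question", ORIG_SHARE, ORIG_FILE),
                                ("answer", NEW_SHARE, NEW_FILE)):
        for who, token in (("domain user", USER), ("admin", ADMIN)):
            print(f"{label:8} {who:11} -> {show(effective(share, files, token))}")
```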
 
LVL 7

Expert Comment

by:msice
ID: 12558337
If you can exe you have read access. Basically the best way to set up access is to use groups for read and write. Then assign users to the groups and set group permissions for both on the folder and share levels.
0
 

Author Comment

by:CMILLER
ID: 12559407
My goal was to have the logon.bat in the NETLOGON share set up so that users would
not be able to see the contents inside of the logon.bat. I want them to be able
to exe the file when they log on.

Is there another way of accomplishing this goal, or is this something that I just have to live with?
0

 
LVL 7

Expert Comment

by:msice
ID: 12559468
It is something you have to live with. Even if you were to put the login.bat somewhere else you will still need to give the users read exe. You could use a hidden share and point their profile at that so at least it would be harder for them to find.
0
 
LVL 7

Assisted Solution

by:msice
msice earned 560 total points
ID: 12559566
One last thing: if you don't want them to be able to see the contents of the .bat file, you might want to look into compiling a vbs file and using a login.exe file as the login file.
0
 

Author Comment

by:CMILLER
ID: 12559582
I thought about that (hidden share), just have not tested it.

What's your take on the NETLOGON share/file permissions?

0
 

Author Comment

by:CMILLER
ID: 12559596
That's an idea.
0
 
LVL 7

Expert Comment

by:msice
ID: 12559740
indeed - I hope that will solve your issue.
0
 
LVL 4

Expert Comment

by:Mikho
ID: 12563251
Like msice said, the only way for not letting your users see what's inside the bat file is to compile the instructions in some way into an exe file.

But on the other hand, if you only give execute access to authenticated users, those that haven't supplied a valid user/pass won't be able to read either.

If I'm not mistaken, what you want to hide is that you're saving some information on your hidden share on your D drive.
The other stuff is not so important to hide?

0
 
LVL 4

Expert Comment

by:Mikho
ID: 12578010
thanks for the points :)
0


Question has a verified solution.
