NETLOGON Share/file Permissions ?

I have a NT4.0 PDC and XP Pro Clients

How should I set up the Netlogon Share so that Domain users only execute the logon.bat?

I have tried a few things but it doesn't work. I have other *.bat files which are in the netlogon dir
that execute inside (or out of) the logon.bat, that put info on another share on my D drive
that is hidden.

Here is how it is set up, and I know it works this way.

I need to set it up so the users can't read the files but can execute all the files.

( scripts dir )
Netlogon-share permissions
-local admin - FC
-global admin - FC
-domain admin - FC
-domain users - R
-everyone - no access

File Permissions - security permissions
-local admin - FC
-creator owner - FC
-dir repl - RWXD
-domain users - RWXD
-everyone - FC
-replicator - RWXD
-server operators - RWXD
-system - FC

If I can't change it, and the users have to be able to read all the files:

What's the best way to set up security, as far as accounts and permissions?
CMILLER Asked:

Mikho Commented:
A deny always has more power than an allow, so if you set Everyone to have no access then it won't allow anyone either.

I would probably set the file permissions something like this:
-domain admin - FC
-creator owner - FC
-dir repl - RWXD
-domain users - RWX
-replicator - RWXD
-server operators - RWXD
-system - FC

and share permissions to something like this:
-local admin - FC
-domain users - RX

these two are overkill?? not sure, depends on your group membership
-global admin - FC
-domain admin - FC


Hope it gets you in the right direction :)
0
msice Commented:
If you can exe you have read access. Basically the best way to set up access is to use groups for read and write. Then assign users to the groups and set group permissions for both on the folder and share levels.
0
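The two rules stated in the answers above (a No Access entry overrides any allow, and running a .bat needs Read), as an added example that is not part of any post in this thread. It is a simplified model rather than a Windows API; the group sets, the `exec_only` case and the assumption that the command interpreter must open the script for reading are constructed for illustration.

```python
# Added example: simplified model of NT4-style share + file permission evaluation.
FULL = frozenset("RWXDPO")   # FC: read, write, execute, delete, change perms, take ownership
NO_ACCESS = None             # an explicit "No Access" entry

def parse(spec):
    """Turn 'FC', 'RX', 'RWXD' or 'no access' into a set of rights (or NO_ACCESS)."""
    spec = spec.strip().upper()
    if spec == "NO ACCESS":
        return NO_ACCESS
    return FULL if spec == "FC" else frozenset(spec)

def granted(acl, groups):
    """Rights one ACL gives a user: any matching No Access entry wins, else the union."""
    rights = set()
    for group, spec in acl.items():
        if group in groups:
            entry = parse(spec)
            if entry is NO_ACCESS:
                return frozenset()
            rights |= entry
    return frozenset(rights)

def effective(share_acl, file_acl, groups):
    """Over the network a user gets only what both the share and the file ACL allow."""
    return granted(share_acl, groups) & granted(file_acl, groups)

def can_run_batch(rights):
    """Assumption: the interpreter opens a .bat as data, so Read is required."""
    return "R" in rights

USER = {"domain users", "everyone"}   # constructed: an ordinary domain user
ASKER_SHARE = {"domain users": "R", "everyone": "no access"}
ASKER_FILE = {"domain users": "RWXD", "everyone": "FC"}
MIKHO_SHARE = {"local admin": "FC", "domain users": "RX"}
MIKHO_FILE = {"domain admin": "FC", "domain users": "RWX", "system": "FC"}
EXEC_ONLY_SHARE = {"domain users": "X"}   # hypothetical execute-only attempt
EXEC_ONLY_FILE = {"domain users": "X"}

def summary():
    cases = {"asker": (ASKER_SHARE, ASKER_FILE), "mikho": (MIKHO_SHARE, MIKHO_FILE),
             "exec_only": (EXEC_ONLY_SHARE, EXEC_ONLY_FILE)}
    return {name: "".join(sorted(effective(s, f, USER))) for name, (s, f) in cases.items()}

if __name__ == "__main__":
    for name, rights in summary().items():
        print(f"{name:10} effective={rights or '-':4} runs logon.bat={can_run_batch(rights)}")
```

In this model the suggested permissions leave domain users with RX, which is enough to run the script and also enough to read it, while the execute-only attempt hides the contents but no longer lets the script run.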
CMILLER Author Commented:
My goal was to have the logon.bat in the NETLOGON share set up so that users would
not be able to see the contents inside of the logon.bat. I want them to be able
to exe the file when they log on.

Is there another way of accomplishing this goal, or is this something that I just have to live with?
0
msice Commented:
It is something you have to live with. Even if you were to put the login.bat somewhere else you will still need to give the users read exe. You could use a hidden share and point their profile at that so at least it would be harder for them to find.
0
msice Commented:
One last thing: if you don't want them to be able to see the contents of the .bat file you might want to look into compiling a vbs file and using a login.exe file as the login file.
0
CMILLER Author Commented:
I thought about that (hidden share), just have not tested it.

What's your take on the NETLOGON share/file permissions?

0
CMILLER Author Commented:
That's an idea.
0
msice Commented:
Indeed - I hope that will solve your issue.
0
Mikho Commented:
Like msice said .. the only way for not letting your users see what's inside the bat file is to compile the instructions in some way into an exe file.

But on the other hand .. if you only give execute access to authenticated users, those that haven't supplied a valid user/pass won't be able to read either.

If I'm not mistaken, what you want to hide is that you're saving some information on your hidden share on your D drive.
The other stuff is not so important to hide?

0
Mikho Commented:
Thanks for the points :)
0