asked on Security Properties of Desktop shortcuts to network file shares.
We've had the practice of setting up desktop shortcuts to network shares.
Because of some mysterious failed logons to the shares, I got to investigating the shortcuts.
This is in a domain-joined workstation.
I notice that we can examine the Properties of the shortcut and that there is a Security tab.
The security tab gives Full Control to:
SYSTEM
[domain username] for the current logon / matches the Desktop contents of course...
Local Administrators
And the Allow column is grayed out while the Deny column isn't.
Now, the actual network share has Security settings giving Full Control to a domain Group.
So, where do these particular permissions that we see in the shortcut come from?
Because of some mysterious failed logons to the shares, I got to investigating the shortcuts.
This is in a domain-joined workstation.
I notice that we can examine the Properties of the shortcut and that there is a Security tab.
The security tab gives Full Control to:
SYSTEM
[domain username] for the current logon / matches the Desktop contents of course...
Local Administrators
And the Allow column is grayed out while the Deny column isn't.
Now, the actual network share has Security settings giving Full Control to a domain Group.
So, where do these particular permissions that we see in the shortcut come from?
NetworkingDesktopsSecurity
Last Comment
hypercube
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Why don't you just map the shares as drives?
ASKER
serialband: Because the objective was to avoid MAPs (which take up connections) in a connection-limited environment.
So I would rather look at the credential storage and see what (outdated?) credentials are saved for the target server that could be producing bad logon attempts.
ASKER
McKnife: Yes, that would be the thing to do. And, it has been done. All Windows Credentials have been deleted from each User that can log on I do believe. That wouldn't include domain users that have never logged on (but could). That's why I was investigating shortcuts.
ASKER
Thanks!