Shared Folders access under Computer Management: set permissions to read shared folders, sessions, and open files

  • Wednesday, September 02, 2009 8:44 PM Nathan Swift
     
    Good afternoon. I am trying to add a security group in AD with permissions to view Shared folders, sessions, and open files under the Computer Management tool for a particular server that is a domain controller. I would like to do this without adding unnecessary permissions in Computer Management and the Shared Folders snap-in itself. I want to avoid adding the AD group to the Domain Admins group. Any suggestions where these permissions are located? I looked in the ADUC security permissions on the DC but did not see any object or property that stood out as permission to this snap-in or resource. Any help would be appreciated.

Answers

  • Friday, September 04, 2009 10:05 AM David Shen - MSFT (MSFT, Moderator)
     Answer

    Hi Nathan,


    To view Shared folders, sessions, and open files on the DC, these actions need to access the NTFS file system, which needs high-level privilege on the DC.


    The privileges to access the NTFS file system require either the Domain Admins group or the built-in Administrators group.


    There is no other security descriptor that can access the file system on the DC. Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.

All Replies

  • Friday, November 06, 2009 9:36 PM Carla Lundberg
     
    Hi Nathan,
    I was in the same predicament as you and I didn't want to give admin rights but here's what I did so maybe this will help you:
    1. I created a group called SERVERnoLogon in AD and added user accounts to this group
    2. On SERVER I added SERVERnoLogon to the local administrator group
    3. On SERVER I added SERVERnoLogon to the Local Security Policy, which you cannot do since it's a DC but you can probably do through Group Policy. The two places I added this group to are Deny log on locally and Deny log on through Terminal Services.
    4. On SERVER we already had a DENY in place to prevent unauthorized access to confidential folders so there wasn't too much that we needed to do on that.

    We are still testing but I am hopeful that this workaround will be sufficient.  So far we can see the open files and we cannot see what we are denied and we cannot log on so off to do more testing since it is an admin account.

    Good Luck!
    Carla
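
One way to check steps 2 and 3 of the workaround above on a member server, as an added example that is not part of the original thread: it exports the local user-rights policy with `secedit` and reports whether the group is a local administrator and holds both deny-logon rights. The `CONTOSO` domain prefix and the script's variable names are placeholders. The two deny rights only block interactive and Remote Desktop logon; the group keeps its administrator rights over the network.

```powershell
# Added example (not from the thread). Run elevated on the member server.
param(
    # Group name is from the post; the CONTOSO domain prefix is a placeholder.
    [string]$Group = 'CONTOSO\SERVERnoLogon'
)

# secedit writes domain principals as *SID, so resolve the group to its SID.
$account = New-Object System.Security.Principal.NTAccount($Group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse lines such as: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

# The two settings named in step 3 of the post, keyed by privilege constant.
$required = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}
$report = foreach ($right in $required.Keys) {
    [pscustomobject]@{
        Setting = $required[$right]
        Applied = @($rights[$right]) -contains $sid
    }
}

# Step 2 of the post: is the group in the built-in Administrators group?
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $sid })

$report | Format-Table -AutoSize
"Member of local Administrators: $isAdmin"
if ($isAdmin -and ($report.Applied -contains $false)) {
    Write-Warning "$Group has admin rights but at least one deny-logon right is missing."
}
```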