Keith Brown wrote:
So, does anyone know how to disable access to Server Manager,
Remove the "FILERDOMAIN\Domain Admins" global group from the filer's "BUILTIN\Administrators" local group using User Manager for Domains. This will prevent your NT administrators from messing with filer shares.
That works, after "cifs terminate / cifs restart". One can't even manipulate local groups via "user manager for domains" anymore, which is good. Seth Moskowitz made a good point that there might still be a command-line way around this restriction -- I haven't turned our Windows guys loose on that angle, yet. But see below.
I am almost, but not quite 100% certain that administrative rights to the file system will be unaffected by this (the "Administrators" local group SID is a domain-wide constant if memory serves, so it should still find its way into your NT admin's security tokens via other means), but give it a try.
Darn, now we can't "take ownership" like we used to be able to do, not even from "root" on the Unix side (mixed security-mode). So this approach is not going to work for us, unless there's some modification possible that will give back the filesystem management rights. Good thing I kept a copy of /etc/lclgroups.cfg, eh? Restoring that and restarting cifs gives back the "take ownership" ability.
I don't have enough experience with NTFS permissions to know how/if the following might work, but I'm wondering if it might be possible to set up some special NT Domain user which has the "override ownership" rights that the normal admin user has, but without being the actual admin user that can manage servers, etc.
Other comments and suggestions are still welcome....
Regards,