Hi Scott,
Very difficult question. The only thing that I can see is that you create 2 'root' shares on the 2 volumes.
Then you create 2 DFS (Distributed File System service from Microsoft) trees (it's possible that you need two different Windows servers to separate the access control). Each department has full control of its DFS tree. They can create new shares in DFS, and always use the one root share on the filer as the mount path, combined with the correct directories.
It's a 'crazy' idea, but I think this must work.
Good luck,
Reinoud Reynders IT-manager Infrastructure & Operations UZ Leuven Belgium
----- Original Message ----- From: owner-toasters@mathworks.com To: owner-toasters@mathworks.com; toasters@mathworks.com Sent: Wed Oct 10 22:51:31 2007 Subject: CIFS share creation security question
Quick question, is there any way to allow AD users/groups the ability to create or delete CIFS shares on specific volumes, but not others? Say we have an HR and Sales volume on the same filer. Each has their own IT personnel that create shares on each specific volume, but not each other's. Right now they are in the local admin group so they can theoretically do whatever they please, but we are looking for a more granular way to lock this down. Any suggestions?
Thx!
This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Please note that certain functions and services for BNP Paribas may be performed by BNP Paribas RCC, Inc.
Scott,
Have you had a look into the usage of MultiStore? Create 2 virtual filers and grant HR admin on theirs and Sales on theirs?
Regards,
Andreas
________________________________
From: Reinoud Reynders [mailto:reinoud.reynders@uz.kuleuven.ac.be] Sent: Thursday, 11 October 2007 08:31 To: scott.belisle@americas.bnpparibas.com; toasters@mathworks.com Subject: Re: CIFS share creation security question