Folks,
My Unix, or rather, command-line, bias is showing here, so please bear with me. We're running a mixed-security-style filer, OnTAP-5.3.6R2, also testing 6.1R1. Historically, we've done all management of the filer from a Unix admin host, but we do like for our NT admins to be able to set and/or override permissions for our NT users, so we've done the obligatory two-way mapping in usermap.cfg between the Unix "root" account and the NT domain admin account.
In doing so, we've opened what we consider to be a hole in our desired Unix-only management of the filer: It's now possible for our NT admins to create/delete/change shares using Server Manager. We'd really prefer to keep this functionality restricted to a command-line type of interface, so we can keep it under control via scripting, version control, and other types of automation that so far aren't possible using the Windows Server Manager GUI.
So, does anyone know how to disable access to Server Manager, and in particular to the ability to create/change shares, but still preserve the ability to manipulate permissions on behalf of our users (via shares previously set up)? I've seen reference to the magic "IPC$" share, and assume that if I could delete that it would prevent remote management from the Windows systems, but I've yet to find a way to accomplish this.
Advice welcome....
Regards,
So, does anyone know how to disable access to Server Manager,
Remove the "FILERDOMAIN\Domain Admins" global group from the filer's "BUILTIN\Administrators" local group using User Manager for Domains. This will prevent your NT administrators from messing with filer shares.
I am almost, but not quite 100% certain that administrative rights to the file system will be unaffected by this (the "Administrators" local group SID is a domain-wide constant if memory serves, so it should still find its way into your NT admin's security tokens via other means), but give it a try.
Keith
Keith Brown wrote:
So, does anyone know how to disable access to Server Manager,
Remove the "FILERDOMAIN\Domain Admins" global group from the filer's "BUILTIN\Administrators" local group using User Manager for Domains. This will prevent your NT administrators from messing with filer shares.
That works, after "cifs terminate / cifs restart". One can't even manipulate local groups via "user manager for domains" anymore, which is good. Seth Moskowitz made a good point that there might still be a command-line way around this restriction -- I haven't turned our Windows guys loose on that angle, yet. But see below.
I am almost, but not quite 100% certain that administrative rights to the file system will be unaffected by this (the "Administrators" local group SID is a domain-wide constant if memory serves, so it should still find its way into your NT admin's security tokens via other means), but give it a try.
Darn, now we can't "take ownership" like we used to be able to do, not even from "root" on the Unix side (mixed security-mode). So this approach is not going to work for us, unless there's some modification possible that will give back the filesystem management rights. Good thing I kept a copy of /etc/lclgroups.cfg, eh? Restoring that and restarting cifs gives back the "take ownership" ability.
I don't have enough experience with NTFS permissions to know how/if the following might work, but I'm wondering if it might be possible to set up some special NT Domain user which has the "override ownership" rights that the normal admin user has, but without being the actual admin user that can manage servers, etc.
Other comments and suggestions are still welcome....
Regards,
"I don't have enough experience with NTFS permissions to know how/if the following might work, but I'm wondering if it might be possible to set up some special NT Domain user which has the "override ownership" rights that the normal admin user has, but without being the actual admin user that can manage servers, etc."
Run NT usrmgr and look in Policies | User Rights. There are all kinds of things that you can do from there, including giving the right to take ownership of files and objects.
Marion Hakanson wrote:
-- Marion Hakanson hakanson@cse.ogi.edu CSE Computing Facilities