Sign in with
Sign up | Sign in
Your question

Group Policy to secure DFS Share

Last response: in Windows 2000/NT
Share
Anonymous
July 11, 2005 11:03:03 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi All,

Is it possible to use group policy to secure distributed file system shares
on member servers, so that administrators of those servers can only read the
DFS shares, not take ownership of the files or write to them, thus affecting
replication throughout the organization?

Any comments about this or expierences would be appreciated, and I'll buy
you a Starbucks.
--
MCSE: Security, CCNA, A+, Network +, Security+
Anonymous
July 12, 2005 4:10:47 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi wosully,

AFAIK, no.

Administrator can always take ownership.

br,
Denis

"wosully" <wosully@discussions.microsoft.com> wrote in message
news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
> Hi All,
>
> Is it possible to use group policy to secure distributed file system
shares
> on member servers, so that administrators of those servers can only read
the
> DFS shares, not take ownership of the files or write to them, thus
affecting
> replication throughout the organization?
>
> Any comments about this or expierences would be appreciated, and I'll buy
> you a Starbucks.
> --
> MCSE: Security, CCNA, A+, Network +, Security+
Anonymous
July 12, 2005 4:10:48 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Wouldn't group policy be able to stop a group from taking ownership through
the File System permissions setting, under Widows settings, security
settings? It looks like it could, but I don't know if it woould work with
DFS and if admins really could take ownership then.

--
MCSE: Security, CCNA, A+, Network +, Security+


"Denis Wong @ Hong Kong" wrote:

> Hi wosully,
>
> AFAIK, no.
>
> Administrator can always take ownership.
>
> br,
> Denis
>
> "wosully" <wosully@discussions.microsoft.com> wrote in message
> news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
> > Hi All,
> >
> > Is it possible to use group policy to secure distributed file system
> shares
> > on member servers, so that administrators of those servers can only read
> the
> > DFS shares, not take ownership of the files or write to them, thus
> affecting
> > replication throughout the organization?
> >
> > Any comments about this or expierences would be appreciated, and I'll buy
> > you a Starbucks.
> > --
> > MCSE: Security, CCNA, A+, Network +, Security+
>
>
>
Related resources
Anonymous
July 13, 2005 3:39:51 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

"wosully" <wosully@discussions.microsoft.com> wrote in message
news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
> Wouldn't group policy be able to stop a group from taking ownership
through
> the File System permissions setting, under Widows settings, security
> settings? It looks like it could, but I don't know if it woould work with
> DFS and if admins really could take ownership then.
>
> --
> MCSE: Security, CCNA, A+, Network +, Security+
>
>
> "Denis Wong @ Hong Kong" wrote:
>
> > Hi wosully,
> >
> > AFAIK, no.
> >
> > Administrator can always take ownership.
> >
> > br,
> > Denis
> >
> > "wosully" <wosully@discussions.microsoft.com> wrote in message
> > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
> > > Hi All,
> > >
> > > Is it possible to use group policy to secure distributed file system
> > shares
> > > on member servers, so that administrators of those servers can only
read
> > the
> > > DFS shares, not take ownership of the files or write to them, thus
> > affecting
> > > replication throughout the organization?
> > >
> > > Any comments about this or expierences would be appreciated, and I'll
buy
> > > you a Starbucks.
> > > --
> > > MCSE: Security, CCNA, A+, Network +, Security+
> >
> >
> >
Anonymous
July 13, 2005 3:41:52 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

Pls point out exactly which policy that stops administrators from taking
ownership which I am not aware of.

If administrators cannot take ownership, then you might end up with files
that no one can access.

br,
Denis

"wosully" <wosully@discussions.microsoft.com> wrote in message
news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
> Wouldn't group policy be able to stop a group from taking ownership
through
> the File System permissions setting, under Widows settings, security
> settings? It looks like it could, but I don't know if it woould work with
> DFS and if admins really could take ownership then.
>
> --
> MCSE: Security, CCNA, A+, Network +, Security+
>
>
> "Denis Wong @ Hong Kong" wrote:
>
> > Hi wosully,
> >
> > AFAIK, no.
> >
> > Administrator can always take ownership.
> >
> > br,
> > Denis
> >
> > "wosully" <wosully@discussions.microsoft.com> wrote in message
> > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
> > > Hi All,
> > >
> > > Is it possible to use group policy to secure distributed file system
> > shares
> > > on member servers, so that administrators of those servers can only
read
> > the
> > > DFS shares, not take ownership of the files or write to them, thus
> > affecting
> > > replication throughout the organization?
> > >
> > > Any comments about this or expierences would be appreciated, and I'll
buy
> > > you a Starbucks.
> > > --
> > > MCSE: Security, CCNA, A+, Network +, Security+
> >
> >
> >
Anonymous
July 13, 2005 3:41:53 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

If the issue is of trusting the administrators on a domain to not 'abuse' or
'misuse' their 'power', then perhaps they should not be administrators?

Ken

"Denis Wong @ Hong Kong" <H_O_T_A_P_P_S_@_H_O_T_M_A_I_L_._C_O_M> wrote in
message news:umAww01hFHA.1788@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> Pls point out exactly which policy that stops administrators from taking
> ownership which I am not aware of.
>
> If administrators cannot take ownership, then you might end up with files
> that no one can access.
>
> br,
> Denis
>
> "wosully" <wosully@discussions.microsoft.com> wrote in message
> news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
>> Wouldn't group policy be able to stop a group from taking ownership
> through
>> the File System permissions setting, under Widows settings, security
>> settings? It looks like it could, but I don't know if it woould work
>> with
>> DFS and if admins really could take ownership then.
>>
>> --
>> MCSE: Security, CCNA, A+, Network +, Security+
>>
>>
>> "Denis Wong @ Hong Kong" wrote:
>>
>> > Hi wosully,
>> >
>> > AFAIK, no.
>> >
>> > Administrator can always take ownership.
>> >
>> > br,
>> > Denis
>> >
>> > "wosully" <wosully@discussions.microsoft.com> wrote in message
>> > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
>> > > Hi All,
>> > >
>> > > Is it possible to use group policy to secure distributed file system
>> > shares
>> > > on member servers, so that administrators of those servers can only
> read
>> > the
>> > > DFS shares, not take ownership of the files or write to them, thus
>> > affecting
>> > > replication throughout the organization?
>> > >
>> > > Any comments about this or expierences would be appreciated, and I'll
> buy
>> > > you a Starbucks.
>> > > --
>> > > MCSE: Security, CCNA, A+, Network +, Security+
>> >
>> >
>> >
>
>
Anonymous
July 13, 2005 3:41:54 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have tested and there is NO policy at all that can restrict an individual
with administrative rights on a computer from taking ownership; however, we
can set file permissions on the folder through group policy, but the
individual could still take ownership, change permissions, then, at group
policy refresh, the file settings are changed back, but the file changes
would have already taken place.

I agree that they should be trusted or not be administrators, and this is
the only policy I support, and will continue to do so.

These admins are file server admins, but some of them are not knowledgeable
regarding DFS and the replication consequences of introducing too many files
tp the DFS system.

Thanks again for the responses and thoughts.
--
MCSE: Security, CCNA, A+, Network +, Security+


"Ken B" wrote:

> If the issue is of trusting the administrators on a domain to not 'abuse' or
> 'misuse' their 'power', then perhaps they should not be administrators?
>
> Ken
>
> "Denis Wong @ Hong Kong" <H_O_T_A_P_P_S_@_H_O_T_M_A_I_L_._C_O_M> wrote in
> message news:umAww01hFHA.1788@TK2MSFTNGP12.phx.gbl...
> > Hi,
> >
> > Pls point out exactly which policy that stops administrators from taking
> > ownership which I am not aware of.
> >
> > If administrators cannot take ownership, then you might end up with files
> > that no one can access.
> >
> > br,
> > Denis
> >
> > "wosully" <wosully@discussions.microsoft.com> wrote in message
> > news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
> >> Wouldn't group policy be able to stop a group from taking ownership
> > through
> >> the File System permissions setting, under Widows settings, security
> >> settings? It looks like it could, but I don't know if it woould work
> >> with
> >> DFS and if admins really could take ownership then.
> >>
> >> --
> >> MCSE: Security, CCNA, A+, Network +, Security+
> >>
> >>
> >> "Denis Wong @ Hong Kong" wrote:
> >>
> >> > Hi wosully,
> >> >
> >> > AFAIK, no.
> >> >
> >> > Administrator can always take ownership.
> >> >
> >> > br,
> >> > Denis
> >> >
> >> > "wosully" <wosully@discussions.microsoft.com> wrote in message
> >> > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
> >> > > Hi All,
> >> > >
> >> > > Is it possible to use group policy to secure distributed file system
> >> > shares
> >> > > on member servers, so that administrators of those servers can only
> > read
> >> > the
> >> > > DFS shares, not take ownership of the files or write to them, thus
> >> > affecting
> >> > > replication throughout the organization?
> >> > >
> >> > > Any comments about this or expierences would be appreciated, and I'll
> > buy
> >> > > you a Starbucks.
> >> > > --
> >> > > MCSE: Security, CCNA, A+, Network +, Security+
> >> >
> >> >
> >> >
> >
> >
>
>
>
!