Group Policy to secure DFS Share

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi All,

Is it possible to use group policy to secure distributed file system shares
on member servers, so that administrators of those servers can only read the
DFS shares, not take ownership of the files or write to them, thus affecting
replication throughout the organization?

Any comments about this or expierences would be appreciated, and I'll buy
you a Starbucks.
--
MCSE: Security, CCNA, A+, Network +, Security+
6 answers Last reply
More about group policy secure share
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi wosully,

    AFAIK, no.

    Administrator can always take ownership.

    br,
    Denis

    "wosully" <wosully@discussions.microsoft.com> wrote in message
    news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
    > Hi All,
    >
    > Is it possible to use group policy to secure distributed file system
    shares
    > on member servers, so that administrators of those servers can only read
    the
    > DFS shares, not take ownership of the files or write to them, thus
    affecting
    > replication throughout the organization?
    >
    > Any comments about this or expierences would be appreciated, and I'll buy
    > you a Starbucks.
    > --
    > MCSE: Security, CCNA, A+, Network +, Security+
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Wouldn't group policy be able to stop a group from taking ownership through
    the File System permissions setting, under Widows settings, security
    settings? It looks like it could, but I don't know if it woould work with
    DFS and if admins really could take ownership then.

    --
    MCSE: Security, CCNA, A+, Network +, Security+


    "Denis Wong @ Hong Kong" wrote:

    > Hi wosully,
    >
    > AFAIK, no.
    >
    > Administrator can always take ownership.
    >
    > br,
    > Denis
    >
    > "wosully" <wosully@discussions.microsoft.com> wrote in message
    > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
    > > Hi All,
    > >
    > > Is it possible to use group policy to secure distributed file system
    > shares
    > > on member servers, so that administrators of those servers can only read
    > the
    > > DFS shares, not take ownership of the files or write to them, thus
    > affecting
    > > replication throughout the organization?
    > >
    > > Any comments about this or expierences would be appreciated, and I'll buy
    > > you a Starbucks.
    > > --
    > > MCSE: Security, CCNA, A+, Network +, Security+
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    "wosully" <wosully@discussions.microsoft.com> wrote in message
    news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
    > Wouldn't group policy be able to stop a group from taking ownership
    through
    > the File System permissions setting, under Widows settings, security
    > settings? It looks like it could, but I don't know if it woould work with
    > DFS and if admins really could take ownership then.
    >
    > --
    > MCSE: Security, CCNA, A+, Network +, Security+
    >
    >
    > "Denis Wong @ Hong Kong" wrote:
    >
    > > Hi wosully,
    > >
    > > AFAIK, no.
    > >
    > > Administrator can always take ownership.
    > >
    > > br,
    > > Denis
    > >
    > > "wosully" <wosully@discussions.microsoft.com> wrote in message
    > > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
    > > > Hi All,
    > > >
    > > > Is it possible to use group policy to secure distributed file system
    > > shares
    > > > on member servers, so that administrators of those servers can only
    read
    > > the
    > > > DFS shares, not take ownership of the files or write to them, thus
    > > affecting
    > > > replication throughout the organization?
    > > >
    > > > Any comments about this or expierences would be appreciated, and I'll
    buy
    > > > you a Starbucks.
    > > > --
    > > > MCSE: Security, CCNA, A+, Network +, Security+
    > >
    > >
    > >
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi,

    Pls point out exactly which policy that stops administrators from taking
    ownership which I am not aware of.

    If administrators cannot take ownership, then you might end up with files
    that no one can access.

    br,
    Denis

    "wosully" <wosully@discussions.microsoft.com> wrote in message
    news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
    > Wouldn't group policy be able to stop a group from taking ownership
    through
    > the File System permissions setting, under Widows settings, security
    > settings? It looks like it could, but I don't know if it woould work with
    > DFS and if admins really could take ownership then.
    >
    > --
    > MCSE: Security, CCNA, A+, Network +, Security+
    >
    >
    > "Denis Wong @ Hong Kong" wrote:
    >
    > > Hi wosully,
    > >
    > > AFAIK, no.
    > >
    > > Administrator can always take ownership.
    > >
    > > br,
    > > Denis
    > >
    > > "wosully" <wosully@discussions.microsoft.com> wrote in message
    > > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
    > > > Hi All,
    > > >
    > > > Is it possible to use group policy to secure distributed file system
    > > shares
    > > > on member servers, so that administrators of those servers can only
    read
    > > the
    > > > DFS shares, not take ownership of the files or write to them, thus
    > > affecting
    > > > replication throughout the organization?
    > > >
    > > > Any comments about this or expierences would be appreciated, and I'll
    buy
    > > > you a Starbucks.
    > > > --
    > > > MCSE: Security, CCNA, A+, Network +, Security+
    > >
    > >
    > >
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    If the issue is of trusting the administrators on a domain to not 'abuse' or
    'misuse' their 'power', then perhaps they should not be administrators?

    Ken

    "Denis Wong @ Hong Kong" <H_O_T_A_P_P_S_@_H_O_T_M_A_I_L_._C_O_M> wrote in
    message news:umAww01hFHA.1788@TK2MSFTNGP12.phx.gbl...
    > Hi,
    >
    > Pls point out exactly which policy that stops administrators from taking
    > ownership which I am not aware of.
    >
    > If administrators cannot take ownership, then you might end up with files
    > that no one can access.
    >
    > br,
    > Denis
    >
    > "wosully" <wosully@discussions.microsoft.com> wrote in message
    > news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
    >> Wouldn't group policy be able to stop a group from taking ownership
    > through
    >> the File System permissions setting, under Widows settings, security
    >> settings? It looks like it could, but I don't know if it woould work
    >> with
    >> DFS and if admins really could take ownership then.
    >>
    >> --
    >> MCSE: Security, CCNA, A+, Network +, Security+
    >>
    >>
    >> "Denis Wong @ Hong Kong" wrote:
    >>
    >> > Hi wosully,
    >> >
    >> > AFAIK, no.
    >> >
    >> > Administrator can always take ownership.
    >> >
    >> > br,
    >> > Denis
    >> >
    >> > "wosully" <wosully@discussions.microsoft.com> wrote in message
    >> > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
    >> > > Hi All,
    >> > >
    >> > > Is it possible to use group policy to secure distributed file system
    >> > shares
    >> > > on member servers, so that administrators of those servers can only
    > read
    >> > the
    >> > > DFS shares, not take ownership of the files or write to them, thus
    >> > affecting
    >> > > replication throughout the organization?
    >> > >
    >> > > Any comments about this or expierences would be appreciated, and I'll
    > buy
    >> > > you a Starbucks.
    >> > > --
    >> > > MCSE: Security, CCNA, A+, Network +, Security+
    >> >
    >> >
    >> >
    >
    >
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    I have tested and there is NO policy at all that can restrict an individual
    with administrative rights on a computer from taking ownership; however, we
    can set file permissions on the folder through group policy, but the
    individual could still take ownership, change permissions, then, at group
    policy refresh, the file settings are changed back, but the file changes
    would have already taken place.

    I agree that they should be trusted or not be administrators, and this is
    the only policy I support, and will continue to do so.

    These admins are file server admins, but some of them are not knowledgeable
    regarding DFS and the replication consequences of introducing too many files
    tp the DFS system.

    Thanks again for the responses and thoughts.
    --
    MCSE: Security, CCNA, A+, Network +, Security+


    "Ken B" wrote:

    > If the issue is of trusting the administrators on a domain to not 'abuse' or
    > 'misuse' their 'power', then perhaps they should not be administrators?
    >
    > Ken
    >
    > "Denis Wong @ Hong Kong" <H_O_T_A_P_P_S_@_H_O_T_M_A_I_L_._C_O_M> wrote in
    > message news:umAww01hFHA.1788@TK2MSFTNGP12.phx.gbl...
    > > Hi,
    > >
    > > Pls point out exactly which policy that stops administrators from taking
    > > ownership which I am not aware of.
    > >
    > > If administrators cannot take ownership, then you might end up with files
    > > that no one can access.
    > >
    > > br,
    > > Denis
    > >
    > > "wosully" <wosully@discussions.microsoft.com> wrote in message
    > > news:056CDE2A-9EE2-47D0-A527-30F4D17E894C@microsoft.com...
    > >> Wouldn't group policy be able to stop a group from taking ownership
    > > through
    > >> the File System permissions setting, under Widows settings, security
    > >> settings? It looks like it could, but I don't know if it woould work
    > >> with
    > >> DFS and if admins really could take ownership then.
    > >>
    > >> --
    > >> MCSE: Security, CCNA, A+, Network +, Security+
    > >>
    > >>
    > >> "Denis Wong @ Hong Kong" wrote:
    > >>
    > >> > Hi wosully,
    > >> >
    > >> > AFAIK, no.
    > >> >
    > >> > Administrator can always take ownership.
    > >> >
    > >> > br,
    > >> > Denis
    > >> >
    > >> > "wosully" <wosully@discussions.microsoft.com> wrote in message
    > >> > news:543571E6-3366-4A36-B9B3-83A4F1F0A8FD@microsoft.com...
    > >> > > Hi All,
    > >> > >
    > >> > > Is it possible to use group policy to secure distributed file system
    > >> > shares
    > >> > > on member servers, so that administrators of those servers can only
    > > read
    > >> > the
    > >> > > DFS shares, not take ownership of the files or write to them, thus
    > >> > affecting
    > >> > > replication throughout the organization?
    > >> > >
    > >> > > Any comments about this or expierences would be appreciated, and I'll
    > > buy
    > >> > > you a Starbucks.
    > >> > > --
    > >> > > MCSE: Security, CCNA, A+, Network +, Security+
    > >> >
    > >> >
    > >> >
    > >
    > >
    >
    >
    >
Ask a new question

Read More

Policy DFS Servers Windows