Eikre
May 2, 2009
I would like to set sharing permissions such that a user cannot traverse the folder hierarchy or view the contents of any directory, but CAN read a file if they know exactly what it's called and where it is. So if they want file.txt, they can get it by going directly to \\SERVER\shared\file.txt, but they can't actually look in the "Shared" folder to see any of its contents.

Is there a way to apply that kind of fine-tuned permission with commandline or something? If you're using the shared files GUI, the only granularity you have is whether they can "Read" or not, which is an all-or-nothing package.

CLAM DOWN
Feb 13, 2007

Eikre posted:

I would like to set sharing permissions such that a user cannot traverse the folder hierarchy or view the contents of any directory, but CAN read a file if they know exactly what it's called and where it is. So if they want file.txt, they can get it by going directly to \\SERVER\shared\file.txt, but they can't actually look in the "Shared" folder to see any of its contents.

Is there a way to apply that kind of fine-tuned permission with commandline or something? If you're using the shared files GUI, the only granularity you have is whether they can "Read" or not, which is an all-or-nothing package.

Sounds like you're looking for access-based enumeration: http://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx

peak debt
Mar 11, 2001
No, the only thing that ABE does is hide files if they aren't accessible; it doesn't modify rights at all. You could hide a file by enabling ABE and removing read rights, but then they cannot read the file even if they do know the path.

What you are trying to do isn't possible, "read file" and "list folder contents" are the same bit in Windows file rights.

hihifellow
Jun 17, 2005

Yeah it's possible in other systems like Novell, but not in NTFS.

Though I haven't tried something like a symlink going to the folder.

GreenNight
Feb 19, 2006

We did that poo poo all the time in Novell and when we went to Microsoft all hell broke loose.

Dr. Arbitrary
Mar 15, 2006

Eikre posted:

I would like to set sharing permissions such that a user cannot traverse the folder hierarchy or view the contents of any directory, but CAN read a file if they know exactly what it's called and where it is. So if they want file.txt, they can get it by going directly to \\SERVER\shared\file.txt, but they can't actually look in the "Shared" folder to see any of its contents.

Is there a way to apply that kind of fine-tuned permission with commandline or something? If you're using the shared files GUI, the only granularity you have is whether they can "Read" or not, which is an all-or-nothing package.

Just create a unique hidden share for every single file.

nexxai
Jul 17, 2002

CLAM DOWN posted:

Sounds like you're looking for access-based enumeration: http://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx
Remove "Inherit permissions from object's parent" on the file, set correct read/write permissions on the file, apply. Remove read permissions on the folder. Now they have to use the exact file's path to open it, otherwise they get Access Denied when they try to browse to the folder.
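One way to apply these steps from the command line with icacls, as an added example that is not from the thread; the local path behind the share, the group name and the share name are assumptions:

```powershell
# Added example, not from the thread. Applies nexxai's recipe with icacls:
# break inheritance on the file, grant the group read on the file only, and
# strip the group's rights from the folder. Paths and names are assumptions.
$Folder = 'D:\Shared'                  # assumed local path behind \\SERVER\shared
$File   = Join-Path $Folder 'file.txt'
$Group  = 'CORP\KnownPathReaders'      # assumed group that may open known files

# 1. Stop the file inheriting from the folder; /inheritance:d converts the
#    inherited ACEs into explicit ones so nothing is lost in the process.
icacls $File /inheritance:d

# 2. Explicit read on the file for the group (R = read data, attributes, ACL).
icacls $File /grant "${Group}:(R)"

# 3. Remove every ACE for the group on the folder so the folder itself can
#    neither be listed nor read. Opening the file by its full path still works
#    because Windows grants "Bypass traverse checking" to Everyone by default
#    and the file now carries its own explicit ACE.
icacls $Folder /remove $Group

# If hardening policy has removed that user right, grant traverse only (X) on
# the folder: it allows passing through without listing. Uncomment if needed.
# icacls $Folder /grant "${Group}:(X)"

# 4. Verify. The folder must show no ACE for the group, and none for a broader
#    group the same users belong to (BUILTIN\Users often has RX inherited).
icacls $Folder
icacls $File

# Share permissions are evaluated as well: effective access is the intersection
# of share and NTFS rights, so the group still needs Read on the share itself.
Get-SmbShareAccess -Name 'shared'
```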

vanity slug
Jul 20, 2010

Uh, just remove 'List folder contents' permission? You can still Read files.

CLAM DOWN
Feb 13, 2007

peak debt posted:

No, the only thing that ABE does is hide files if they aren't accessible; it doesn't modify rights at all. You could hide a file by enabling ABE and removing read rights, but then they cannot read the file even if they do know the path.

Oh yeah, I misread.

Eikre
May 2, 2009

nexxai posted:

Remove "Inherit permissions from object's parent" on the file, set correct read/write permissions on the file, apply. Remove read permissions on the folder. Now they have to use the exact file's path to open it, otherwise they get Access Denied when they try to browse to the folder.

Yeah, you're right, that's the way to do it.

Now I just have to find the hook to enable my program to manage read/write permissions.

PUBLIC TOILET
Jun 13, 2009

I wanted to run a GPO issue by you folks and see what you think might be the cause. We have AGPM 4.1 on our GPO server and I'm working on a couple of policies through that. I'm seeing an issue affecting numerous policies where if I generate an HTML report on any of them via AGPM and I look at the links section of the report, the links section will be blank. If I drill down to the actual policy under Group Policy Objects, I can see the OU links there. Our environment has replication across four DCs. Has anyone encountered this issue before? Is it a replication issue or a hosed up AGPM? Or perhaps policies are broken? I'm doing everything correctly (check out, modify, check in, deploy) in AGPM but the reports aren't displaying the proper links information. As an example, I have one policy that has four ADUC accounts under Security Filtering when looking at the actual policy. If I look at the report for that policy in AGPM, it only displays two ADUC accounts.

I saw this hotfix but the symptoms don't sound similar and that is for AGPM 4.0.

PUBLIC TOILET fucked around with this message at 19:35 on Sep 19, 2014

sofokles
Feb 7, 2004

This is a stupid user question. I work in a corporate MS env. Got a problem installing Visio through Office 365, endless install loop that I wanted to show help desk. Been using CamStudio for years, no prob, downloaded and installed, click ok, ok, ok. Turns out this time the installer was loaded. PC Speed Maximizer, goddam mf. I can get a fresh laptop on Monday and get this one reset, but I need to do some work over the weekend, and need to work on some files from the corporate server. How to proceed with caution, but still being able to work? Am I too paranoid when I've turned the thing off from all networking?

mewse
May 2, 2006

sofokles posted:

This is a stupid user question. I work in a corporate MS env. Got a problem installing Visio through Office 365, endless install loop that I wanted to show help desk. Been using CamStudio for years, no prob, downloaded and installed, click ok, ok, ok. Turns out this time the installer was loaded. PC Speed Maximizer, goddam mf. I can get a fresh laptop on Monday and get this one reset, but I need to do some work over the weekend, and need to work on some files from the corporate server. How to proceed with caution, but still being able to work? Am I too paranoid when I've turned the thing off from all networking?

PC speed maximizer is most likely not a virus, just some malware. Get back on the network and install malwarebytes anti-malware and clean off the machine.

mewse fucked around with this message at 18:20 on Sep 21, 2014

sofokles
Feb 7, 2004

mewse posted:

PC speed maximizer is most likely not a virus, just some malware. Get back on the network and install malwarebytes anti-malware and clean off the machine.

Thanks, did a malware scan from a stick and it turned out to be a couple of Trojans in there this time.

Hadlock
Nov 9, 2004

Powershell:

Our use of powershell in our 150 server windows shop is growing by leaps and bounds. I am writing about 4 scripts a week as we consolidate common tasks etc.

We're looking at writing the top 50 or so functions into a companynameframework.ps1 flat file on a fileserver and then loading that at the beginning of most all scripts...?

1. Why is this a bad idea
2. How are we supposed to do this? What is the microsoft best practice?

I am guessing we need to put these on a sharepoint server as pssnapins? I don't want to store a file on every server and keep it updated, surely there's a way to manage a wealth of powershell scripts across a datacenter without resorting to using chef or puppet, etc?

incoherent
Apr 24, 2004

Group policy scheduled tasks where the scripts reside on the built in DFS share for active directory? Unless they're in a DMZ of course.

e: You could also do desired state configuration.

Tequila25
May 12, 2001
I just started a new job and I have a chance to redesign our whole network infrastructure from scratch. The current plan we have goes like this. We have all the hardware already, and use have two internet connections, one cable modem and one fiber. We use the cable for office internet, fiber for the web servers.


I personally was thinking of adding a Cisco router and setting it up like this so we can have fault tolerance in case one of our providers goes down.


We are running our website as a storefront, so we are very concerned about security and keeping customer data safe. Would it be worth adding the expense of the Cisco router? Any other suggestions?

vanity slug
Jul 20, 2010

You're adding two single points of failure to your network.

Thanks Ants
May 21, 2004

If you have the two Sonicwalls already why wouldn't you set them up in HA?

Tequila25
May 12, 2001

Jeoh posted:

You're adding two single points of failure to your network.
I know, but I thought if either failed I could enable a temporary failover configuration with the remaining firewall and reroute everything through that.


Thanks Ants posted:

If you have the two Sonicwalls already why wouldn't you set them up in HA?

I didn't even know this was possible. So have that sitting behind the router and set up a DMZ port on both for servers?

Thanks Ants
May 21, 2004

I think you can even do failover HA, so if you put each of your connections through a switch and connect them up to identical ports on each Sonicwall (e.g. cable in X1, fiber in X2) then you get failover between your connections and an active/standby setup as far as your firewall goes as well. DMZ is just another zone, you've got a lot to play with on a 3600.

sanchez
Feb 26, 2003

Thanks Ants posted:

I think you can even do failover HA, so if you put each of your connections through a switch and connect them up to identical ports on each Sonicwall (e.g. cable in X1, fiber in X2) then you get failover between your connections and an active/standby setup as far as your firewall goes as well. DMZ is just another zone, you've got a lot to play with on a 3600.

This will work fine, any sonicwall will be able to handle it, no router is required. Set up an isolated VLAN for one ISP+sonicwalls on one internal switch and put the other ISP+sonicwalls on the second switch; it should be possible to reduce single points of failure to just the handoff from each ISP. If your internal switches are not very good a pair of 5 port netgears would probably work fine too.

sanchez fucked around with this message at 20:43 on Sep 23, 2014

Zaepho
Oct 31, 2013

Hadlock posted:

Powershell:

Our use of powershell in our 150 server windows shop is growing by leaps and bounds. I am writing about 4 scripts a week as we consolidate common tasks etc.

We're looking at writing the top 50 or so functions into a companynameframework.ps1 flat file on a fileserver and then loading that at the beginning of most all scripts...?

1. Why is this a bad idea
2. How are we supposed to do this? What is the microsoft best practice?

I am guessing we need to put these on a sharepoint server as pssnapins? I don't want to store a file on every server and keep it updated, surely there's a way to manage a wealth of powershell scripts across a datacenter without resorting to using chef or puppet, etc?

This is doable, but honestly, I'd rather build a couple of modules and distribute inside of an MSI. Loading that thing remotely will be annoying. Building a module and an installer for it means you can push it out with SCCM or something like that, and you simply do import-module MyModule. You also have fewer issues with namespace conflicts because you can call your module explicitly (MyModule\get-MyFunction or something along those lines). It also means you can fail gracefully if it's not there. Plus it's more portable! If you change the location of that function script you have to change every script referencing that location. If you just install the module to a module directory, it's there forever.
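What the script side of this looks like once the functions live in an installed module, as an added example that is not Zaepho's or Hadlock's code; the module name, minimum version, function name and install location are assumptions:

```powershell
# Added example (not from the thread): the prologue a script uses when its
# shared functions come from a locally installed module rather than a
# dot-sourced .ps1 on a file share. Module, version and function are assumed.
$ModuleName     = 'CompanyNameFramework'
$MinimumVersion = [version]'1.2.0'

try {
    # -ErrorAction Stop turns "module not found" into a catchable exception;
    # -MinimumVersion refuses a stale install instead of using it silently.
    Import-Module -Name $ModuleName -MinimumVersion $MinimumVersion -ErrorAction Stop
}
catch {
    Write-Error "Required module $ModuleName >= $MinimumVersion is not installed on $env:COMPUTERNAME; deploy the package first. $_"
    exit 1
}

# Confirm the loaded copy came from the machine-wide module path (assumed to be
# where the MSI installs it), which only administrators can write to. A .ps1
# dot-sourced from a file share runs whatever the share's writers put there,
# inside every script and scheduled task that loads it.
$loaded      = Get-Module -Name $ModuleName
$trustedRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'
if (-not $loaded.Path.StartsWith($trustedRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
    Write-Error "Module $ModuleName loaded from unexpected location: $($loaded.Path)"
    exit 1
}

# Module-qualified call: even if another module or a local function also
# defines Get-MyFunction, this resolves to the one in CompanyNameFramework.
$result = CompanyNameFramework\Get-MyFunction -ComputerName $env:COMPUTERNAME
$result
```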

skipdogg
Nov 29, 2004

Tequila25 posted:

We are running our website as a storefront, so we are very concerned about security and keeping customer data safe. Would it be worth adding the expense of the Cisco router? Any other suggestions?

Why are you hosting this stuff internally? I'd be paying to host this somewhere else, anywhere but in a physical small office.

Malcolm XML
Aug 8, 2009

Hadlock posted:

Powershell:

Our use of powershell in our 150 server windows shop is growing by leaps and bounds. I am writing about 4 scripts a week as we consolidate common tasks etc.

We're looking at writing the top 50 or so functions into a companynameframework.ps1 flat file on a fileserver and then loading that at the beginning of most all scripts...?

1. Why is this a bad idea
2. How are we supposed to do this? What is the microsoft best practice?

I am guessing we need to put these on a sharepoint server as pssnapins? I don't want to store a file on every server and keep it updated, surely there's a way to manage a wealth of powershell scripts across a datacenter without resorting to using chef or puppet, etc?

Keep it under source control and use something like oneget

Tequila25
May 12, 2001

skipdogg posted:

Why are you hosting this stuff internally? I'd be paying to host this somewhere else, anywhere but in a physical small office.

Believe me, I'd love to have this stuff hosted in the cloud or at least a colo, but we're not ready to migrate there because of a ton of custom legacy apps we would need to test first, but we need the new network stuff in very soon to restore remote VPN access.

Maneki Neko
Oct 27, 2000

Ugh, we've got a client with a buttload of laptops that need to go from Windows 7 Pro to Windows 7 Enterprise, and of course they want it done OMG RIGHT NOW.

I see there's a godawful stupid registry "hack" (basically changing the version string from "Pro" to "Enterprise") that you can do which then lets you reinstall Windows 7 Enterprise on top of Pro without needing to do a clean install. I normally hate these kinds of things, but I find myself at least considering it.

Anyone gone down this road before? I haven't seen anyone say anything about getting the ol' screwjob because of it, but figured I'd ask around.

MrMoo
Sep 14, 2000

Tequila25 posted:

I just started a new job and I have a chance to redesign our whole network infrastructure from scratch. The current plan we have goes like this. We have all the hardware already, and use have two internet connections, one cable modem and one fiber. We use the cable for office internet, fiber for the web servers.


From scratch? Getting rid of all the servers should be the first goal; go virtual hosting. Guest WiFi should be a VLAN through the access point and switch to the firewall.

Hadlock
Nov 9, 2004

Zaepho posted:

This is doable, but honestly, I'd rather build a couple of modules and distribute inside of an MSI. Loading that thing remotely will be annoying. Building a module and an installer for it means you can push it out with SCCM or something like that, and you simply do import-module MyModule. You also have fewer issues with namespace conflicts because you can call your module explicitly (MyModule\get-MyFunction or something along those lines). It also means you can fail gracefully if it's not there. Plus it's more portable! If you change the location of that function script you have to change every script referencing that location. If you just install the module to a module directory, it's there forever.

Ok, this is an acceptable answer that works inside our existing enterprise ecosystem, thank you sir I will take this into consideration. This is the closest thing I've seen to a "microsoft approved" design so far... but surely there's something baked in to powershell for this?

beejay
Apr 7, 2002

Can anybody tell me a quick rundown of things to do when setting up a file server on 2012 R2 that will be used primarily by Macs? We are getting a lot of reports of weirdness like people not being able to move files/folders, not being able to rename, etc. and they really aren't reproducible. I just want to know if there is a good guide to setting up a Windows file share to be used by Macs.

RICHUNCLEPENNYBAGS
Dec 21, 2010

Maneki Neko posted:

Ugh, we've got a client with a buttload of laptops that need to go from Windows 7 Pro to Windows 7 Enterprise, and of course they want it done OMG RIGHT NOW.

I see there's a godawful stupid registry "hack" (basically changing the version string from "Pro" to "Enterprise") that you can do which then lets you reinstall Windows 7 Enterprise on top of Pro without needing to do a clean install. I normally hate these kinds of things, but I find myself at least considering it.

Anyone gone down this road before? I haven't seen anyone say anything about getting the ol' screwjob because of it, but figured I'd ask around.

This is a supported scenario with the "Windows Anytime Upgrade," right? I don't know why it would cause problems.

Gyshall
Feb 24, 2009

beejay posted:

Can anybody tell me a quick rundown of things to do when setting up a file server on 2012 R2 that will be used primarily by Macs? We are getting a lot of reports of weirdness like people not being able to move files/folders, not being able to rename, etc. and they really aren't reproducible. I just want to know if there is a good guide to setting up a Windows file share to be used by Macs.

Depends on the version of the Mac clients.

My recommendations:

1) Set up NFS for the share in question

or

2) try having the Mac clients connect using CIFS:// instead of SMB:// as the protocol.

I've also run Acronis ExtremeZ-IP which is pretty nice, but you're going to be using a third party software and have to rely on that, etc.

The big problem is that Apple changed the way SMB works a few years ago in OSX, so you see things like file desynchronization, out of date files, permissions/dates being wrong, etc on Windows shares.

beejay
Apr 7, 2002

Thanks. So even on 10.7 and 10.8 cifs is the way to go? I know on 10.9 it solves a lot of problems.

Maneki Neko
Oct 27, 2000

RICHUNCLEPENNYBAGS posted:

This is a supported scenario with the "Windows Anytime Upgrade," right? I don't know why it would cause problems.

It is not sadly. :(

Dans Macabre
Apr 24, 2004


I'm looking for "Carbonite but in ~my private cloud~" :yaycloud: in other words: I want a product that automatically backs up selected folders on my users' workstations to my data center over the WAN. I played with Work Folders on 2012R2 for a bit but I'd like something to offer my Mac users as well. Any ideas?

The goal is to cover my rear end when VPs save stuff on their local laptop, travel all the time, and then lose the laptop.

nexxai
Jul 17, 2002

NevergirlsOFFICIAL posted:

I'm looking for "Carbonite but in ~my private cloud~" :yaycloud: in other words: I want a product that automatically backs up selected folders on my users' workstations to my data center over the WAN. I played with Work Folders on 2012R2 for a bit but I'd like something to offer my Mac users as well. Any ideas?

The goal is to cover my rear end when VPs save stuff on their local laptop, travel all the time, and then lose the laptop.
I don't use it myself but I've heard pretty good things about https://www.aerofs.com/

Thanks Ants
May 21, 2004

Haven't you just described CrashPlan Pro?

Dans Macabre
Apr 24, 2004


Thanks Ants posted:

Haven't you just described CrashPlan Pro?

I thought crashplan just backs up to their own servers. I want to back up to MY server.

Dans Macabre
Apr 24, 2004


nexxai posted:

I don't use it myself but I've heard pretty good things about https://www.aerofs.com/

thanks this looks nice!

Thanks Ants
May 21, 2004

NevergirlsOFFICIAL posted:

I thought crashplan just backs up to their own servers. I want to back up to MY server.

Sorry, missed the e off the end.

http://www.code42.com/enterprise/private-cloud.html
