Re: Replacing groupname on share permissions

From: Randy Snyder (aggie07_at_austin.rr.com)
Date: 07/25/04 

Date: Sun, 25 Jul 2004 00:09:52 GMT

Al Dunbar [MS-MVP] wrote:

> "Randy Snyder" <aggie07@austin.rr.com> wrote in message
> news:sFBMc.25830$pR5.19229@fe2.texas.rr.com...
>
>>I am needing to change the share level permission where GroupA replaces
>>GroupB. Has anyone done this? Can you point me in the right location. I
>>have looked at Win32_Share for WMI and it doesn't have this functionality.
>
>
> IMHO, the replacement of group with another in an ACL is not an elemental
> operation. What you need to do is to create a new ACL to give groupA the
> required access, and then revoke the access of GroupB. I suppose you could
> create your own function to simulate this, i.e.:
>
> function permreplace(object, oldgroup, newgroup)
> for each acl on object that oldgroup has
> create a similar acl for newgroup
> revoke the acl for oldgroup
> next
> end function
>
> I think, though, that this would imply a poorly thought out permissions
> management strategy. Better to have a single group given access to the
> share, and populate that group with whatever other groups need access.
> Changing permissions is generally something that should be done when the
> resource is created, and as infrequently as possible thereafter.
>
> /Al
>
>
Thank you for your response; however, the issue not one of poorly
managed access models, but is the poorly designed security which
Microsoft built in to it's Windows platform. I am looking for a way to
remove the Everyone group, which is added to share permissions by
default, from a large number of shares (thousands of shares) and replace
it with authenticated users. If Microsoft has a method to do this, I'd
like to hear it.

Relevant Pages

  • Re: Conflicting AD groups
    ... So if a Windows User1 is a member of GroupA and GroupB and SQL Server creates a login for both GroupA and GroupB, the User1 will be able to connect and will have the permissions of both. ...
    (microsoft.public.sqlserver.security)
  • Re: Everyone take ownership
    ... I change its permissions so only GROUPA and ... > in GROUPA or GROUPB can claim Ownership of the folder. ... Looks like the permission is inherited from the parent folder. ...
    (microsoft.public.win2000.security)
  • Re: Forcing Refresh of Credentials
    ... just to update the access tokens in place. ... > permissions to a particular share. ... > However, if an administrator adds you to GroupB, and GroupB has Full ...
    (microsoft.public.windows.server.general)
  • Re: Replacing groupname on share permissions
    ... the replacement of group with another in an ACL is not an elemental ... What you need to do is to create a new ACL to give groupA the ... and then revoke the access of GroupB. ... Changing permissions is generally something that should be done when the ...
    (microsoft.public.scripting.wsh)
  • Re: removing user from domain users group doesnt help
    ... What I would do is to give that global group deny access this computer from ... only access shares on that server. ... give that group deny permissions for other shares on that server. ...
    (microsoft.public.windows.server.security)