Re: can't get access to disk share when connecting from a remote s
From: jong (jong_at_discussions.microsoft.com)
Date: 01/07/05
- Next message: Stephen Fralich: "Re: netsh and DHCP server"
- Previous message: Michael Harris \(MVP\): "Re: Remove environment variable"
- In reply to: Al Dunbar [MS-MVP]: "Re: can't get access to disk share when connecting from a remote s"
- Next in thread: Al Dunbar [MS-MVP]: "Re: can't get access to disk share when connecting from a remote s"
- Reply: Al Dunbar [MS-MVP]: "Re: can't get access to disk share when connecting from a remote s"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 7 Jan 2005 14:35:02 -0800
this is for use in a mfg line environment where systems running XP roll down
an assembly line. The systems are DUTs (device under test). The XP image is
restored from a 'golden drive' drive image that I don't control. When the
systems are powered up for the first time I want to run a script that will
change the system name to a pre-defined 'bench' name, and create a 'share'
for each of the drives within the system (c: d: and v:). After rebooting and
logging in the system is then 'tested' by a test system. Part of this test
system is a PC that needs to read and write files on the 'DUT'.
Everything in the scripts work except the file permissions below the shares
on the DUT, which got me to this usergroup. I can have my technicians setup
the shares on the DUTs manually, after they run my rename script, but I would
rather not have to rely on that many more 'manual' steps.
I hope that sheds more light on my situation. If it were just setting
permissions on a server I would never have gone down this path.
at any rate the script that I included in this original post 'seemed' to set
everything correctly if I was to go off of the GUI that is displayed from
explorer when you right-click a drive, and view the security & sharing...the
'let network users change my files' checkbox is checked....but as you know
this really is not the case. However if I un-check and then re-check this
the file permissions are then 'reset' (or perhaps set for the first time) and
everything works fine. I still think that this is the key to this whole
thing.
I know that I am not the first person to do this type of thing, so there
must be something that I am missing.
anyway, do you have any ideas as to where I can look further, or where I
might ask someone else?
Please let me know, and thanks again for your help.
"Al Dunbar [MS-MVP]" wrote:
>
> "jong" <jong@discussions.microsoft.com> wrote in message
> news:42C0A8E4-8CA2-45FF-AAAE-6DD859D95F26@microsoft.com...
> > OK, since my script below just sets the permissions for mounting the
> share,
>
> Although I do not know offhand what the various values of FILE_SHARE mean or
> what that particular parameter means to the .create method, I suspect that
> the "permissions" being assigned are simply defaulting to some setting,
> likely full access to everyone, which, as I said earlier, makes the most
> sense.
>
> > and not the files within, or below the shared drive, can you, or someone
> help
> > me put together a script that will set the permissions for all files on
> that
> > share?
>
> Do you need a script, or do you just need to set the permissions on the
> underlying NTFS files and folders as required for the use you have in mind?
> If you feel you need to script it, then the simplest way (IMHO) would be to
> use CACLS.EXE. Setting up NTFS permissions at a lower level from within
> script using ADsSecurity.dll is not for the faint of heart.
>
> > I need to be able to read/write the files below that share when it is
> > mapped to a drive letter 'from' another.
>
> Then set the NTFS permissions such that those accounts that need this access
> to the files located there have it.
>
> > Maybe an easier script is one that will mount the C$ administrative share
> on
> > a remote machine to a local drive letter?
>
> That should work assuming your account has the access required to map to
> admin shares. But you still need to have the NTFS permissions setup to allow
> for the access you require.
>
>
> /Al
>
>
> > Anyway help if you can...
> >
> > "Al Dunbar [MS-MVP]" wrote:
> >
> > >
> > > "jong" <jong@discussions.microsoft.com> wrote in message
> > > news:06E95FE2-5D40-4C92-AED7-F42D3883D806@microsoft.com...
> > > > Hi Al,
> > > >
> > > > I will keep my responses up here in order to keep things readable &
> > > > collected.
> > > >
> > > > When I am connecting to the shares created by the script I always
> connect
> > > > with the admin username and password of the system that the shares are
> on;
> > > > not the admin account of the local system.
> > >
> > > That seems right. Assuming that the share is permitted read/write/full
> > > access to the administrator account on that workstation, then that
> > > connection (I assume you mean you have mapped the share to a drive
> letter)
> > > should allow access to all files and subfolders, at least as allowed by
> the
> > > NTFS permissions on the files and folders themselves.
> > >
> > > > as for your comment about placement of the password in the net use cmd
> > > below
> > > > I cannot do that as the syntax would then be incorrect, and the cmd
> would
> > > > fail to execute.
> > >
> > > OK.
> > >
> > > > for the c$, d$, v$ administrative shares do you have any reason as to
> why
> > > I
> > > > cannot mount these using that system's admin username and password?
> > >
> > > I have no idea why that would be the case.
> > >
> > > > As I
> > > > said before I never had a problem with this until I moved my systems
> to
> > > winXP.
> > >
> > > What were you running before, w2k, nt4, or 9x?
> > >
> > > > a new question that I have is 'should' my original script provide
> > > read/write
> > > > access to the shares by default when I connect with the FILE_SHARE
> > > constant
> > > > set to zero (0).
> > >
> > > I do not recall what the zero means, but you should be able to examine
> the
> > > share directly on the workstation using compmgmt.msc to determine if the
> > > result is as you want it.
> > >
> > > > I assume that this would be true since the 'allow network users to
> change
> > > my
> > > > files' checkbox is checked after I run the script. As I said in my
> > > original
> > > > message everthing will work as expected if I 'toggle' this checkbox
> after
> > > the
> > > > script has been run (un-check it, and then re-check it) since it
> forces
> > > the
> > > > permissions to be reset. To me this seems to be the key to the whole
> > > > issue...it is like this permission doesn't get propigated to all of
> the
> > > > folders & files below each of the drives. Can anybody comment on
> this?
> > >
> > > Seems odd. But do not expect permissions applied to the share by script
> > > (i.e. not the folder being shared, but the share itself) to replicate to
> > > subfolders. I do not know if that replication would be done through the
> GUI
> > > tools, but I do not think it should -- unless perhaps you are running XP
> > > Home, which tends to simplify/dumb-down the security side of things to
> make
> > > administration easier for non-technical types.
> > >
> > > In my environment, we give ALL users FULL access to ALL shares. In the
> > > likely event that permissions need to be somewhat more restricted than
> that,
> > > we do all of our permission management at the NTFS level.
> > >
> > > > Is there another 'MVP' that can help with this since you admit to not
> > > having
> > > > much experience with this? Nothing personal, and I thank you for the
> help
> > > so
> > > > far, but I really need to get some understanding here.
> > >
> > > You need not worry about my taking your above comment personally. I have
> > > provided what info I can, knowing it was incomplete to your problem, and
> it
> > > is obvious from what you have said that you appreciate the attempt.
> > >
> > > As to other MVP's who might have more to say in the area, I do not know
> any
> > > of them that well -- it would be up to them to step forward and comment
> > > further. Perhaps lots of them are still in the festive mood and have not
> > > come back down to newsgroup earth following their celebrations... ;-)
> > >
> > > /Al
> > >
> > > >
> > > >
> > > >
> > > >
> > > > "Al Dunbar [MS-MVP]" wrote:
> > > >
> > > > >
> > > > > "jong" <jong@discussions.microsoft.com> wrote in message
> > > > > news:0B97F346-183E-40C9-AF1D-BF64F32B7318@microsoft.com...
> > > > > > Al,
> > > > > >
> > > > > > As I noted in this post I am connecting as the local
> administrator,
> > > but
> > > > > > still don't get permission to access anything below the folders.
> > > > >
> > > > > I also just noticed that you mention the computer as belonging to a
> > > > > workgroup, a networking environment I have little experience with...
> > > > >
> > > > > > I have
> > > > > > tried to access c$...as you noted, but when I try to connect to
> these
> > > > > shares
> > > > > > I always get an access denied error, so I cannot get the shares to
> > > mount
> > > > > on
> > > > > > the remote system.
> > > > >
> > > > > The administrator account on one system will not automatically have
> > > access
> > > > > to folders on another just because it is an administrator account
> > > elsewhere.
> > > > >
> > > > > > I never had that problem till we rolled to windows XP.
> > > > > > At any rate I am always mounting using the administrator
> user/pass.
> > > > >
> > > > > When logged on at computer AAAA and attempting to map to shares on
> > > computer
> > > > > BBBB, which administrator account do you provide the credentials
> for,
> > > the
> > > > > one on AAAA or the one on BBBB?
> > > > >
> > > > > > I have
> > > > > > even tried using the <remoteSystemName> with the administrator
> > > username
> > > > > but
> > > > > > that has not helped. Example:
> > > > > >
> > > > > > net use x: \\<remoteSystem>\c$ <remoteSystemPassword>
> > > > > > /user:<remoteSystemName>\administrator
> > > > >
> > > > > Assuming that "remoteSystemName" is the name of the system whose
> shares
> > > you
> > > > > want to map, you might want to place the password *after* the /user
> > > > > parameter.
> > > > >
> > > > > > Anymore ideas? Any ideas why the c$, d$, or v$ administrative
> shares
> > > are
> > > > > > being blocked?
> > > > >
> > > > > I believe that, by default, these admin shares are not available to
> all
> > > > > users.
> > > > >
> > > > > /Al
> > > > >
> > > > > > "Al Dunbar [MS-MVP]" wrote:
> > > > > >
> > > > > > >
> > > > > > > "jong" <jong@discussions.microsoft.com> wrote in message
> > > > > > > news:AE4CE427-6033-49AA-9DA7-CD85B99A2C06@microsoft.com...
> > > > > > > > I hope that you can help me out. I have adapted some code to
> > > create a
> > > > > > > script
> > > > > > > > that will share three drives on a local computer. The script
> > > executes
> > > > > OK,
> > > > > > > > and the shares 'seem' to be setup correctly, but when they are
> > > > > connected
> > > > > > > 'to'
> > > > > > > > from a remote system I cannot access any folders below them
> > > outside of
> > > > > a
> > > > > > > few
> > > > > > > > below the 'Documents and Settings'. If I vew the share
> properties
> > > on
> > > > > the
> > > > > > > > system via explorer they indicate they correct. The only way
> that
> > > I
> > > > > can
> > > > > > > get
> > > > > > > > full access to folders is if I disable & re-enable the "allow
> > > network
> > > > > > > users
> > > > > > > > to change my files" checkbox. After doing that the
> permissions
> > > are
> > > > > reset
> > > > > > > and
> > > > > > > > access is fine from the remote system.
> > > > > > >
> > > > > > > You seem to be sharing out local drives C:, D:, and V: with
> > > sharenames
> > > > > of c,
> > > > > > > d, and v, respectively. These should already be shared out as
> c$,
> > > d$,
> > > > > and
> > > > > > > v$, so it is not clear why you are adding the additional
> redundant
> > > > > > > sharenames.
> > > > > > >
> > > > > > > But, aside from that, I think the problem is that you migth be
> > > > > connecting to
> > > > > > > these shares with an account that lacks sufficient privileges to
> get
> > > > > past
> > > > > > > the NTFS permissions on the folders in question.
> > > > > > >
> > > > > > > /Al
> > > > > > >
> > > > > > > > I have tried running the two scripts noted below, but they did
> not
> > > > > resolve
> > > > > > > > the issue either:
> > > > > > > >
> > > > > > > > From: Max L. Vaughn (maxvonl...@microsoft.com)
> > > > > > > > Subject: RE: Add User to sharefolder
> > > > > > > > Newsgroups: microsoft.public.platformsdk.adsi
> > > > > > > > Date: 2001-11-16 14:01:51 PST
> > > > > > > > http://groups.google.com/groups?selm=ejzoroubBHA.253%
> > > > > > > > 40cppssbbsa01.microsoft.com
> > > > > > > >
> > > > > > > > From: [MS] Tim Chen (timchen2...@hotmail.com)
> > > > > > > > Subject: Re: Folder Security
> > > > > > > > Newsgroups: microsoft.public.win32.programmer.wmi
> > > > > > > > Date: 2002-06-13 13:06:05 PST
> > > > > > > >
> > > > >
> http://groups.google.com/groups?selm=3d08f9d7%241%40news.microsoft.com
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > The computer that has this script run on it is part of a
> > > workgroup.
> > > > > The
> > > > > > > > share is being mounted on the remote computer using the
> "shared
> > > > > computer'
> > > > > > > s"
> > > > > > > > administrator username and password.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Anyway I will continue to search, but it sure would be nice to
> get
> > > > > some
> > > > > > > help.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > '
> > > > > > > >
> > > > > > > > strFileName = "sharedrives.vbs"
> > > > > > > >
> > > > > > > > strScriptVersion = "1.0"
> > > > > > > >
> > > > > > > > '
> > > > > > > >
> > > > > > > > ' COMMENT:
> > > > > > > >
> > > > > > > > ' This script will share system drives c, d, and v.
> > > > > > > >
> > > > > > > > '
> > > > > > > >
> > > > > > > > '
> > > > > > > >
> > > > > > > > '
> > > > > > > >
> > > > > > > > '
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > >
> > >
> '==========================================================================
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Error Resume Next
> > > > > > > >
> > > > > > > > 'dump script name and version info
> > > > > > > >
> > > > > > > > WScript.Echo "FileName: " & strFileName &vbCrLf & "Version: "
> &
> > > > > > > > strScriptVersion &vbCrLf
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'define vars
> > > > > > > >
> > > > > > > > Dim strComputer
> > > > > > > >
> > > > > > > > Dim intTotalErrors
> > > > > > > >
> > > > > > > > Dim strShareFolder
> > > > > > > >
> > > > > > > > Dim strShareName
> > > > > > > >
> > > > > > > > Dim strShareDescription
> > > > > > > >
> > > > > > > > Dim objWMIService
> > > > > > > >
> > > > > > > > Dim objNewShare
> > > > > > > >
> > > > > > > > Const FILE_SHARE = 0
> > > > > > > >
> > > > > > > > Const MAXIMUM_CONNECTIONS = 25
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'set strComputer to local computer
> > > > > > > >
> > > > > > > > strComputer = "."
> > > > > > > >
> > > > > > > > intTotalErrors = 0
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'use GetObject to connect to the WMI cimv2 namespace on the
> local
> > > > > computer
> > > > > > > >
> > > > > > > > Set objWMIService = GetObject("winmgmts:" _
> > > > > > > >
> > > > > > > > & "{impersonationLevel=impersonate}!\\" & strComputer &
> > > > > "\root\cimv2")
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'create an instace of the win32_share object
> > > > > > > >
> > > > > > > > Set objNewShare = objWMIService.Get("Win32_Share")
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'Use the Create method to create the system root share, and
> trap
> > > any
> > > > > > > errors.
> > > > > > > > The create method is passed the following parameter values:
> > > > > > > >
> > > > > > > > strShareFolder = "C:\" '
> areFolder -
> > > > > Local
> > > > > > > path
> > > > > > > > of the folder being shared.
> > > > > > > >
> > > > > > > > strShareName = "c" '
> eName -
> > > > > Network
> > > > > > > > name to be assigned to the new share.
> > > > > > > >
> > > > > > > > '
> E -
> > > > > Constant
> > > > > > > > indicating that the new share is a standard network file
> share.
> > > > > > > >
> > > > > > > > '
> MAXIMUM_CONNECTIONS -
> > > > > Constant
> > > > > > > > setting the maximum number of simultaneous connections
> > > > > > > >
> > > > > > > > ' to the new share
> to
> > > 25.
> > > > > > > >
> > > > > > > > strShareDescription = "system root share" '
> strShareDescription -
> > > > > > > > Description available to users accessing the share through
> Network
> > > > > > > > Neighborhood.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > errReturn = objNewShare.Create (strShareFolder, strShareName,
> > > > > FILE_SHARE,
> > > > > > > > MAXIMUM_CONNECTIONS, strShareDescription)
> > > > > > > >
> > > > > > > > intTotalErrors = intTotalErrors + errReturn
> > > > > > > >
> > > > > > > > If intTotalErrors <> 0 Then
> > > > > > > >
> > > > > > > > Wscript.Echo strProcess & " sharedrives FAILED!" &
> vbCrLf _
> > > > > > > >
> > > > > > > > & "Contact Test Engineering before
> continuing
> > > on."
> > > > > > > >
> > > > > > > > End If
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'Use the Create method to create the system data share, and
> trap
> > > any
> > > > > > > errors.
> > > > > > > > The create method is passed the following parameter values:
> > > > > > > >
> > > > > > > > strShareFolder = "D:\" '
> areFolder -
> > > > > Local
> > > > > > > path
> > > > > > > > of the folder being shared.
> > > > > > > >
> > > > > > > > strShareName = "d" '
> eName -
> > > > > Network
> > > > > > > > name to be assigned to the new share.
> > > > > > > >
> > > > > > > > '
> E -
> > > > > Constant
> > > > > > > > indicating that the new share is a standard network file
> share.
> > > > > > > >
> > > > > > > > '
> MAXIMUM_CONNECTIONS -
> > > > > Constant
> > > > > > > > setting the maximum number of simultaneous connections
> > > > > > > >
> > > > > > > > ' to the new share
> to
> > > 25.
> > > > > > > >
> > > > > > > > strShareDescription = "system data share" '
> strShareDescription -
> > > > > > > > Description available to users accessing the share through
> Network
> > > > > > > > Neighborhood.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > errReturn = objNewShare.Create (strShareFolder, strShareName,
> > > > > FILE_SHARE,
> > > > > > > > MAXIMUM_CONNECTIONS, strShareDescription)
> > > > > > > >
> > > > > > > > intTotalErrors = intTotalErrors + errReturn
> > > > > > > >
> > > > > > > > If intTotalErrors <> 0 Then
> > > > > > > >
> > > > > > > > Wscript.Echo strProcess & " sharedrives FAILED!" &
> vbCrLf _
> > > > > > > >
> > > > > > > > & "Contact Test Engineering before
> continuing
> > > on."
> > > > > > > >
> > > > > > > > End If
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'Use the Create method to create the system video share, and
> trap
> > > any
> > > > > > > > errors. The create method is passed the following parameter
> > > values:
> > > > > > > >
> > > > > > > > strShareFolder = "V:\" '
> areFolder -
> > > > > Local
> > > > > > > path
> > > > > > > > of the folder being shared.
> > > > > > > >
> > > > > > > > strShareName = "v" '
> eName -
> > > > > Network
> > > > > > > > name to be assigned to the new share.
> > > > > > > >
> > > > > > > > '
> E -
> > > > > Constant
> > > > > > > > indicating that the new share is a standard network file
> share.
> > > > > > > >
> > > > > > > > '
> MAXIMUM_CONNECTIONS -
> > > > > Constant
> > > > > > > > setting the maximum number of simultaneous connections
> > > > > > > >
> > > > > > > > ' to the new share
> to
> > > 25.
> > > > > > > >
> > > > > > > > strShareDescription = "system video share" '
> > > trShareDescription -
> > > > > > > > Description available to users accessing the share through
> Network
> > > > > > > > Neighborhood.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > errReturn = objNewShare.Create (strShareFolder, strShareName,
> > > > > FILE_SHARE,
> > > > > > > > MAXIMUM_CONNECTIONS, strShareDescription)
> > > > > > > >
> > > > > > > > intTotalErrors = intTotalErrors + errReturn
> > > > > > > >
> > > > > > > > If intTotalErrors <> 0 Then
> > > > > > > >
> > > > > > > > Wscript.Echo strProcess & " sharedrives FAILED!" &
> vbCrLf _
> > > > > > > >
> > > > > > > > & "Contact Test Engineering before
> continuing
> > > on."
> > > > > > > >
> > > > > > > > End If
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > WScript.Quit intTotalErrors
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ' Network Share Return Values
> > > > > > > >
> > > > > > > > '
> > > > > > > >
> > > > > > > > ' Value Description
> > > > > > > >
> > > > > > > > ' 0 The operation completed successfully.
> > > > > > > >
> > > > > > > > ' 2 The operation could not be completed because access was
> > > denied.
> > > > > > > >
> > > > > > > > ' 8 The operation could not be completed because of an unknown
> > > > > problem.
> > > > > > > >
> > > > > > > > ' 9 The operation could not be completed because an invalid
> name
> > > was
> > > > > > > > specified.
> > > > > > > >
> > > > > > > > ' 10 The operation could not be completed because an invalid
> level
> > > was
> > > > > > > > specified.
> > > > > > > >
> > > > > > > > ' 21 The operation could not be completed because an invalid
> > > parameter
> > > > > was
> > > > > > > > specified.
> > > > > > > >
> > > > > > > > ' 22 The operation could not be completed because a share by
> this
> > > name
> > > > > > > > already exists.
> > > > > > > >
> > > > > > > > ' 23 The operation could not be completed because this is a
> > > redirected
> > > > > > > path.
> > > > > > > >
> > > > > > > > ' 24 The operation could not be completed because the
> specified
> > > folder
> > > > > > > could
> > > > > > > > not be found.
> > > > > > > >
> > > > > > > > ' 25 The operation could not be completed because the
> specified
> > > server
> > > > > > > could
> > > > > > > > not be found.
> > > > > > > >
> > > > > > > > ' Other The operation could not be completed.
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
>
>
>
- Next message: Stephen Fralich: "Re: netsh and DHCP server"
- Previous message: Michael Harris \(MVP\): "Re: Remove environment variable"
- In reply to: Al Dunbar [MS-MVP]: "Re: can't get access to disk share when connecting from a remote s"
- Next in thread: Al Dunbar [MS-MVP]: "Re: can't get access to disk share when connecting from a remote s"
- Reply: Al Dunbar [MS-MVP]: "Re: can't get access to disk share when connecting from a remote s"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
