Create Share - Add/Remove Shared Resource



NewsArchive
11-05-2009, 02:48 AM
Using Add/Remove Shared Resource to create a share under our server install
folder which will contain the client exe.

Is there a way to make this folder hidden? (This may not be necessary...
haven't decided yet...)

Is there a way to set permissions on the share? (I would really like
EVERYONE to have only ReadOnly, rather than Read/Write)

Thanks,
-Glenn.

NewsArchive
11-05-2009, 02:48 AM
I don't know offhand about making the folder hidden (there is a SB script
function to mark files as hidden).

To make a share hidden in Windows, just use a $ at the end of the share name
(i.e., MyShare$)

As for setting permissions for EVERYONE (and allowing for non-English
distributions), look in the "Learning SetupBuilder Part 1" CHM file that
installs with the examples - particularly the section called "SetupBuilder
and SIDs - Setting Permissions". On networks, my preference is to have
Share permissions at FULL CONTROL for everyone, and to rely on NTFS
permissions to control access.

HTH

Jane

NewsArchive
11-06-2009, 02:53 AM
Jane, I am ashamed to say, I had never looked at this CHM.
TONS of good information, especially on Vista stuff and Windows 7 (I spent
several hours in here last night and this morning).

I read over the section you referenced, and don't believe this is what I am
looking for, unless I missed something.
I want to set the SHARE permissions for this folder, not the local
permissions.

I agree with your statement below, and for the most part, I just create
folders, and let them inherit permissions from the parent folder.
However, when I share the client folder, I don't want network users to be
able to write to it, or change anything I put in there, for that matter.

So, did I miss something? Or were we just on different pages?

Thanks,
-Glenn.

NewsArchive
11-06-2009, 02:55 AM
Glenn,

As I said, I tend to leave share permissions at Full Control and to regulate
access using NTFS permissions.

I realize that many developers don't realize how those sets of permissions
interact.

Share permissions impact ONLY users connecting by network.
NTFS permissions (the tab called "security" on file or folder properties)
affect local AND network users.

For network users, permissions are combined.
- A user's NTFS permissions are added together (whatever he may have
individually or from whatever groups he belongs to).
- A user's Share permissions are added together the same way.
- Then share and NTFS permissions are combined - where the *least access*
(most restrictive) will prevail.
- "No access" overrides any other permissions.

For example:
Jane has Full Control Share permissions and Read NTFS permissions.
She will have Read-only access, regardless of whether she's sitting at the
machine or connecting over a network.

Judy has Read Share permissions and Full Control NTFS permissions.
She will have read-only access connecting over the network, but full control
when she's sitting at the machine.

Friedrich is a member of the Sales group and the Accounting group.
The Accounting group has Change Share permissions and Modify NTFS
permissions.
The Sales group has Read-only Share permissions and Full Control NTFS
permissions.
Sitting at the computer, Friedrich will have Full Control. Only NTFS
permissions apply sitting at the computer, and adding his NTFS permissions
from his various groups gives Full Control.

Over the network, Friedrich will have Change (modify).
He has Full Control NTFS permissions, and adding his Share permissions
together gives him Change at the Share level.
Combining Share and NTFS permissions (with the more restrictive prevailing),
he has Change permissions connecting over the network.

If you need to give people lesser access over the network than they'd have
sitting at the machine, then you do need to manipulate Share permissions. I
don't know how to do that within SB other than using the command-line to
issue a NET SHARE command.

Jane
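
The combining rules in the post above, written out as a small model (an added example, not part of the original thread and not SetupBuilder code). It assumes a simplified ordering Read < Change/Modify < Full Control and represents "No access" with a hypothetical DENY marker; the Jane, Judy and Friedrich cases come from the post, and the last two cases are constructed.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2   # "Change" on a share, "Modify" in NTFS (treated as one level here)
    FULL = 3

DENY = "deny"    # hypothetical marker for an explicit "No access" entry

def cumulative(grants):
    """Add up one user's grants (individual plus every group) on a single layer."""
    if DENY in grants:
        return Access.NONE          # "No access" overrides any other permission
    return max(grants, default=Access.NONE)

def effective(share_grants, ntfs_grants, over_network):
    """Effective access: NTFS only when local, most restrictive of both over the network."""
    ntfs = cumulative(ntfs_grants)
    if not over_network:
        return ntfs                 # share permissions do not apply at the console
    return min(cumulative(share_grants), ntfs)

# name -> (share grants, NTFS grants)
CASES = {
    "jane":      ([Access.FULL], [Access.READ]),
    "judy":      ([Access.READ], [Access.FULL]),
    # Accounting: Change share / Modify NTFS; Sales: Read share / Full Control NTFS
    "friedrich": ([Access.CHANGE, Access.READ], [Access.CHANGE, Access.FULL]),
    # Constructed: the read-only client share asked about, with NTFS left at Full Control
    "client_share_everyone": ([Access.READ], [Access.FULL]),
    # Constructed: one group carries an explicit "No access" on the share
    "denied_group_member": ([Access.FULL, DENY], [Access.FULL]),
}

def report():
    """Return {name: (local access, network access)} for every case."""
    return {
        name: (effective(s, n, over_network=False).name,
               effective(s, n, over_network=True).name)
        for name, (s, n) in CASES.items()
    }

if __name__ == "__main__":
    for name, (local, network) in report().items():
        print(f"{name:24} local={local:7} network={network}")
```
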

NewsArchive
11-06-2009, 02:57 AM
Thanks, Jane.
I am beginning to understand where you are going.
I am a bit "old school", and a bit "sledge hammer", but I am looking into
the config you recommend below.
For now, to get this out the door, I will be using RMTSHARE from MS to do
Everyone/ReadOnly.
I will need to spend some time researching the rest to make sure it is
handled properly.

fwiw, RMTSHARE.exe is public domain from MS, single file, and works well via
command line, if anyone else needs it.
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/RMTSHAR.EXE

Glenn Paschal