Yes.
Oh, you want to know how?

There are three concepts about which you need to read: Share level permissions vs User level permissions, Enterprise Admins vs Domain Admins vs Local Admins, and Administrators vs Server Operators.
qts
Share vs File perms
I never bother with share perms. I just set Everyone to Full Control and leave it at that.

I then proceed to lock the filesystem down with file permissions. This gives you much greater flexibility.

Trying to work out what the effective result of a combination of share permissions and file permissions is a recipe for a headache.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
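Added example, not from Peter's post or anyone else in the thread: a small model of how Windows combines the share ACL and the NTFS ACL for a caller coming in over the network (the caller gets the intersection, i.e. the more restrictive of the two), which is the combination Peter avoids by opening the share and doing the real work in NTFS. Right names, principals and ACLs below are made up for illustration and the ACE evaluation is simplified as noted in the comments.

```python
# Added example, not from the thread: a model of how Windows combines a
# share ACL and an NTFS ACL for a caller coming in over the network.
# Rights and ACE handling are simplified (see comments); the principal
# and ACL names are constructed for illustration.

# Common, simplified right vocabulary used for both ACL types.
READ, WRITE, DELETE, CHANGE_PERMS = "read", "write", "delete", "change_perms"

# Share-level permission sets: Read, Change, Full Control.
SHARE_READ = frozenset({READ})
SHARE_CHANGE = frozenset({READ, WRITE, DELETE})
SHARE_FULL = frozenset({READ, WRITE, DELETE, CHANGE_PERMS})

# NTFS permission sets collapsed to the same vocabulary.
NTFS_READ = SHARE_READ
NTFS_MODIFY = SHARE_CHANGE
NTFS_FULL = SHARE_FULL


def evaluate_acl(acl, token):
    """Rights an ACL grants to a token.

    acl: list of (principal, "allow" | "deny", frozenset of rights).
    token: set of principal names the caller carries (user plus groups).
    Simplification: any matching deny beats any matching allow.  Real NTFS
    walks the ACEs in canonical order, which gives the same answer for
    explicit ACEs but lets an explicit allow beat an inherited deny.
    """
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in token:
            (denied if kind == "deny" else allowed).update(rights)
    return frozenset(allowed - denied)


def effective_access(share_acl, ntfs_acl, token, via_network=True):
    """Rights the caller ends up with on a file under the share.

    Over the network both ACLs apply and the caller gets the intersection.
    Share permissions are not consulted for a local logon on the server,
    so only the NTFS ACL counts then.
    """
    ntfs_rights = evaluate_acl(ntfs_acl, token)
    if not via_network:
        return ntfs_rights
    return evaluate_acl(share_acl, token) & ntfs_rights


# Constructed sample data.  Peter's approach: share wide open, NTFS does the work.
SHARE_EVERYONE_FULL = [("Everyone", "allow", SHARE_FULL)]
# The combination that causes the headache: share clipped to Read.
SHARE_EVERYONE_READ = [("Everyone", "allow", SHARE_READ)]

NTFS_FINANCE_DIR = [
    ("Domain Admins", "allow", NTFS_FULL),
    ("Finance", "allow", NTFS_MODIFY),
    ("Contractors", "deny", frozenset({WRITE, DELETE})),
    # No ACE for Everyone: unlisted users get nothing at all.
]

FINANCE_USER = {"alice", "Finance", "Domain Users", "Everyone"}
CONTRACTOR = {"bob", "Finance", "Contractors", "Everyone"}
INTERN = {"carol", "Domain Users", "Everyone"}


if __name__ == "__main__":
    for label, token in [("alice", FINANCE_USER), ("bob", CONTRACTOR), ("carol", INTERN)]:
        print(label, "share=Full:", sorted(effective_access(SHARE_EVERYONE_FULL, NTFS_FINANCE_DIR, token)))
        print(label, "share=Read:", sorted(effective_access(SHARE_EVERYONE_READ, NTFS_FINANCE_DIR, token)))
    print("alice, local logon:",
          sorted(effective_access(SHARE_EVERYONE_READ, NTFS_FINANCE_DIR, FINANCE_USER, via_network=False)))
```

With the share at Everyone/Full Control the NTFS ACL alone decides: alice (Finance) gets Modify, bob loses write and delete to the Contractors deny, carol gets nothing. Clip the share to Read and alice drops to read-only even though NTFS says Modify, which is exactly the "what did they end up with" question Peter sidesteps; and for a logon on the server itself the share ACL never enters into it, so it is not a security boundary on its own.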
Re: Share vs File perms
The only problem with that approach is that one generates a shitload of NBT traffic, and a sort of "hack me" advertisement.

And what were we saying about NT's user context? This is a rather dramatic illustration of the compromises.

-drl
What?
NetBIOS traffic? Whatchootalkinboutwillis?

And it's not a "hack me" advertisement; one doesn't use SMB to share resources on an untrusted network (say, for example, the Internet).


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home Page - Now with added Zing!]
Re: What?
Computers with shares to "Everyone" get included in NBT broadcast (browse) lists all over. If you set permissions on a share, you can restrict it to being advertised to a local workgroup or a single domain. If there are thousands of computers in a complex domain structure with a default "Everyone" share being advertised (e.g. a local printer), it's easy to generate a shitload of NBT traffic. I don't know if a pure AD setup had this problem but I suspect AD comes after for compatibility reasons.
-drl
All computers get included in browse lists...
...and no, you can't restrict where a share gets advertised to. Sorry.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home Page - Now with added Zing!]
Seen with own eyes
Company had a large complex domain structure for NT 4 network. Workstations all (clone) installed with a "DATA" share by accident. Getting a net neighborhood to pop up took forever - the data shares were all removed (SMS script) and browsing went to normal.

Yes, you'll always see all computers in a browse list, but that is a different matter (WINS). To see what I am talking about, try to connect to a printer on some remote domain to which you can authenticate. After a couple of seconds of thinking, you'll see a list of only those computers that have advertised printers. WINS will trade its list of machines with other WINS servers, but advertised shares stop at the domain unless otherwise instructed (at the "domain master browser"). This is called "m-mode" resolution - the local domain controller is asked about remote shares instead of contacting the remote controller on the domain where the share lives - that is, leave it up to local WINS and the domain trusts. Basically, NetBIOS name resolution is a complex disaster because unless you explicitly tell all the machines how to behave, they all shout at each other constantly.

NetBIOS is not routable but NBT is, because it is encapsulated in IP (we've had this argument before). The issue is WINS, not routability.
-drl
You're making it up.

Table 9.1 NetBIOS Node Types

Node Type          | Description
B-node (broadcast) | B-node uses broadcast NetBIOS name queries for name registration and resolution. B-node has two major problems: (1) Broadcasts disturb every node on the network. (2) Routers typically do not forward broadcasts, so only NetBIOS names on the local network can be resolved.
P-node (peer-peer) | P-node uses a NetBIOS name server, such as a WINS server, to resolve NetBIOS names. P-node does not use broadcasts; instead, it queries the name server directly.
M-node (mixed)     | M-node is a combination of B-node and P-node. By default, an M-node functions as a B-node. If an M-node is unable to resolve a name by broadcast, it queries a NetBIOS name server using P-node.
H-node (hybrid)    | H-node is a combination of P-node and B-node. By default, an H-node functions as a P-node. If an H-node is unable to resolve a name through the NetBIOS name server, it uses a broadcast to resolve the name.

From [link|http://www.microsoft.com/mspress/books/sampchap/4245.asp#5|http://www.microsoft...mpchap/4245.asp#5]

I'm nobody's fool but mine, Ross :)



Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home Page - Now with added Zing!]
Edited by pwhysall Jan. 14, 2004, 11:39:10 AM EST
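Added example, not from Peter's post or the Microsoft chapter it quotes: a model of which lookups each node type in Table 9.1 performs and in what order, and how many broadcasts a batch of lookups generates under each type (the traffic deSitter is describing above). The WINS table, segment table and host names are constructed for illustration.

```python
# Added example, not from the thread or the Microsoft chapter it quotes: a
# model of which lookups each NetBIOS node type performs, in what order.
# The WINS and segment tables below are constructed for illustration.

WINS_TABLE = {            # names registered at the WINS server (any subnet)
    "FILESRV": "10.0.2.10",
    "PRINT01": "10.0.3.20",   # lives on another subnet
}
LOCAL_SEGMENT = {         # hosts that hear a broadcast on 10.0.2.0/24
    "FILESRV": "10.0.2.10",
    "WS0042": "10.0.2.51",    # never registered with WINS
}

# Lookup order per node type, straight from Table 9.1.
NODE_ORDER = {
    "B": ("broadcast",),
    "P": ("wins",),
    "M": ("broadcast", "wins"),
    "H": ("wins", "broadcast"),
}


def resolve(name, node_type, wins_table=WINS_TABLE, segment=LOCAL_SEGMENT):
    """Return (address or None, list of methods tried in order).

    A broadcast only reaches the local segment (routers do not forward it)
    and is answered by whichever host on that segment claims the name; a
    WINS query is a unicast to the name server and can resolve names on
    other subnets.
    """
    name = name.upper()
    tried = []
    for method in NODE_ORDER[node_type.upper()]:
        tried.append(method)
        table = segment if method == "broadcast" else wins_table
        addr = table.get(name)
        if addr is not None:
            return addr, tried
    return None, tried


def broadcasts_for(node_type, names):
    """Number of broadcast queries a node of this type sends to resolve names."""
    return sum(resolve(n, node_type)[1].count("broadcast") for n in names)


if __name__ == "__main__":
    lookups = ["FILESRV", "PRINT01", "WS0042"]
    for node_type in "BPMH":
        for n in lookups:
            print(node_type, n, resolve(n, node_type))
        print(node_type, "broadcasts for", lookups, "=", broadcasts_for(node_type, lookups))
```

The B-node never reaches PRINT01 on the other subnet; the M-node reaches it, but only after broadcasting first, so it broadcasts for every single lookup, including FILESRV which WINS already knows; the H-node only broadcasts for WS0042, the one name WINS has never heard of, which is why it is the default on a WINS-equipped network.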
OK H mode
It's been a while since the NT 3.51 tests :)

In any case you know what I meant, but thanks for going into C-mode:

C mode: When a forumer's memory has holes, Peter will switch into C-mode or "correction" mode, in which vast amounts of MCSE study bits will be searched for terminology :)
-drl
Edited by deSitter Jan. 14, 2004, 01:15:01 PM EST
Also....
...NBT broadcasts stop at the router.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home Page - Now with added Zing!]
Unless you do - Remote Announce
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

"Lately, The only thing keeping me from being a
  Serial Killer is my distaste for manual labor."
-- Dilbert Calendar, January 4, 2004
It's not a compromise
it's an accretion. You can do something at multiple levels. Much like in Unix you can have permissions on the device, and then, after it's mounted, you have permissions individual files in the filesystem.
--

"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"

-- James Lileks
Grammar Nazi? Depends what the meaning of 'is' is... (new thread)
Created as new thread #135605 titled [link|/forums/render/content/show?contentid=135605|Grammar Nazi? Depends what the meaning of 'is' is...]


   [link|mailto:MyUserId@MyISP.CountryCode|Christian R. Conrad]
(I live in Finland, and my e-mail in-box is at the Saunalahti company.)
You know you're doing good work when you get flamed by an idiot. -- [link|http://www.theregister.co.uk/content/35/34218.html|Andrew Wittbrodt]
     Active Directory for Win2K question - (boxley) - (14)
         Difference between share and security permissions - (Silverlock)
         Yes. - (qstephens) - (12)
             Share vs File perms - (pwhysall) - (11)
                 Re: Share vs File perms - (deSitter) - (9)
                     What? - (pwhysall) - (7)
                         Re: What? - (deSitter) - (6)
                             All computers get included in browse lists... - (pwhysall) - (3)
                                 Seen with own eyes - (deSitter) - (2)
                                     You're making it up. - (pwhysall) - (1)
                                         OK H mode - (deSitter)
                             Also.... - (pwhysall) - (1)
                                 Unless you do - Remote Announce -NT - (folkert)
                     It's not a compromise - (Arkadiy)
                 Grammar Nazi? Depends what the meaning of 'is' is... (new thread) - (CRConrad)