Windows 2000/NT Server NTFS Permission Question
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Windows 2000/NT Server NTFS Permission Question

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Windows 2000/NT Server NTFS Permission Question

    The Fact :

    I have a Windows 2000 and 2 NT Server.
    My first NT Server is PDB on C/D Drive and a file server on E Drive.
    My second NT Server is BDC, Print Server on C Drive and File Server on D Drive.
    My Windows 2000 is Mailserver with Exchange 5.5, IIS running (With Lockdown Tool).
    Except administrator, nobody is logging locally or remotly (For Windows 2000) on the machine.

    Question :

    Can I safely reset all the file permission to Admin and System to Full Control for ALL File? That mean taking the C Drive File Permission, changing them so only Admin and System have Full Control and applying them to all child objets.

    I know that I need to do some exception.

    1) Print directory on second NT Server
    2) Exchange Directory on the Mailserver.
    3) IIS Right on a few file (Inetput and Windows/system32)

    Possible or not?
    -Simon \"SDK\"

  2. #2
    Senior Member Info Tech Geek's Avatar
    Join Date
    Jan 2003
    Location
    Vernon, CT
    Posts
    828
    Let me see if I understand you correct, you want to set Administrator and System to have Full Control. This can be done, but if there is other users, make sure they atleast have Read/Execute permissions on the Winnt folder.

  3. #3
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Their is no other user connecting to this server except for PBD or BDC and File Sharing (But I doesn't touch those permission)
    -Simon \"SDK\"

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Can I safely reset all the file permission to Admin and System to Full Control for ALL File? That mean taking the C Drive File Permission, changing them so only Admin and System have Full Control and applying them to all child objets.
    That should all ready be like this? Admin can have full control whenever they want. they just have to take it. Is there any specific reason you want to do this? Is there something you don't have access to now, that you need? or, you just want to do it for shits and giggles?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I want to do for security. I want to remove all users right locally. I have an audit of security telling me some file need better NTFS protection and that I need to change them. But why should I bother removing users group from a few file when I can remove their access to all file since they aren't logging on the server.
    -Simon \"SDK\"

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Oh, I see what you are saying. Sorry. I'm sick and on 4 different cold/alergy medicines.
    Didn't quite understand at first.

    You can remove everyone else, that should be fine. (do it on a test box first)
    I wouldn't mess too much with the system or admin permissions though.

    Tweak them those you need to.

    Make sure that you leave the permissions for the annonymous internet user account and such if you are using them, etc. If you are running services as other users, then those users will need access to the files used by those services.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Most service using special account are under the local administrator group so..

    So it possible, you allready done that?
    -Simon \"SDK\"

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Yes, I do that for all my boxes. Then strict permissions on groups/users per shares (if there are any).

    Generally, I remove all local accounts and make everyone use domain accounts.
    I only keep the admin acct (renamed) and remove everyone else from the FS permissions too.

    Do it on a test box first though. You don't want to screw up a real server.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    ok! Thank for info!
    Any nobody else try that?
    -Simon \"SDK\"

  10. #10
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    If you are going to have domain accts log into that box, be sure to set appropriate permissions for that too.

    But, since you said that only admin and system are going to be using it. You *should* be fine.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •