Author
28 Jan 2006 1:39 PM
Leo_Surf
Hello,

I have Windows 2000 server (Domain Controller) and Windows XP clients.

I have certain policies and logon scripts in the Sysvol/Netlogon folder; the
issue is that users are able to browse (by \\mydomain.com) the sysvol and netlogon
folders and can see the scripts. Please help me in sorting this out.

Thanks in Advance,
Leo

Author
28 Jan 2006 1:47 PM
Al Mulnick
Sorting what out?
Are you thinking you don't want the clients to see the scripts?  What was
your plan to allow them to run scripts they can't see?


Author
28 Jan 2006 2:25 PM
Leo_Surf
Thanks for reply,

I don't want users to read those scripts, as certain scripts are storing the
Administrator password. If they put \\mydomain.com they can see the shared
netlogon and sysvol folders. After opening those they are able to see all my
.cmd scripts, which they can open and read...

I hope it is clear now...

Author
28 Jan 2006 2:57 PM
Oli Restorick [MVP]
OK, the problem is that you're storing an administrator password in a
user-readable script.  Why are you doing that?  If a user needs to run a
script, they must be able to read the script.

Oli



Author
28 Jan 2006 5:27 PM
Cary Shultz
I agree.  If you are concerned about your users being able to browse the
network and being able to look at your scripts (which for some reason
contain the admin password) then I would suggest that you find another way
to do whatever it is that you do with that/those script(s).  And, what
exactly is it that this/these script(s) do(es) that you need to include the
administrator account and the password?

And please do not misunderstand us.  It is good that you are concerned.  It
is good that you are not relying on 'security through obscurity'.  But what
is it that you are trying to do?

And please do not mess with the permissions on these two shared folders.
You will break things most likely.  Then you will have other problems to
worry about (in addition to the original problem).

--
Cary W. Shultz
Roanoke, VA  24012

Author
28 Jan 2006 5:47 PM
Richard Mueller
Hi,

It's likely there are other ways to accomplish what your scripts are doing.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

Author
28 Jan 2006 9:56 PM
Al Mulnick
Oh, it was clear before.  I was trying to be nice and give you a second to
step back and look at what you're asking to do so that you could look at it
and figure, "nope, that's not what I want to do.  Heck, all the users are
going to HAVE to be able to read these files so they can download them to
their workstations and run them.  If I messed with those permissions so that
users couldn't read them, then they would be...able...to...read them or use
them...DOH!"  Or something like that.

Since that epiphany hasn't happened yet, let me rephrase this a bit
differently.  You have administrator passwords in your plaintext scripts
that you use for logon scripts.  Because all users MUST have at least read
access to these scripts, potentially any user on my network could get that
information and use it maliciously.  Therefore, you want to prevent this.
Bravo.  I applaud that thinking.  But now that you realize that you can't
prevent authenticated users from reading the files, it would be best if
you'd follow the advice put forth in the other posts and let us know what
you want to do that requires administrator credentials to be put in your
vulnerable script files. That way we can likely suggest a different, more
secure way and/or a better newsgroup to find the answer if this newsgroup
doesn't have it.

In the future, I highly suggest never putting administrator credentials in a
script file. If you can't do it another way, perhaps it is not something
that should be done.

HTH,
Al
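
Since every authenticated user can read NETLOGON and SYSVOL, an administrator can audit their own logon scripts for embedded credentials before anyone else finds them. The following is an added example, not code from any poster in this thread; the function name `Find-ScriptCredential`, the patterns and the sample files are assumptions constructed for illustration.

```powershell
# Added example: flag logon scripts that carry a password in plaintext.
# The patterns are illustrative assumptions, not an exhaustive list.
$Patterns = [ordered]@{
    'net use with inline password' = '\bnet\s+use\s+(\S+\s+)?\\\\\S+\s+(?![/*])\S+.*\s/user:\S+'
    'net user setting a password'  = '\bnet\s+user\s+\S+\s+(?![/*])\S+'
    'psexec with -u and -p'        = '\bpsexec(\.exe)?\b.*\s-u\s+\S+.*\s-p\s+\S+'
    'password-like variable'       = '^\s*set\s+"?\w*(pass|pwd)\w*=\S+'
}

function Find-ScriptCredential {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.cmd, *.bat | ForEach-Object {
        $file = $_
        foreach ($reason in $Patterns.Keys) {
            # Select-String matches case-insensitively by default.
            Select-String -LiteralPath $file.FullName -Pattern $Patterns[$reason] |
                ForEach-Object {
                    # Report the location only; never echo the matched line (it holds the secret).
                    [pscustomobject]@{ File = $file.Name; Line = $_.LineNumber; Reason = $reason }
                }
        }
    }
}

# Constructed sample standing in for the NETLOGON share; every value is made up.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'netlogon-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
Set-Content -Path (Join-Path $sample 'mapdrives.cmd') -Value @(
    '@echo off'
    'net use H: \\fileserver\home /persistent:no'
)
Set-Content -Path (Join-Path $sample 'install.cmd') -Value @(
    '@echo off'
    'set ADMINPWD=Example-Not-Real'
    'net use Z: \\fileserver\apps %ADMINPWD% /user:MYDOMAIN\Administrator'
)

# mapdrives.cmd is clean; install.cmd is flagged on lines 2 and 3.
Find-ScriptCredential -Root $sample | Format-Table -AutoSize
```

Against a real domain, pass the NETLOGON share (`\\mydomain.com\NETLOGON` in the thread's naming) as `-Root`. A hit means the password has been readable by every authenticated user, so it should be changed and the task redesigned as the replies advise.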
