Udostępnij za pośrednictwem


What are the default permissions for a file share created using ADSI and IADsFileShare

If you are using ADSI to create file share, you may have noticed that when you view these permissions in the newer operating systems that a few things that appear a bit odd such as:

When viewing share permissions on shares created with ADSI via Windows Explorer (Windows 2008/7), we see this:

clip_image002

When viewing the same permissions via the Shared Folders MMC, we see this:

clip_image004

Net share displays the following:

C:\>net share RemotelyShared$
Share name RemotelyShared$
Remark Test Share
Maximum users No limit
Users
Caching Manual caching of documents
Permission Everyone, FULL
The command completed successfully.

When looking at the share permissions in the Registry, there is no entry for the share under:

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Shares\Security

It appears that the file share is created without a discretionary access control list (DACL ) which essentially allows Everyone to have full control over the share. 

The IADsFileShare interface creates the share using the NetShareAdd API at level 2.  If you examine the SHARE_INFO_2 structure, you will notice that there is not a place to add a DACL or Security Descriptor ( SD ) to the share.  You can use a specific set of permission flags that apply to the world in general.  In the ADSI source, the shi2_permissions field is set to the equivalent of ACCESS_ALL therefore, by default, when you use IADsFileShare  ( via a the WinNT LANMANSERVER provider ) you are creating a file share that has permissions setup such that Everyone has full control.

If you do not want your shares created with this set of default permissions, my recommendation would be to use WMI to create  the share and  then set permissions on the share.