Re: Unable to Create Home Directory Share

More info - here is the Security Event Log error:

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/5/2005
Time: 3:45:34 PM
User: DOMAIN\user
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: \Device\HarddiskVolume3\Home\user
Handle ID: -
Operation ID: {0,16184776}
Process ID: 4
Image File Name:
Primary User Name: MACHINE
Primary Domain: DOMAIN
Primary Logon ID: ###
Client User Name: user
Client Domain: DOMAIN
Client Logon ID: ####
Accesses: READ_CONTROL
WRITE_DAC
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x60080

Re: Unable to Create Home Directory Share

Paste in your settings from your home directory template. For security reasons you can change your domain name, but seeing how you have it configured may help.

Re: Unable to Create Home Directory Share

File System Permissions:
W:\Home
DOMAIN\HelpDesk - FC
DOMAIN\Domain Admins - FC
SYSTEM - FC
Administrators - FC

Windows Share Permissions:
Home$ - (W:\Home)
DOMAIN\Domain Users - FC

Hyena Template:
New Home Directory Mask:
\\SERVER\%username%$
Drive:
H:
Home Directory NTFS Security Settings:
%username% - Change
DOMAIN\Domain Admins - FC
SYSTEM - FC
Administrators - FC
Overwrite existing directory security
Share Directory Local Mask:
w:\home\%username%
Share Directory Remote Mask:
\\SERVER\home$\%username%
Home Share Security Settings:
DOMAIN\Domain Users - FC
Overwrite existing share security
Inheritance:
Do not inherit...
Set Owner:
Set owner to %username%

Re: Unable to Create Home Directory Share

Have one of these users manually create a share by expanding your server, expanding Shares, double-clicking on Home$, then right-clicking on a directory and choosing More Functions->Share As.

Do they get access denied there as well?

Re: Unable to Create Home Directory Share

I created a new folder under Home$ called test via Windows Explorer. Then I expanded Home$ in Hyena, selected More Functions - Share As - and got:

Unable to Access share "Home$".

Thanks for all of your help.

Re: Unable to Create Home Directory Share

Try giving your user, or Help Desk if the account you are using for this test is in that group, FC to the test directory you created. See if you are able to create the share that way. If so, the problem would appear to be that your Help Desk needs to also have permissions to the newly created directory. This will be the NTFS Security settings of your home directory template.

Re: Unable to Create Home Directory Share

Thanks. That was one of the first things I tried - and did it again to be sure. Even with the HelpDesk group having FC on the test directory, when I try to share it I receive the same error. In this case they have FC to the root share, and the folder underneath it that I'm trying to share:

W:\Home - FC
Home$ - FC
W:\Home\Test - FC

I'm guessing that there is some permission for creating shares that I'm missing. I researched this and can't figure it out.

Again - thanks for the help.

Re: Unable to Create Home Directory Share

It looks like to create a share, you need to be in the administrators, system operators,
or power users local group. You'll also need to have access to the directory
being shared.

Try adding your account to one of those groups on the computer that the directories are on and see if that helps.

Re: Unable to Create Home Directory Share

OK - I opened an incident with Microsoft on this issue in order to see what I am doing wrong. Here is the info:

----------

Actually,the ability to create/delete shares is controlled by an ACE in the security descriptor. They are saved in registry as binary data.And there’s no group policy to change the value.We can use the TweakUI tool togrant the permissions on client. Althoughthe Sharing tab will still be absence, we can use the“net share” commandto share folders.

In addition, please pay attention that TweakUI can only be installed on Windows 2003 or Windows XP SP1 based computers. If you need to grant the permission on Windows2000 based computers, we can first configure it using TweakUI on a Windows 2003 or Windows XP SP1 based computer, then export the registry value to Windows 2000 client.Please follow below steps toaccomplish the goal:

1. On a Windows 2003 or Windows XP SP1 based computer, download and install TweakUI from followinglink:
http://download.microsoft.com/download/f...wertoySetup.exe

2. Start TweakUI

3. On the left panel, select“Access Control”

4. On the right panel, select“Manage files shares” and then click the“Change” button

5. Add thespecific user or group you want to grant the permission to, and then check the“Full control” checkbox in the“Allow” array.

6. Click OK for two times to apply changes.

7. Go on granting permissions on other clients.

(If you need to apply it to Windows 2000 based computers, go on with following steps)

8.On the same computer, start registry editor and browse to following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\lanmanserver\DefaultSecurity

9. Select the“DefaultSecurity” key, click File -> Export and save it to desktop.

10. Copy this registry file toWindows 2000 based computer, and then double click it to import the key.

IMPORTANT n Windows 2003 or Windows XP SP1 based computer,please make sure you grantedpermissions tothecorrect user that will work on Windows 2000 computerbefore exporting the registry value.

To create shares after applying above actions, please follow below steps:

1.Logon using the specific account that you’ve grant sharing permissions to.

2.Create the folder that you would like to share.

3. Run following command from command line:
Net share

share_name=drive:\path\foldername

Re: Unable to Create Home Directory Share

I implemented Microsoft's recommendation as listed above on the server without any issues. I then logged onto the server as the HelpDesk user, created a folder on W:\Home (Home$) called test. I then typed:

net share test$=w:\home\test

as the HelpDesk user and it succeeded without a hitch. I then deleted the folder, and created a new unshared one. I ran Hyena as the HelpDesk user, expanded the server, expanded the Home$ share, right clicked the test folder and selected More Functions, Share As. Immediately I received the following error:

Unable to access share "Home$".

There must be a piece that I'm missing here. Do you have any ideas?

Re: Unable to Create Home Directory Share

The difference between the net share test and the way you are going through Hyena is the Home$ share. You used net share on the w:\home directory, which has separate permissions from the Home$ share. It would seem that something still is not right with the Home$ share itself (such as permissions).

In Hyena see if can navigate through your W$ share, and then the home directory and try creating a share on the test directory. This should eliminate the Home$ share from the equation.

Re: Unable to Create Home Directory Share

In order for them to access the W$ share they would need to be an Administrator. This would defeat the purpose of keeping their privileges lowered.

If they have FC to the File System under W:\Home and FC to Home$ - what could they be missing?

I created a second share on W: call W-Test and gave the HelpDesk FC to that share. I browsed to the SERVER\W-Test\Home\test folder, right clicked, more functions, share as - and got the same error:

"Unable to access share "W-Test".

This is starting to get me depressed. ;-)

Re: Unable to Create Home Directory Share

Try performing these same actions using Windows Explorer and see if you get a similar error. I want to isolate this problem outside of Hyena, then if the error goes away, we can backtrack to see what the issue is.

I do know that in order to create a share at any directory level, you have to have read (and maybe write) access to the directory before you can share it.

But try doing the sharing in Explorer.

Re: Unable to Create Home Directory Share

Are you trying to create a hidden share withen a hidden share?

I see the configuration that is setting the share permissions to FC. But on the Directory where the folders are being created. I take it FC for domain users is set on share permissions?

sorry, not trying to make this difficult. I tried making a hidden share withen a hidden and it was not possible on 2003.

[This message has been edited by Trammel (edited 08-15-2005).]