Network Shares

Description

Domain controllers might occasionally need extra network shares for some workflows. If that is the case however, it becomes especially important to consider the security aspects of it. This is where this Component comes in, as it allows you to:

• Define network shares
• Define network share permissions

Shares not defined will be deleted, except:

• Builtin administrative shares (such as C$)
• NETLOGON / sysvol shares

These shares can still be defined in configuration, however.

Note: Editing builtin administrative shares will almost always fail.

Example Configuration

A simple share could look like this:

{
    "Name":  "Scripts$",
    "Path":  "C:\\Scripts",
    "Description":  "Backup location for all Tier 0 admin code. Signed code only.",
    "FullAccess":  [ "%DomainName%\\Domain Admins" ],
    "WriteAccess":  [ "%DomainName%\\Tier 0 Admins" ],
    "ReadAccess":  [ "%DomainName%\\Tier 0 Operators" ]
}

Parameters

Name

The name of the share.

Supports string resolution.

Path

The path the share points to.

Supports string resolution.

Description

The description of the share.

Supports string resolution.

FullAccess

The principals to grant full access to.

Supports string resolution.

WriteAccess

The principals to grant write access to.

Supports string resolution.

ReadAccess

The principals to grant read access to.

Supports string resolution.

AccessMode

How share access rules are processed. Supports three configurations:

• Constrained: The default access mode, will remove any excess access rules.
• Additive: Ignore any access rules already on the share, even if not configured
• Defined: Ignore any access rules already on the share, even if not configured UNLESS the identity on those rules has an access level defined for it.

ServerRole

What domain controller to apply this to:

• All: All DCs in the enterprise
• FSMO: Only DCs that have any FSMO role
• PDC: Only the PDCEmulator