claudetools/clients/dataforth/docs/projects/shares-permissions/acl-audit-detail-2026-06-10.md
Howard Enos 83133ddce3 sync: auto-sync from HOWARD-HOME at 2026-06-10 20:21:07
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-10 20:21:07
2026-06-10 20:21:23 -07:00

Dataforth — Shares ACL Audit Detail (INTERNAL — do not send to client)

Captured: 2026-06-10, read-only RMM (Get-SmbShare/Get-SmbShareAccess/Get-Acl as SYSTEM on each server). No changes made. Use: technical baseline for Phase 3 (rollback reference). The client-facing summary is current-state-2026-06-10.md.
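The read-only capture described above (Get-SmbShare, Get-SmbShareAccess and Get-Acl run as SYSTEM on each server), written out as a PowerShell script that produces the same columns as the table below and flags any broad-access principal. This is an added example, not the audit note's own RMM job; the output directory, the regex that defines "broad" principals, and the CSV layout are assumptions.

```powershell
# Added example (not from the audit note): read-only capture of share-level ACLs and NTFS root
# ACLs on the local file server, matching the Get-SmbShare / Get-SmbShareAccess / Get-Acl pass
# described in the header. Makes no changes to shares or ACLs; only writes a CSV into $OutDir.
# Assumptions: Windows PowerShell 5.1+ with the SmbShare module, run locally or via RMM as SYSTEM.

$OutDir = 'C:\Temp\acl-audit'      # placeholder output path, adjust per server
$null   = New-Item -ItemType Directory -Path $OutDir -Force
$stamp  = Get-Date -Format 'yyyy-MM-dd'

# Principals that effectively mean "all staff" (assumed list; extend if the domain uses others).
$BroadPattern   = '^(Everyone|.*\\Domain Users|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
# Entries every share carries and the note says to keep; dropped from the "non-builtin" column.
$BuiltinPattern = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|CREATOR OWNER)$'

# Skip admin shares (C$, ADMIN$, IPC$) and the domain system shares the note says never to touch.
$shares = Get-SmbShare |
    Where-Object { -not $_.Special -and $_.Name -notin @('NETLOGON', 'SYSVOL') -and $_.Path }

$report = foreach ($s in $shares) {
    # Share-level permissions ("Share ACL" column). Deny entries are marked explicitly.
    $shareAcl = Get-SmbShareAccess -Name $s.Name | ForEach-Object {
        $deny = if ($_.AccessControlType -eq 'Deny') { 'Deny ' } else { '' }
        '{0}:{1}{2}' -f $_.AccountName, $deny, $_.AccessRight
    }

    # NTFS DACL on the share root ("NTFS root" column), inherited entries marked.
    $acl  = Get-Acl -LiteralPath $s.Path
    $ntfs = $acl.Access |
        Where-Object { $_.IdentityReference.Value -notmatch $BuiltinPattern } |
        ForEach-Object {
            $inh = if ($_.IsInherited) { ' (inherited)' } else { '' }
            '{0}:{1}{2}' -f $_.IdentityReference.Value, $_.FileSystemRights, $inh
        }

    # Anything granting the whole staff population rights on the root, for the headline.
    $broad = $acl.Access |
        Where-Object { $_.IdentityReference.Value -match $BroadPattern } |
        ForEach-Object { '{0}:{1}' -f $_.IdentityReference.Value, $_.FileSystemRights }

    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        Share       = $s.Name
        Path        = $s.Path
        ShareACL    = $shareAcl -join '; '
        NtfsRoot    = $ntfs -join '; '
        Inheritance = if ($acl.AreAccessRulesProtected) { 'protected' } else { 'enabled' }
        Owner       = $acl.Owner
        BroadAccess = $broad -join '; '
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $OutDir "acl-audit-$env:COMPUTERNAME-$stamp.csv") -NoTypeInformation
```

Run it once per server and concatenate the CSVs; the BroadAccess column is empty for any share whose root no longer grants Everyone or Domain Users, which is the check to re-run after Phase 3 to confirm the department-group model actually replaced the broad grants rather than being added alongside them.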

Headline

  • All eight business shares grant access to all staff via Everyone / Domain Users.
  • Domain Users has FullControl (NTFS) on archive, sales, Engineering, sage; Modify on c-drive, e-drive, webshare; ReadAndExecute on ITSvc.
  • No custom AD security groups exist (only Domain Users, admin accounts sysadmin/Admin_3652, and service accounts appear).

Share-level + NTFS root ACLs

| Share | Server | Path | Share ACL | NTFS root (non-builtin) | Inheritance |
|---|---|---|---|---|---|
| c-drive | AD2 | C:\Shares\c-drive | Everyone:Full; Domain Users:Change; Admins:Full | Domain Users:Modify | enabled (inherited Users:R+Append+Create) |
| e-drive | AD2 | C:\Shares\e-drive | Everyone:Full; Domain Users:Change; Admins:Full | Domain Users:Modify; sysadmin:Full | protected |
| webshare | AD2 | C:\Shares\webshare | Everyone:Full; Domain Users:Change; Admins:Full | Domain Users:Modify; sysadmin:Full; svc_testdatadb:Full | protected |
| test | AD2 | C:\Shares\test | Everyone:Full; Domain Users:Change; Admins:Full | Everyone:Full; Domain Users:Modify; Guest:Read; sysadmin:Full | protected — DOS/SMB1, leave as-is |
| sage | SAGE-SQL | C:\sage | Everyone:Full; Admins:Full | Domain Users:FullControl; Admin_3652:Full | protected |
| sales | FILES-D1 | E:\Shares\sales | Everyone:Full; Admins:Full | Domain Users:FullControl; sysadmin:Full (owner) | protected |
| archive | FILES-D1 | E:\Shares\archive | Everyone:Full; Admins:Full | Domain Users:FullControl; sysadmin:Full (owner) | protected |
| Engineering | AD1 | C:\Engineering | Everyone:Full; Admins:Full | Domain Users:FullControl; Admin_3652:Full | protected |
| ITSvc | AD1 | C:\Shares\ITSvc | Everyone:Full; Admins:Full | Domain Users:ReadAndExecute; Domain Computers:ReadAndExecute; Admin_3652:Full | protected |

All shares also carry inherited/explicit NT AUTHORITY\SYSTEM:FullControl and BUILTIN\Administrators:FullControl (keep these).

Special / infra shares (exclude from department model)

  • test (AD2) — DOS test stations need SMB1 + Guest; keep open.
  • webshare (AD2) — preserve svc_testdatadb:Full; restrict humans only.
  • ITSvc (AD1) — IT depot; Domain Computers needs Read for deployment.
  • NETLOGON / SYSVOL — system shares; never touch.

Phase 3 rollback prep (to do before any change)

  • icacls "<path>" /save acl-backup-<share>.txt /t (or Get-Acl export) for each share → store in this folder before modifying.
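The rollback prep step above as a PowerShell script that runs on each server: per share it saves the full NTFS ACL tree with icacls /save, the root ACL as SDDL from Get-Acl, and the share-level permissions (which icacls does not capture, so a rollback built only from icacls output would lose the Everyone:Full / Domain Users:Change share entries), then checks that each backup file is non-empty. This is an added example, not the audit note's own procedure; the backup directory and file naming are assumptions.

```powershell
# Added example (not from the audit note): Phase 3 rollback prep for the local file server.
# Writes only into $BackupDir; the shares and their ACLs are read, never modified.
# Assumptions: Windows PowerShell 5.1+ with the SmbShare module, run as an administrator.

$BackupDir = 'C:\Temp\acl-backup'   # placeholder; copy the results into the project folder afterwards
$null      = New-Item -ItemType Directory -Path $BackupDir -Force
$stamp     = Get-Date -Format 'yyyy-MM-dd'

$shares = Get-SmbShare |
    Where-Object { -not $_.Special -and $_.Name -notin @('NETLOGON', 'SYSVOL') -and $_.Path }

foreach ($s in $shares) {
    $name    = $s.Name
    $aclFile = Join-Path $BackupDir "acl-backup-$name-$stamp.txt"

    # Full DACL tree. /t recurses; /c keeps going past per-file errors instead of aborting.
    # icacls stores paths relative to the parent of the saved directory, so the rollback is run
    # against that parent:   icacls "<parent of share path>" /restore "<aclFile>"
    & icacls $s.Path /save $aclFile /t /c | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$name : icacls /save exited with $LASTEXITCODE, review its output before relying on this backup"
    }

    # Root ACL as SDDL: human-readable companion and a second restore path via Set-Acl.
    $acl = Get-Acl -LiteralPath $s.Path
    [pscustomobject]@{
        Share     = $name
        Path      = $s.Path
        Owner     = $acl.Owner
        Protected = $acl.AreAccessRulesProtected
        Sddl      = $acl.Sddl
    } | Export-Csv -Path (Join-Path $BackupDir "ntfs-root-$name-$stamp.csv") -NoTypeInformation

    # Share-level permissions live in the SMB server configuration, not in the NTFS ACL,
    # so they need their own export to be restorable with Grant-SmbShareAccess later.
    Get-SmbShareAccess -Name $name |
        Select-Object Name, AccountName, AccessControlType, AccessRight |
        Export-Csv -Path (Join-Path $BackupDir "share-acl-$name-$stamp.csv") -NoTypeInformation

    # Sanity check: icacls /save emits a path line followed by an SDDL line per object,
    # so a usable backup has at least two lines (the share root itself).
    $lines = @(Get-Content -LiteralPath $aclFile)
    if ($lines.Count -lt 2) {
        Write-Warning "$name : $aclFile looks empty, do not proceed with changes on this share"
    } else {
        Write-Host ('{0}: {1} objects saved to {2}' -f $name, [int]($lines.Count / 2), $aclFile)
    }
}
```

Before any Phase 3 change, test the rollback once on a scratch copy of one share (copy a small tree, /save it, alter an ACL, /restore it against the copy's parent directory, and diff Get-Acl output before and after) so the restore command is proven to work rather than assumed; the icacls output files are UTF-16, which Get-Content and icacls /restore both handle, but a plain text diff tool may not.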