This post provides information on several aspects of security with Windows Server 2003 R2 FSRM quotas, which you may come across if you use the previous two posts to implement FSRM quotas on a standalone server or MSCS clustered node.
LocalService Command Notification Task
If your quota has a notification task that runs a command, you may need to set the security of the executable or areas accessed by the command. By default, FSRM runs commands as the LocalService account - an account with restricted local permissions.
In this example, the command executed is the logentry.bat batch file from the previous post, which simply writes a log entry to a file. To allow the batch file to run as the localservice account – which is a member of the 'Authenticated Users' group, I set the following permissions:
- Add authenticated users:R to the root (not OICI - object inherit, container inherit) using SDDL with cacls
- Add authenticated users:R to c:\scripts to execute the logentry.bat file
- Add authenticated users:C to c:\logs to allow writing the log entry
- Ensure that cmd.exe can be executed (default permissions should suffice)
This was done with the following commands:
- cacls c:\ /S:"D:PAI(A;OICI;FA;;;BA)(A;;0x1200a9;;;AU)(A;OICI;FA;;;SY)"
- cacls c:\scripts /e /g "authenticated users":R
- cacls c:\logs /e /g "authenticated users":C
Note that while testing this, I was using localsystem (unrestricted local permissions) to verify that security was the issue, but in an MSCS cluster when failing over the virtual server from one cluster node to the other, the quota template reset itself to localservice instead of localsystem.
Before setting permissions to allow LocalService to run the script, this left the notification task not executing successfully. Depending upon what your command does you may require elevated local or remote privilege, for which you may want to use localsystem or networkservice.
Target Permissions preventing execution
When specifying a command to run as a notification task, 2003 R2 FSRM will not allow running a command which standard users have change/full control to, directly or through inheritance.
To me this seems like an unusual approach for an out of the box Microsoft product and isn't very intuitive, as in my lab inherited permissions from a parent directory allowing Users:F were causing the task to fail.
Implementing 2003 FSRM quotas Command-line
2003 FSRM and NTFS Quotas compared
Wayne's World of IT (WWoIT), Copyright 2009 Wayne Martin.