May 14, 2018 at 1:39 pm #100525
Not sure if anyone else has configured this yet, just trying to get a handle on required permissions.
Thus far, if the user has modify permissions on the share, everything works.
Obviously, this isn't ideal for logging and history tracking.
We have tried with just write permissions, write and create files/folders given; in this configuration the initial log file is created, however when commands are executed, the log is never updated.
Just trying to wrap my head around the whole thing and wanted to see if anyone else had successfully enabled this to a network location.
May 14, 2018 at 6:54 pm #100551
The user and computer would need full control on the share, and NTFS read, write, modify.
If you do not, eventually you will run into issues. Trust me, been there, done that.
Remember, even if the user is not logged on, the computer could be running PoSH code (think maintenance jobs, scheduled tasks, etc.)
May 15, 2018 at 11:36 am #100587
I scoped it out to authenticated users, full control on the share and the following NTFS permissions:
- List folder/read data
- Read extended attributes
- Create files/write data
- Create folders/append data
- Write extended attributes
September 4, 2019 at 4:12 pm #174607
I wish this post was still open for discussion. I have comments on it.
1. all users have full control of the share
2. all users have NTFS Write permissions on the folder
3. Creator/Owner has NTFS Write permissions on the folder
4. some admin group has NTFS read (and probably more) permissions on the folder
#3 fixes the issue where #2 only allows any user to create a new log file in the share, but then they can't actually append any logging into that log file.
Also, am I the only person who finds it irritating that the PowerShell transcripting log file names don't contain the username, only the computer name? And this file name is not configurable via group policy? This seems counterproductive if the suggestion is to have everybody in the company log to a central location, and users are running scripts in RDP server sessions.
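
The layout from the last reply, written out as a setup script for the file server. This is an added example, not code from any poster in the thread. The path, share name and reviewers group are placeholders, and the inheritance scope of each entry (plus the SYSTEM and Administrators entries) is an assumption, since the thread only names the rights.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$Path       = 'D:\PSTranscripts'                   # hypothetical folder on the file server
$ShareName  = 'PSTranscripts$'                     # hypothetical share name
$Writers    = 'NT AUTHORITY\Authenticated Users'   # covers user and computer accounts
$AdminGroup = 'EXAMPLE\PS-Transcript-Readers'      # hypothetical reviewers group

# Small helper so each ACE below fits on one line.
function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Start from an empty DACL and block inheritance from the parent folder.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)

# Housekeeping access for the server itself (assumption, not from the thread).
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# "All users have NTFS Write on the folder": scoped to folders only, so anyone
# can create files and subfolders, but the grant is not inherited by the files.
$acl.AddAccessRule((New-Ace $Writers 'Write' 'ContainerInherit' 'None'))

# "Creator/Owner has NTFS Write": inherit-only, so whoever creates a transcript
# gets Write on that file and can keep appending to it. No read right is granted.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'Write' 'ContainerInherit, ObjectInherit' 'InheritOnly'))

# "Some admin group has NTFS read": reviewers can read every transcript.
$acl.AddAccessRule((New-Ace $AdminGroup 'ReadAndExecute' 'ContainerInherit, ObjectInherit' 'None'))

Set-Acl -Path $Path -AclObject $acl

# "All users have full control of the share": NTFS is the effective limit.
New-SmbShare -Name $ShareName -Path $Path -FullAccess $Writers | Out-Null

# Review the resulting entries before pointing the transcription policy at the share.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Run it in an elevated session on the file server, then confirm from a standard user account that a transcript can be created and appended to but that other users' files cannot be opened.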