2 Replies
MaHa
New Member

Re: NTFS permissions required to scan to a SMB share

We are on e-directory for our users store data on NSS shares. I do think it's possible to mount NSS shares on Xerox. Therefore we are using an AD service account stored on the printer to scan to selected folders on a SMB. In our case it's the stored credentials which need to have the permissions.

Even if users would be logging with their own account it's not a given that they have read/write/delete permissions to all folders. We could run into the same problem anyway.

Therefore it would be nice to have a checkbox in the GUI to circumvent the testing mechanism for my selected folders. So basically letting us do our own testing when setting up scan folders.
0 Kudos
Woliwon
Valued Contributor

Re: NTFS permissions required to scan to a SMB share

The printer needs the username and password of a user that has both read and write share permissions (and normally read and write security permissions) for the specified folder, and it needs the hostname or IP of the SMB server.

It tests its ability by logging into the server, navigating to the folder, creating and immediately deleting a file.

It's the user on your server that has permission to do these things, not the Xerox itself. I'm not sure what the big deal is 🤔
0 Kudos
MaHa
New Member

NTFS permissions required to scan to a SMB share

Product Name: AltaLink C8130 / C8135 / C8145 / C8155 / C8170 Color Multifunction Printer
Operating System: Other – specify OS in post

You might ask yourself what are the minimum NTFS right requirements to successfully scan to a SMB file share using a Xerox machine. In my case it's the AltaLink C8155 but I believe it's the same for all other Xerox devices. I have tested the access from the MFP and came to the conclusion that the used scanning service account requires the below permissions to be able to do its job.

xerox-ntfs-krav.png

Obviously, you need sufficient rights to be able to create files in that folder. That's a given. However, I do not want to allow the creation and deletion of folders. I also do not want this account to be able to read previously scanned files and I do not want it to be able to delete those files.

Therefore, below permissions should be enough to scan a file to a location. "Create files / write data" allows the file to be created and "List folder / read data" lets the MFP check if the file transferred successfully. I guess it could do it without the "List folder / read data" as well because unsuccessful copying would result in an error.

xerox-ntfs-borde-räcka.png

Of course, if I would want the MFP to create folders as well, I would need to give that permission but in my case, I only want a PDF/A file to be created and copied to my network location. What I want to say is I need "just enough permissions". No more, no less.

I contacted Xerox support about that. The answer I've got is that is how the system works. A few functionalities (not the ones I am using) in the MFP require the ability to create folders and therefore the accounts need those permissions. The same is to say about the ability to delete files and folders even if you do not use this functionality. There are no plans to change this behaviour unless it's a wanted feature by many users. The only way for Xerox to acknowledge this need is for you all who want the same to contact Xerox about that and demand this "feature" (if you can call basic account security a feature). So do me a favour, let them know. Thank you!

For now, I will work around the issue by creating another service account with a file watcher service that moves files to another location where the MFP does not have access.

In case the inserted screenshots are not viewable when not logged in to the forum, here is a description.

Working permissions: Allow for "This folder, subfolders and files", List folder / read data, Create files / write data, Create folders / append data, Delete subfolders and files
Permissions that should be enough: Allow for "This folder only", List folder / read data, Create files / write

0 Kudos
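The file-mover workaround mentioned in the original post could look like the following. This is an added example, not code from the thread or from Xerox; the function name `sweep_scans`, the folder paths and the 10-second quiet period are assumptions, and it assumes the mover runs under a separate account that is the only one with write access to the destination.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def sweep_scans(drop_dir, vault_dir, min_age_s=10.0):
    """Move finished scans out of the MFP-writable folder; return new paths."""
    drop, vault = Path(drop_dir), Path(vault_dir)
    now = time.time()
    moved = []
    for entry in sorted(os.scandir(drop), key=lambda e: e.name):
        # Plain files only: ignore subfolders (the scan account can
        # create them) and links, so nothing unexpected is carried over.
        if not entry.is_file(follow_symlinks=False):
            continue
        # Assumption: a recently modified file may still be in transfer,
        # so it is left for the next pass.
        if now - entry.stat(follow_symlinks=False).st_mtime < min_age_s:
            continue
        # Never overwrite an earlier scan: file names may repeat.
        name = Path(entry.name)
        target, n = vault / name.name, 1
        while target.exists():
            target = vault / f"{name.stem}_{n}{name.suffix}"
            n += 1
        shutil.move(entry.path, str(target))
        moved.append(target)
    return moved


if __name__ == "__main__":
    # Constructed demo in a temp directory; no real share is touched.
    with tempfile.TemporaryDirectory() as root:
        drop, vault = Path(root, "drop"), Path(root, "vault")
        drop.mkdir()
        vault.mkdir()
        done = drop / "scan.pdf"
        done.write_bytes(b"%PDF-1.7 constructed sample")
        old = time.time() - 60
        os.utime(done, (old, old))                   # looks finished
        (drop / "busy.pdf").write_bytes(b"partial")  # looks in progress
        print([p.name for p in sweep_scans(drop, vault)])
```

Run on a schedule, this keeps the window in which the scan account can delete a finished file down to roughly the quiet period plus the scheduling interval.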