1E 23.7 (SaaS)

Nomad leverages native Windows security to define which accounts have access to the Nomad share. In Nomad’s default configuration, a Nomad share is created when the Nomad service is started and removed when it is stopped. The default Nomad settings also grants both Authenticated Users and the SMSNomadP2P& Nomad share account read-only access to the share.

In early versions of Nomad, further restricted access to the Nomad share could only be done using custom share permissions. The major disadvantage to this approach was that the Nomad service no longer managed the Nomad share, and it had to be created and managed through other methods. So, if you wanted to exclude Authenticated Users from the Nomad Share permissions, you must take over the management of the share.

In Nomad, a cache access security option has been implemented that is controlled using the AuthenticatedUsers registry value. This optionally restricts access to the Nomad share to just the SMSNomadP2P& Nomad share account, thereby excluding Authenticated Users from the Nomad share permissions but still leaves Nomad in control of the creation, management and removal of its share.

The Nomad share is created each time the Nomad Branch service starts and removed when it stops. When the Nomad Branch service starts:

Share Permissions for NomadSHR is configured as Read-only for the local SMSNomadP2P& user account and optionally a built-in security principal as specified by the AuthenticatedUsers registry value. The default is:

The default location for the Nomad cache is C:\ProgramData\1E\NomadBranch. The MODULE.NOMAD.CACHEPATH installer property is also used to configure the location of the Nomad Cache, which is stored in the registry value LocalCachePath.

You can use the MODULE.NOMAD.SPECIALNETSHARE installer property or update the SpecialNetShare registry value so that Nomad hides the Nomad share. If you do this, the share will be renamed NomadSHR$ and you will need to update all Nomad installations to use the hidden share.

Nomad can also be configured to use the machine account for peer connections instead of the local SMSNomadP2P& account by using the MODULE.NOMAD.SPECIALNETSHARE installer property or by updating the SpecialNetShare registry value. If the machine account is used, the local SMSNomadP2P& account is not created. Machine$ accounts in trusted domains are considered as Authenticated Users – the AuthenticatedUsers registry value must include Authenticated Users. Peer clients must be in trusted domains.

Use the MODULE.NOMAD.AUTHENTICATEDUSERS installer property or update the AuthenticatedUsers registry value to configure read-only access to the Nomad share for Authenticated Users (default), Everyone or neither in addition to the Nomad Share Account (SMSNomadP2P&). If Authenticated Users is selected, additional NTFS permissions are also configured for Authenticated Users on the Nomad cache folder.

The difference between Authenticated Users and Everyone depends on the OS version but in general Everyone includes Authenticated Users plus Guest.

The SpecialNetShare registry values enables administrators to create their own share called NomadSHR, set the user limit and permissions. The Nomad cache is shared as NomadSHR, giving read access to the local Nomad share account and authenticated users. This enables new peer connections to be established and also allows access to the cache for computers with existing connections.

Share permissions can be configured on the share and requires the minimum read-only permission for

NTFS security can also be set on the Nomad cache folder and requires these minimum permissions:

In addition, if using the built-in security principal Authenticated Users, as required when using the machine account, it requires NTFS security permissions Read & execute, List folder contents and Read.