Re: Share Folder Permission on xp in a 2003 domain



If you really really need your users to be power users I'd choose to
use restricted groups to make Domain Users a member of the local Power
Users group on the workstations instead of granting them all those user
rights that could pose a big security threat.



Josh Davis wrote:
> Paul this can be delegated via group policy. I found a way.
>
> The main problem is that by default there is no power users group
> on the DC side if this existed things would be easier right out of
> the box to implement.
>
> GP setting to allow xp user to create shared folders.
>
> LOCAL POLICIES "User Rights Assignments" from new gpmc snap in.
> "Computer configuration"
>
> permissions needed
>
> Access the computer from the network
> Act as part of the operating system
> Add workstations to domain "Can be disabled later on "
> Allow log on locally
> Backup files and directories
> change the system time
> create a pagefile
> create a token object
> create global objects
> create permanent shared objects
> log on as a service
> perform volume maintenance tasks
> Manage auditing and security log
> restore files and directories
> shutdown the system
> synch directory service data
> take ownership of files and other objects.
>
> I created a new OU put the user in the ou, created a gp called power
> users based on the above, ran gpupdate on dc and client. By default
> all user accounts are a member of the domain users group.
>
> default domain policy at root of tree is as follows.
>
> LOCAL POLICIES "User Rights Assignments"
>
> Access the computer from the network
>
> Administrators/ Authenticated users /
> Domain Admins / Domain Users
>
> Act as part of the operating system
> "As above"
>
> Allow Log on locally
> "As above"
>
> Create permanent shared objects
> "As above"
>
> All others are default "Not Defined"
>
> I would be interested what you think on this
>
> Thanks Josh...
>
> On Mon, 25 Apr 2005 08:17:58 +0100, "ptwilliams" <ptw2001@xxxxxxxxxxx>
> wrote:
>
> >A normal user cannot create a share. The minimum requirement for this is to
> >be a member of the (local) power users group. This is one of the few
> >things, I believe, that cannot be delegated.
> >
> >For information on adding users to the power users group of local PCs,
> >please refer to the following article:
> > -- http://www.msresource.net/content/view/45/47/
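
An added example, not part of either poster's message: a Python audit of a security template in the GptTmpl.inf format, contrasting the two approaches in this thread by flagging high-risk user rights held by broad groups and listing any Restricted Groups entries. The sample template, the domain SID and the choice of which rights count as high-risk are assumptions of this example.

```python
import re

# Rights from the quoted list commonly treated as administrator-equivalent
# (this selection is an assumption of the example, not taken from the thread).
HIGH_RISK = {"SeTcbPrivilege", "SeCreateTokenPrivilege", "SeBackupPrivilege",
             "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}
# Broad principals: Everyone, Authenticated Users, any domain's Domain Users (RID 513).
BROAD = re.compile(r"S-1-1-0|S-1-5-11|S-1-5-21-\d+-\d+-\d+-513")

# Constructed sample of a security template (GptTmpl.inf); the domain SID is made up.
SAMPLE_INF = """\
[Privilege Rights]
SeTcbPrivilege = *S-1-5-32-544,*S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-513
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513
SeShutdownPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-513
SeBackupPrivilege = *S-1-5-32-544
[Group Membership]
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-513
"""

def parse_inf(text):
    """Return {section: {key: [values]}} for a security-template INF."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return sections

def audit(text):
    """Flag high-risk rights held by broad principals; list Restricted Groups entries."""
    inf = parse_inf(text)
    findings = [(right, sid) for right, sids in inf.get("Privilege Rights", {}).items()
                if right in HIGH_RISK for sid in sids if BROAD.fullmatch(sid)]
    restricted = {k.lstrip("*"): v for k, v in inf.get("Group Membership", {}).items()}
    return findings, restricted

if __name__ == "__main__":
    findings, restricted = audit(SAMPLE_INF)
    for right, sid in findings:
        print(f"HIGH RISK: {right} granted to {sid}")
    print("Restricted Groups:", restricted)
```

Real GptTmpl.inf files are normally UTF-16 encoded, so decode them accordingly before passing the text to `audit`. S-1-5-32-547 is the built-in Power Users group, so the `[Group Membership]` line in the sample is the Restricted Groups form of the membership suggested in the reply above.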
