Re: Server Logon

• Previous message: Shamim: "Server Logon"
• In reply to: Shamim: "Server Logon"
• Messages sorted by: [ date ] [ thread ]

Date: Sat, 03 Jul 2004 22:45:49 GMT

You can use delegation and group membership. Members of the local power
users/administrators groups can do most of what you want on a server [other than
domain controller] . Users can be delegated the right to add workstations to the
domain via delegation which gives them the permission to create computer objects.
However I think only domain administrators can install software on domain controllers
and there is good reason for that as only trusted and knowledgeable users should have
access to domain controllers. The user right for logon locally and deny logon locally
in the appropriate security policy [domain/local/OU] can be used to control what
computers a user can logon to as can their account properties in their domain AD
account with the "logon to" option. Be very careful with deny permissions as
administrators are also members of users and everyone group. The links below may
help. --- Steve

http://www.microsoft.com/technet/security/topics/issues/w2kccscg/w2kscgcd.mspx
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part5/dsgappd.mspx

"Shamim" <anonymous@discussions.microsoft.com> wrote in message
news:259ee01c460c5$2f9f4f50$a401280a@phx.gbl...
> Dear Friends.
> i want to give sharing rights to some users so that they
> can share some folders on the network.I also want them to
> to give them some adminsitrative rights of installing the
> software,Printers and Join a workstation to the Domain,
> but at the same time i want to restrict thier logon to my
> Windows 2000 Domain Controllers.Can i set these
> permissions through Delegation Wizard or Group Policy.
>
> I will appericate your help
>
> Cheers
> Shamim.

• Previous message: Shamim: "Server Logon"
• In reply to: Shamim: "Server Logon"
• Messages sorted by: [ date ] [ thread ]