Re: can I use GPO for remote folder management?




"MLA!" <MLA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D4D1CC1-E6B6-4714-B8B3-CA94A5D45416@xxxxxxxxxxxxxxxx
> Roger,
> 1. if I will install TS in administrative mode. Is it only for
> administrators or user that exist on server can log in under his local
> profile?
>
You said you have one W2k3 server
TS in admin mode is installed automatically on W2k3
Default grant is to Administrators, but login is not allowed
until enabled (Remote tab in System Properties, r-click My
Computer)
You can allow any account by making member of the Remote
Desktop Users group

> 2. > Instead, define a group and grant him a delegation on
> > the membership of that group. Then you one time set
> > that group to have the permissions you want him able
> > to grant to others.
> >
> He is a member of R&D dep. group. And he is supposed to assign permissions to R&D
> Folder and subfolders. How to grant him a delegation on the membership?
> Where to click :) ? Sorry.
The delegation can be done at the OU level where the group is,
that is, if the group is in some OU you can r-click on the OU and
select the task to delegate, and then delegate management of group
memberships. That would cover all groups you put in that OU.
The delegation is nothing more than changes to the security setting
in the Security tab of the properties of the Group itself.

It would be of no advantage to delegate management of the group
membership if they are still able to alter the permissions of the
managed objects (ex. file storage area) instead of your controlling
the (filesystem) security settings and placing of these delegated
groups in the permissions grants.

> If you don't mind I will ask you few more questions about sharing later.
> I want to try all what you suggest above first.
> Thanks.
> Michael.
>
> "Roger Abell" wrote:
>
> > First, he is doing something wrong when attempting to
> > alter the permissions. Obviously he has the ability, as
> > he is destroying what is already there when he makes
> > changes, so it is not an issue of his being able to do this
> > as far as OS grants to him, but of how he is doing it.
> > That is a user training issue.
> >
> > Second, you should not let him alter the permissions.
> > Instead, define a group and grant him a delegation on
> > the membership of that group. Then you one time set
> > that group to have the permissions you want him able
> > to grant to others.
> >
> > None of this is something that falls into the area of
> > group policy.
> >
> > Finally . . .
> > W2k3 does include an administrative mode install of
> > terminal services that allows for two simultaneous
> > connections. I would recommend that you do not give
> > this access away to a non-savvy, non-admin unless you
> > know what you are getting into.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Michael A." <Michael A.@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:5CDD6D2D-D713-4D37-8CA8-5A23AA454C67@xxxxxxxxxxxxxxxx
> > > Hi,
> > > we have one stand alone 2003 server.
> > > I need to enable user access to the folder X on server. He needs to change
> > > other users' rights to subfolders of X folder.
> > >
> > > The folder is shared. User1 has full share and NTFS permission to folder X.
> > > A problem is that he can not assign rights remotely to other users. Maybe
> > > because there is no AD. At this time I don't want to mess up with AD. Since
> > > we have one AD on the subnet. When he clicks on subfolder he can add users to
> > > subfolder but Windows alerts "that inherited permissions will be lost".
> > > He did it few times. After that folder is inaccessible and I have to log in
> > > locally to the server and reapply permissions...
> > >
> > > Now user1 is asking me for terminal service access to the server.
> > > He says that by default there are 2 free licenses. Is that true?
> > > I cannot find any info about free TS licenses. What I found is that it will work
> > > 90 days. By the way can I buy 1 license? Or is there a minimum?
> > >
> > > Maybe there is an option for solving my problem through Group policy.
> > >
> > > How can I provide user rights for managing folder access remotely?
> > >
> > > Thanks.
> > > Michael.
> >
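
The arrangement Roger describes (grant a group the folder permissions once, then delegate only that group's membership) can also be set from a command prompt. This is an added example, not part of either poster's messages: the domain EXAMPLE, the group RnD-Folder-Users, the OU "Delegated Groups", the account user1 and the path D:\X are all assumed names, and the dsacls step applies only where the group lives in Active Directory.

```batch
@echo off
rem Added example. Every name below is an assumption, not taken from the thread.
set "GROUP_DN=CN=RnD-Folder-Users,OU=Delegated Groups,DC=example,DC=com"
set "GROUP=EXAMPLE\RnD-Folder-Users"
set "DELEGATE=EXAMPLE\user1"
set "FOLDER=D:\X"

rem 1. One-time NTFS grant made by the administrator: Modify on the folder,
rem    inherited by subfolders (CI) and files (OI). Modify does not include
rem    "Change permissions" or "Take ownership", so group members can work
rem    with the data but cannot edit the ACL or break inheritance.
rem    (icacls ships with Windows Server 2003 SP2 and later.)
icacls "%FOLDER%" /grant "%GROUP%:(OI)(CI)M"

rem 2. Remove the delegate's own explicit grant (Full Control in the thread),
rem    which is what let him rewrite subfolder permissions. He keeps access
rem    to the data only through membership of the group.
icacls "%FOLDER%" /remove:g "%DELEGATE%"

rem 3. Delegate membership management only: read/write property (RP/WP)
rem    limited to the "member" attribute of this one group object. This is
rem    the same ACL change that appears on the group's Security tab.
dsacls "%GROUP_DN%" /G "%DELEGATE%:RPWP;member"

rem 4. Review the result: the folder ACL should list the group with (M) and
rem    no entry for the delegate; the group ACL should show the member grant.
icacls "%FOLDER%"
dsacls "%GROUP_DN%"
```

If the delegate owns the folder or any subfolder, he can still change permissions there as owner, so check ownership when reviewing the output of step 4.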

