Re: Add the Adminsitrators security group to roaming user profiles
- From: "S3" <S3@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Aug 2005 12:01:31 -0700
I want to be able to give a certain security group access to user profiles by
using a gpo. I know I can use a script to do this, but I was just wondering
if we can just find where in the registry the administrators group is
specified so we can just change that value (SID/Groupname) with one that
specifies the security group.
"Herb Martin" wrote:
> "S3" <S3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:1D3D4F28-868F-413D-B521-EC079AA5655D@xxxxxxxxxxxxxxxx
> > Can we somehow just create and ADM file for this.
>
> Yes, but an ADM isn't necessary -- NTFS permissions are already an item
> in GPOs (Computer->WindowsSettings->SecuritySettings->FileSettings.
>
> BUT be warned that this is not a trivial task unless you already are very
> comfortable with permissions (e.g., write batch files to manage them),
> and you might find that setting up a "prototype system", exporting, and
> using (importing) a Security Template (.inf) is easier for you.
>
> > I want to give a security
> > group access to our roaming profiles via a gp. Is it possible?
>
> Yes. But since roaming profiles are on a file server (somewhere) why not
> just set the permissions directly or through a batch file.
>
> This would be a more interesting GPO problem if you had to do this on
> dozens or even thousands of machines.
>
> > I know this
> > canned GPO setting gives the Administrators group access to the profile.
>
> How do you know that? I don't know it.
>
> Such permisssions default to the file systems on the Roaming Profile
> file server(s).
>
> What precisely are you really trying to do? And why is that your goal?
>
> That is, what is your TRUE goal underneath all of this...?
>
> > I
> > was just thinking if we knew where in the registry the Administrators
> group
> > is specified we could just change it to reflect the name/SID of the
> security
> > group that I want to give access to the profiles for.
>
> It isn't -- and that is a different question than you have been asking.
>
> And you don't (normally) want to REMOVE the admins group from such
> access but perhaps ADD another group.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
> > "Herb Martin" wrote:
> >
> > > "S3" <S3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > news:E779EEA8-5EBE-48F5-A646-A8F216AF9652@xxxxxxxxxxxxxxxx
> > > > I know we can use the Add the Adminsitrators security group to roaming
> > > user
> > > > profiles setting to give the Admins full access to profiles. My
> questions
> > > is
> > > > how can I substitute the Admnistrators security group for another
> security
> > > > group. Is this value stored on the server registry somewhere? Can we
> > > create
> > > > an ADM template for this. Thanks!!
> > >
> > > Yes.
> > >
> > > But what are you REALLY trying to accomplish? (Rather than
> > > how you think you might do that....)
> > >
> > > SubInAcl.exe (reskit) will change an ACL to reference a different
> > > group.
> > >
> > > --
> > > Herb Martin, MCSE, MVP
> > > Accelerated MCSE
> > > http://www.LearnQuick.Com
> > > [phone number on web site]
> > >
> > >
> > >
>
>
>
.
- References:
- Add the Adminsitrators security group to roaming user profiles
- From: S3
- Re: Add the Adminsitrators security group to roaming user profiles
- From: Herb Martin
- Re: Add the Adminsitrators security group to roaming user profiles
- From: S3
- Re: Add the Adminsitrators security group to roaming user profiles
- From: Herb Martin
- Add the Adminsitrators security group to roaming user profiles
- Prev by Date: RE: Fully Qualified Domain Name in "log on to" field
- Next by Date: Can not restore system state
- Previous by thread: Re: Add the Adminsitrators security group to roaming user profiles
- Next by thread: Win2K - Win2K3
- Index(es):
Relevant Pages
|
