Re: Add the Adminsitrators security group to roaming user profiles
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Thu, 18 Aug 2005 16:59:56 -0500
"S3" <S3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE3CCA56-08E4-4336-B5A8-1981F53B47ED@xxxxxxxxxxxxxxxx
> Do you know if we can just somehow replace the administrators group with
> another security group? It has to be somewhere within the servers
registry,
> right?
No, I don't know, but serious doubt it. And I am sure it would
be a very foolish thing to do.
"S3" <S3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:06F537FB-15E7-4185-91E1-596AA81FF433@xxxxxxxxxxxxxxxx
> I want to be able to give a certain security group access to user profiles
by
> using a gpo.
You can as I have already describe. You can give this permission
directly without trying to change the basic security operation of the
system by mucking up the Admins group.
> I know I can use a script to do this, but I was just wondering
> if we can just find where in the registry the administrators group is
> specified so we can just change that value (SID/Groupname) with one that
> specifies the security group.
You can find out where, but you cannot successfully change a system
this way.
You are wasting your time with this idea. You can easily grant
the permissions you need by using a GPO or a Script or just
Explorer.
What access will this group actually exercise on Profiles?
BTW, if you were to change the Admins group -- you would just
be making this group admins so you might as well just do that before
screwing your systems up royally.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
>
> "Herb Martin" wrote:
>
> > "S3" <S3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:1D3D4F28-868F-413D-B521-EC079AA5655D@xxxxxxxxxxxxxxxx
> > > Can we somehow just create and ADM file for this.
> >
> > Yes, but an ADM isn't necessary -- NTFS permissions are already an item
> > in GPOs (Computer->WindowsSettings->SecuritySettings->FileSettings.
> >
> > BUT be warned that this is not a trivial task unless you already are
very
> > comfortable with permissions (e.g., write batch files to manage them),
> > and you might find that setting up a "prototype system", exporting, and
> > using (importing) a Security Template (.inf) is easier for you.
> >
> > > I want to give a security
> > > group access to our roaming profiles via a gp. Is it possible?
> >
> > Yes. But since roaming profiles are on a file server (somewhere) why
not
> > just set the permissions directly or through a batch file.
> >
> > This would be a more interesting GPO problem if you had to do this on
> > dozens or even thousands of machines.
> >
> > > I know this
> > > canned GPO setting gives the Administrators group access to the
profile.
> >
> > How do you know that? I don't know it.
> >
> > Such permisssions default to the file systems on the Roaming Profile
> > file server(s).
> >
> > What precisely are you really trying to do? And why is that your goal?
> >
> > That is, what is your TRUE goal underneath all of this...?
> >
> > > I
> > > was just thinking if we knew where in the registry the Administrators
> > group
> > > is specified we could just change it to reflect the name/SID of the
> > security
> > > group that I want to give access to the profiles for.
> >
> > It isn't -- and that is a different question than you have been asking.
> >
> > And you don't (normally) want to REMOVE the admins group from such
> > access but perhaps ADD another group.
> >
> > --
> > Herb Martin, MCSE, MVP
> > Accelerated MCSE
> > http://www.LearnQuick.Com
> > [phone number on web site]
> >
> > > "Herb Martin" wrote:
> > >
> > > > "S3" <S3@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > > > news:E779EEA8-5EBE-48F5-A646-A8F216AF9652@xxxxxxxxxxxxxxxx
> > > > > I know we can use the Add the Adminsitrators security group to
roaming
> > > > user
> > > > > profiles setting to give the Admins full access to profiles. My
> > questions
> > > > is
> > > > > how can I substitute the Admnistrators security group for another
> > security
> > > > > group. Is this value stored on the server registry somewhere? Can
we
> > > > create
> > > > > an ADM template for this. Thanks!!
> > > >
> > > > Yes.
> > > >
> > > > But what are you REALLY trying to accomplish? (Rather than
> > > > how you think you might do that....)
> > > >
> > > > SubInAcl.exe (reskit) will change an ACL to reference a different
> > > > group.
> > > >
> > > > --
> > > > Herb Martin, MCSE, MVP
> > > > Accelerated MCSE
> > > > http://www.LearnQuick.Com
> > > > [phone number on web site]
> > > >
> > > >
> > > >
> >
> >
> >
.
- References:
- Add the Adminsitrators security group to roaming user profiles
- From: S3
- Re: Add the Adminsitrators security group to roaming user profiles
- From: Herb Martin
- Re: Add the Adminsitrators security group to roaming user profiles
- From: S3
- Re: Add the Adminsitrators security group to roaming user profiles
- From: Herb Martin
- Re: Add the Adminsitrators security group to roaming user profiles
- From: S3
- Add the Adminsitrators security group to roaming user profiles
- Prev by Date: /idlist error when logging in
- Next by Date: Re: Simple bind to ADAM
- Previous by thread: Re: Add the Adminsitrators security group to roaming user profiles
- Next by thread: Re: Add the Adminsitrators security group to roaming user profiles
- Index(es):
Relevant Pages
|
