Re: How to allow users to create groups and shares

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hello Ronnie,

They should be member "Power users" group on the server to create/manage shares on member servers.
http://technet.microsoft.com/en-us/library/cc785098.aspx

For DC's you can use "server operators", keep in mind this group has also high permissions on DC's:
http://technet.microsoft.com/en-us/library/cc756898.aspx

For the AD part, create a new security group and add the accounts that need the permissions, then use "Delegation of control wizard". Here you can choose some predefined ones or create a custom task to delegate for your needs. Seems that the predefined one's "Create, delete and mangae groups" and "Modify the membership of a group", should be sufficient for your need. Create a test OU with some test accounts/groups and try it first with some test shares.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hi,

I started in a new company some time ago, and I'm now looking at the
policies etc. During this work I found that 10 users are member of the
administrators group in the domain. Now there's no way this is
necessary so I want to remove most of these users, but some of them
will still need to be able to administer a specific share on the file
server. This includes creating new shares within the existing share,
and create groups and maintaining membership of these groups to grant
access for only certain users to the shares within the existing share.

Now my question is how can I best limit their rights to only do this?
I've been thinking about adding the users to the Account Operators
group, but this will give them permission to create, modify, and
delete accounts for users, groups, and computers in all containers and
organizational units of Active Directory except the Builtin container
and the Domain Controllers OU. If possible I'd like them to only be
able to create and administer groups and not create users and
computers. I don't think this group will allow them to create shares
either, but can I achieve this my adding them to the Power Users
group?

If I can't achieve my goal with any of the built-in groups can I then
create a new group and grant this one the necessary permissions?

Thanks in advance,
Ronnie


.

Relevant Pages

  • RE: Moving a server with workgroup shares into a domain - will shares
    ... Microsoft Global Technical Support Center ... Moving a server with workgroup shares into a domain - will ... The Shares and local accounts database ...
    (microsoft.public.windows.server.migration)
  • Re: Password migration
    ... If it is to be a member server, there must be another domain controller. ... domain and go to a workgroup, you'll have to create individual accounts on ... Or How to migrate user accounts to SAM? ...
    (microsoft.public.win2000.group_policy)
  • Re: Managing Local Accounts
    ... Each store has a Windows 2003 server, ... We need to create accounts for each of the 50 users at each remote store ... access applications on the member server located at each store. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Moving a server with workgroup shares into a domain - will shares
    ... The shares and local user/group accounts should continue to exist ... database will only be affected if the Server is to become a Domain ...
    (microsoft.public.windows.server.migration)
  • How to add a local group to the local administrators group with GP
    ... all the local administrators accounts specific for each server. ... to add a new member to the LOCAL Administrators built-in group. ...
    (microsoft.public.windows.server.active_directory)