Re: How to allow users to create groups and shares


Hello Ronnie,

Check the policies applied to the servers/DCs to see if the user rights assignments are configured to allow the logon.

Did you delegate the control before for the test user?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hi again,

I did read the descriptions, but when I try to log on to either the DC
or file server with my test account I get the message that "To log on
to this remote computer you must have Terminal Server User Access
permissions on this computer".

I installed the adminpak on the pc as I also thought this would be the
best way to let the users manage the groups, but I'm unable to create
new groups from the administrative tools as this option isn't
available when I right click any of the OU's.

I hope you can help with this as well.

Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:

Hello Ronnie,

If you check the group properties description in the links, you can
see that members of that group are able to logon to the Server/DC.
They have also the "Allow log on locally" security right per default.
Shares you have to create on the server, the permissions can also be
set from client with a mapping to the share.

For managing groups install the adminpak.msi on the user's machine if
XP or lower OS.

You can also extract the AD consoles from the adminpak with this
command: msiexec /i adminpak.msi ADDLOCAL=FeADTools /qb

For Vista or server 2008 you have to install the Remote server
administration tools.

RSAT 32bit:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

RSAT 64bit:
http://www.microsoft.com/downloads/details.aspx?familyid=D647A60B-63FD-4AC5-9243-BD3C497D2BC5&displaylang=en

Then open Control Panel, Programs and features, Turn windows
features on or off, check the tools you like under "Remote Server
Administration Tools"

Best regards

Meinolf Weber
Hi Meinolf and thanks a lot for your help so far.

I've now created a test user, and added the user to the server
operators group in AD and the power users group on the file server.
I've created a new global security group, added the test user
account to the group and delegated the "Create, delete and manage
groups" and "Modify the membership of a group" to this group for the
OU in which the users are to create the new groups.

Now how should the users perform their tasks? Should they be able to
login on the DC to create and maintain the groups? Should they be
able to login on the fileserver to create the new shares and assign
permissions to these? If they should be able to login on the servers
will the best and safest way then be to add them to the remote
desktops users group on each server and let them use remote desktop
connection to connect?

Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,

They should be members of the "Power users" group on the server to
create/manage shares on member servers.
http://technet.microsoft.com/en-us/library/cc785098.aspx

For DC's you can use "server operators", keep in mind this group
has also high permissions on DC's:
http://technet.microsoft.com/en-us/library/cc756898.aspx

For the AD part, create a new security group and add the accounts
that need the permissions, then use "Delegation of control wizard".
Here you can choose some predefined ones or create a custom task to
delegate for your needs. Seems that the predefined ones "Create,
delete and manage groups" and "Modify the membership of a group",
should be sufficient for your need. Create a test OU with some test
accounts/groups and try it first with some test shares.

Best regards

Meinolf Weber
Hi,

I started in a new company some time ago, and I'm now looking at
the policies etc. During this work I found that 10 users are
members of the administrators group in the domain. Now there's no
way this is necessary so I want to remove most of these users, but
some of them will still need to be able to administer a specific
share on the file server. This includes creating new shares within
the existing share, and create groups and maintaining membership
of these groups to grant access for only certain users to the
shares within the existing share.

Now my question is how can I best limit their rights to only do
this? I've been thinking about adding the users to the Account
Operators group, but this will give them permission to create,
modify, and delete accounts for users, groups, and computers in
all containers and organizational units of Active Directory except
the Builtin container and the Domain Controllers OU. If possible
I'd like them to only be able to create and administer groups and
not create users and computers. I don't think this group will
allow them to create shares either, but can I achieve this by
adding them to the Power Users group?

If I can't achieve my goal with any of the built-in groups can I
then create a new group and grant this one the necessary
permissions?

Thanks in advance,
Ronnie
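
The OU-scoped delegation discussed in this thread, written as commands rather than wizard clicks: an added example that is not part of any poster's message. The OU, domain and group names are constructed placeholders, and the two grants shown (create/delete group objects, read/write the member attribute) are an assumed minimum for the task described, not a copy of what the Delegation of Control wizard writes.

```powershell
# Added example: every name below is a constructed placeholder.
$OU       = 'OU=ShareGroups,DC=example,DC=com'   # hypothetical OU holding the share-access groups
$Delegate = 'EXAMPLE\ShareGroupManagers'         # hypothetical delegated security group
$DomainDN = 'DC=example,DC=com'

# 1. Review who currently sits in the high-privilege built-in groups
#    before removing anyone (dsget ships with the AD admin tools).
foreach ($name in 'Administrators', 'Server Operators', 'Account Operators') {
    Write-Output "== Members of $name =="
    dsget group "CN=$name,CN=Builtin,$DomainDN" -members
}

# 2. Allow the delegated group to create and delete group objects
#    (and nothing else) in the OU and its sub-OUs.
#    CC = create child, DC = delete child, restricted to object class "group".
dsacls $OU /I:T /G "${Delegate}:CCDC;group"

# 3. Allow it to read and write only the "member" attribute of group
#    objects below the OU. /I:S applies the ACE to descendants only.
dsacls $OU /I:S /G "${Delegate}:RPWP;member;group"

# 4. Confirm what was granted: list the ACEs on the OU that name the group.
dsacls $OU | Select-String -SimpleMatch $Delegate
```

Run it from an account that can modify the OU's ACL, against a test OU first, and compare the output of step 4 with what the test user can actually do in Active Directory Users and Computers.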

