Re: How to allow users to create groups and shares



Hello Ronnie,

Nice to hear that you solved it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hi Meinolf,

adding the group to the Allow logon locally policy didn't help, so I
added the group to the Remote Desktop Users group on the fileserver,
so that they can log in and manage the shares from there. Creating
new groups and maintaining groups the users will have to do from
either the fileserver or the adminpak tools installed locally on their
machine. This will also keep the users from logging in on the DC,
which is good.

I've tested different scenarios and this all seems to work as I want it
to now.

Thanks a lot for your help with this. I really appreciate it.

Cheers,
Ronnie
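Ronnie's resolution above, granting the delegated group Remote Desktop access on the file server only, as an added PowerShell example that is not part of the thread. It assumes an elevated prompt on the file server; the domain name CORP and the group name ShareAdmins are placeholders. It uses the ADSI WinNT provider, which is available on Server 2003 and later, so it matches the systems discussed here.

```powershell
# Added example, not from the thread. Run elevated on the file server.
$domainName = 'CORP'          # placeholder NetBIOS domain name
$groupName  = 'ShareAdmins'   # placeholder global group holding the delegated users

function Get-LocalGroupMemberName {
    param([string]$LocalGroup)
    $grp = [ADSI]"WinNT://./$LocalGroup,group"
    foreach ($m in @($grp.psbase.Invoke('Members'))) {
        # Members come back as COM objects; their ADsPath is WinNT://DOMAIN/Name
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Add-DomainGroupToLocalGroup {
    param([string]$LocalGroup, [string]$Domain, [string]$Group)
    $grp    = [ADSI]"WinNT://./$LocalGroup,group"
    $member = "$Domain\$Group"
    if (@(Get-LocalGroupMemberName $LocalGroup) -contains $member) {
        "$member is already a member of $LocalGroup"
        return
    }
    # IADsGroup.Add takes the ADsPath of the member to add
    $grp.Add("WinNT://$Domain/$Group,group")
    "$member added to $LocalGroup"
}

Add-DomainGroupToLocalGroup -LocalGroup 'Remote Desktop Users' -Domain $domainName -Group $groupName

'Remote Desktop Users now contains:'
Get-LocalGroupMemberName 'Remote Desktop Users' | ForEach-Object { "    $_" }

# Least-privilege check: the delegated group must not also sit in local Administrators,
# which is exactly the over-privilege the thread set out to remove.
if (@(Get-LocalGroupMemberName 'Administrators') -contains "$domainName\$groupName") {
    Write-Warning "$domainName\$groupName is also a member of local Administrators"
}
```

Membership in Remote Desktop Users gives the group access to the RDP listener; the actual logon is still gated by the "Allow log on through Terminal Services" user right, which on member servers includes Remote Desktop Users by default. On domain controllers the Default Domain Controllers Policy sets that right to Administrators only, which is why this approach leaves the DC closed to the delegated users, as Ronnie wanted.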
"Meinolf Weber [MVP-DS]" wrote:

Hello Ronnie,

Add the user/group to the Computer configuration, Windows settings,
Security settings, Local policies, "Allow logon locally" in the
Default Domain Controllers Policy and in an existing or newly created
policy for the member servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Ok - I now have the delegate control part working, so that my test
user can create groups and modify these only within the one OU that
I want them to.

However the part that would allow the users to logon to the DC and
file servers still isn't working. Can you please have a look at the
below and see if you can help me?

These are the computer settings for the DC:

Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
WSUSAuto_DC_TS
FireWall OFF
NOD32 Installer
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
DR-HERLEV$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
RAS and IAS Servers
------------------------------------------------------
------------------------------------------------------
These are the computer settings for the file server:

Applied Group Policy Objects
-----------------------------
WSUSAutoServers
FireWall OFF
NOD32 Installer
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
FS$
Domain Computers
----------------------------------------------------
----------------------------------------------------
And these are the user settings for the test user:

Applied Group Policy Objects
-----------------------------
Messenger
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow remote desktop connections
Filtering: Not Applied (Empty)
NOD32 Installer
Filtering: Not Applied (Empty)
LocalAdminDK
Filtering: Not Applied (Empty)
FireWall OFF
Filtering: Not Applied (Empty)
Aventail
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
WSUSAutoComputers
Filtering: Not Applied (Empty)
Windows update patch for XP SP3
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
allCOM
LocalAdminNO
WTS users
LocalAdminDE
allDK
User-SO
wksadmin
HER-GBS-ADM-GROUPS
----------------------------------------------------
----------------------------------------------------
Since my test user is unable to logon to both servers I've looked at
the Default Domain Policy, which applies to both servers, but I
can't see anything with this policy that would prevent my test user
to log on with remote desktop connection. Could it be because the
Allow remote desktop connections GPO is filtered out?

Thanks again,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,

With gpresult and gpresult /v (detailed) you can see on the client
which policies are applied for computer and user configuration.
Then check with GPMC on the server or from a client the policy
settings.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi,

How can I check the policies applied?

Yes, I delegated the control of the OU to the group with the test
user account.

Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,

Check the policies applied to the servers/DCs to see if the user
rights assignments are configured to allow the logon.

Did you delegate the control before for the test user?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
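Meinolf's two pieces of advice in this part of the thread, checking which policies reach the server with gpresult and then checking whether the user rights assignments in them allow the logon, can be combined into one audit. The following is an added PowerShell example, not code from the thread; it assumes an elevated prompt on the server or DC being checked. Instead of reading gpresult output by hand it exports the effective local security database with secedit, which already contains the rights as applied by all GPOs, and resolves the SIDs in the [Privilege Rights] section to names.

```powershell
# Added example, not from the thread. Run elevated on the server or DC under test.

function Get-LogonRightAssignments {
    param(
        # Optional path of an existing secedit export (or a GptTmpl.inf from SYSVOL);
        # when omitted the effective local policy is exported first.
        [string]$InfPath
    )
    if (-not $InfPath) {
        $InfPath = Join-Path $env:TEMP 'secpol-export.inf'
        # /areas USER_RIGHTS restricts the export to the [Privilege Rights] section
        & secedit.exe /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
    }
    # secedit writes the export as Unicode with a BOM, which Get-Content detects
    $rights    = @{}
    $inSection = $false
    foreach ($line in (Get-Content -Path $InfPath)) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        $name   = $Matches[1]
        $values = $Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $rights[$name] = @(foreach ($v in $values) {
            if ($v.StartsWith('*S-1-')) {
                # secedit stores principals as *SID; translate to DOMAIN\Name where possible
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($v.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # orphaned or foreign SID: keep it raw so it stands out
            } else {
                $v   # templates edited in GPMC may already contain plain names
            }
        })
    }
    return $rights
}

$rights = Get-LogonRightAssignments

# The four rights that decide whether an interactive or Remote Desktop logon succeeds;
# a matching Deny entry always wins over an Allow entry.
$toCheck = 'SeInteractiveLogonRight',      # Allow log on locally
           'SeDenyInteractiveLogonRight',
           'SeRemoteInteractiveLogonRight', # Allow log on through Terminal Services
           'SeDenyRemoteInteractiveLogonRight'

foreach ($right in $toCheck) {
    "{0}:" -f $right
    if ($rights.ContainsKey($right)) {
        $rights[$right] | ForEach-Object { "    $_" }
    } else {
        "    (not defined on this machine)"
    }
}
```

Run it on the DC and on the file server and compare: the delegated group (or a group it is nested in, such as Server Operators or Remote Desktop Users) must appear under the Allow right for the logon type being used and must not appear under the matching Deny right. Passing a GptTmpl.inf from a GPO's SYSVOL folder to -InfPath shows what one particular policy contributes, which is the same information gpresult /v and GPMC present.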
Hi again,

I did read the descriptions, but when I try to log on to either
the DC or file server with my test account I get the message
that "To log on to this remote computer you must have Terminal
Server User Access permissions on this computer".

I installed the adminpak on the pc as I also thought this would
be the best way to let the users manage the groups, but I'm
unable to create new groups from the administrative tools as
this option isn't available when I right click any of the OU's.

I hope you can help with this as well.

Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,

If you check the group properties description in the links, you
can see that members of that group are able to log on to the
server/DC. They also have the "Allow log on locally" security
right by default. Shares you have to create on the server; the
permissions can also be set from a client with a mapping to the
share.

For managing groups install the adminpak.msi on the users
machine if XP or lower OS.

You can also extract the AD consoles from the adminpak with
this command: msiexec /i adminpak.msi ADDLOCAL=FeADTools /qb

For Vista or Server 2008 you have to install the Remote Server
Administration Tools.

RSAT 32bit:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

RSAT 64bit:
http://www.microsoft.com/downloads/details.aspx?familyid=D647A60B-63FD-4AC5-9243-BD3C497D2BC5&displaylang=en

Then open Control Panel, Programs and Features, Turn Windows
features on or off, and check the tools you like under "Remote
Server Administration Tools".
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hi Meinolf and thanks a lot for your help so far.

I've now created a test user, and added the user to the
Server Operators group in AD and the Power Users group on the
file server. I've created a new global security group, added
the test user account to the group and delegated the "Create,
delete and manage groups" and "Modify the membership of a
group" tasks to this group for the OU in which the users are to
create the new groups.

Now how should the users perform their tasks? Should they be
able to login on the DC to create and maintain the groups?
Should they be able to login on the fileserver to create the
new shares and assign permissions to these? If they should be
able to login on the servers will the best and safest way then
be to add them to the remote desktops users group on each
server and let them use remote desktop connection to connect?

Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,

They should be members of the "Power Users" group on the server to
create/manage shares on member servers.
http://technet.microsoft.com/en-us/library/cc785098.aspx

For DC's you can use "server operators", keep in mind this
group has also high permissions on DC's:
http://technet.microsoft.com/en-us/library/cc756898.aspx

For the AD part, create a new security group and add the
accounts that need the permissions, then use the "Delegation of
Control Wizard". Here you can choose some predefined tasks or
create a custom task to delegate for your needs. Seems that
the predefined ones "Create, delete and manage groups" and
"Modify the membership of a group" should be sufficient for
your needs. Create a test OU with some test accounts/groups
and try it first with some test shares.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
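The delegation Meinolf describes, scoped to one OU so the users can create and maintain groups without the domain-wide reach of Account Operators, can also be applied and verified from the command line. The following is an added PowerShell example, not code from the thread, using dsacls.exe (shipped with the Windows Server support tools and in the adminpak). The OU distinguished name and the group name are placeholders; run it with an account that already has write access to the OU's ACL, such as a Domain Admin doing the one-time setup.

```powershell
# Added example, not from the thread. Placeholders: the OU and the delegated group.
$ou    = 'OU=FileShareGroups,DC=corp,DC=example'   # placeholder OU that will hold the share groups
$group = 'CORP\ShareGroupAdmins'                   # placeholder global group of delegated users

# Make sure the OU exists before touching its ACL
$ouObject = [ADSI]"LDAP://$ou"
if (-not $ouObject.distinguishedName) { throw "OU not found: $ou" }

# Equivalent of the wizard's "Create, delete and manage groups":
#   1. create and delete child objects of class group in the OU and its sub-OUs
#      (/I:T = this object and all child objects; CC = create child, DC = delete child)
& dsacls.exe $ou /I:T /G "${group}:CCDC;group"

#   2. full control (GA) over group objects below the OU only (/I:S = sub-objects only),
#      restricted by inherited object type 'group' so users and computers are untouched.
#      This includes writing the member attribute, i.e. "Modify the membership of a group".
& dsacls.exe $ou /I:S /G "${group}:GA;;group"

# Read the ACL back and show only the ACEs granted to the delegated group
'ACEs for {0} on {1}:' -f $group, $ou
(& dsacls.exe $ou) | Select-String -SimpleMatch $group
```

Because full control over a group object includes changing its membership, the delegated users can add anyone, including themselves, to any group that lives under this OU. Keep privileged groups (Domain Admins, Server Operators, anything that grants logon or admin rights on servers) out of that OU, exactly as the thread does by confining the delegation to the OU that holds only the share groups.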
Hi,

I started in a new company some time ago, and I'm now
looking at the policies etc. During this work I found that
10 users are members of the Administrators group in the
domain. Now there's no way this is necessary, so I want to
remove most of these users, but some of them will still need
to be able to administer a specific share on the file
server. This includes creating new shares within the
existing share, and creating groups and maintaining membership
of these groups to grant access for only certain users to
the shares within the existing share.

Now my question is how can I best limit their rights to only
do this? I've been thinking about adding the users to the
Account Operators group, but this will give them permission
to create, modify, and delete accounts for users, groups,
and computers in all containers and organizational units of
Active Directory except the Builtin container and the Domain
Controllers OU. If possible I'd like them to only be able to
create and administer groups and not create users and
