Re: How to allow users to create groups and shares
- From: Ronnie <Ronnie@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 6 Mar 2009 04:40:05 -0800
Hi Meinolf,
adding the group to the "Allow log on locally" policy didn't help, so I added
the group to the Remote Desktop Users group on the file server, so that they
can log in and manage the shares from there. Creating new groups and
maintaining groups the users will have to do from either the file server or
the adminpak tools installed locally on their machine. This will also keep
the users from logging in on the DC, which is good.
I've tested different scenarios and this all seems to work as I want it to now.
Thanks a lot for your help with this. I really appreciate it.
Cheers,
Ronnie
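The procedure the thread ends up with (delegate group management on one OU, let the delegates reach the file server over Remote Desktop, then check what the policies actually grant on the server), as an added PowerShell example; it is not code from any of the posts above. The OU distinguished name, the delegate group "HER-ShareGroupAdmins" and the server name "FS" are placeholders, and it assumes the ActiveDirectory module from RSAT on the admin workstation, PowerShell remoting to the file server, and that the workstation is joined to the same domain. The two ACEs it writes are narrower than the wizard's "Create, delete and manage groups" task: they allow creating and deleting group objects in the OU and editing the member attribute of groups under it, but grant no other control over the group objects. One point worth knowing alongside the thread: the Default Domain Controllers Policy assigns "Allow log on through Terminal Services" to Administrators only, so membership in Remote Desktop Users does not open RDP on a DC, which fits the outcome above where adding the group on the member server, not the DC, is what worked.

```powershell
# Added example, not from the original thread. All names below are placeholders.
Import-Module ActiveDirectory

$ou         = 'OU=ShareGroups,DC=example,DC=local'   # placeholder: OU the delegates may manage
$delegates  = 'HER-ShareGroupAdmins'                 # placeholder: global group holding the delegates
$fileServer = 'FS'                                   # placeholder: member server (not a DC)

# --- 1. Delegate group management on this OU only ---------------------------------
# schemaIDGUID values are the same in every AD forest:
$groupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # object class "group"
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute "member"
$sid = (Get-ADGroup -Identity $delegates).SID

$acl = Get-Acl -Path "AD:\$ou"
# Create and delete objects of class "group" directly under the OU (not inherited further).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild, DeleteChild', 'Allow', $groupClass, 'None')))
# Write the "member" attribute on every group object under the OU, present and future.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'WriteProperty', 'Allow', $memberAttr, 'Descendents', $groupClass)))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Show only what the delegates were granted, to confirm nothing wider slipped in.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$delegates" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType

# --- 2. Let the delegates reach the member server over RDP ------------------------
# "net localgroup" exists on every Windows Server version; Add-LocalGroupMember only
# exists on Windows Server 2016 and later.
Invoke-Command -ComputerName $fileServer -ScriptBlock {
    param($member)
    net localgroup 'Remote Desktop Users' $member /add
    net localgroup 'Remote Desktop Users'          # print the resulting membership
} -ArgumentList "$env:USERDOMAIN\$delegates"

# --- 3. Check what policy actually grants on the server ---------------------------
# gpresult lists the applied GPOs (as done in the thread); secedit exports the resulting
# user-rights assignments so you can see who holds the logon rights after policy applies.
Invoke-Command -ComputerName $fileServer -ScriptBlock {
    gpresult /r /scope:computer
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Select-String -Path $inf -Pattern 'SeInteractiveLogonRight|SeRemoteInteractiveLogonRight'
    Remove-Item $inf
}
```

Step 3 is also the quickest way to see the difference between the two machines in the thread: run it against the DC as well and the exported SeRemoteInteractiveLogonRight line will list only the Administrators SID (S-1-5-32-544), while the member server lists Remote Desktop Users (S-1-5-32-555) too.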
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,
Add the user/group to Computer Configuration, Windows Settings, Security
Settings, Local Policies, "Allow log on locally" in the Default Domain Controllers
Policy and in an existing or newly created policy for the member servers.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Ok - I now have the delegate control part working, so that my test
user can create groups and modify these only within the one OU that I
want them to.
However, the part that would allow the users to log on to the DC and
file servers still isn't working. Can you please have a look at the
below and see if you can help me?
These are the computer settings for the DC:
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
WSUSAuto_DC_TS
FireWall OFF
NOD32 Installer
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
DR-HERLEV$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
RAS and IAS Servers
------------------------------------------------------
------------------------------------------------------
These are the computer settings for the file server:
Applied Group Policy Objects
-----------------------------
WSUSAutoServers
FireWall OFF
NOD32 Installer
Default Domain Policy
Local Group Policy
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
FS$
Domain Computers
----------------------------------------------------
----------------------------------------------------
And these are the user settings for the test user:
Applied Group Policy Objects
-----------------------------
Messenger
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow remote desktop connections
Filtering: Not Applied (Empty)
NOD32 Installer
Filtering: Not Applied (Empty)
LocalAdminDK
Filtering: Not Applied (Empty)
FireWall OFF
Filtering: Not Applied (Empty)
Aventail
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
WSUSAutoComputers
Filtering: Not Applied (Empty)
Windows update patch for XP SP3
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL
allCOM
LocalAdminNO
WTS users
LocalAdminDE
allDK
User-SO
wksadmin
HER-GBS-ADM-GROUPS
----------------------------------------------------
----------------------------------------------------
Since my test user is unable to log on to both servers, I've looked at
the Default Domain Policy, which applies to both servers, but I can't
see anything in this policy that would prevent my test user from logging
on with Remote Desktop Connection. Could it be because the "Allow
remote desktop connections" GPO is filtered out?
Thanks again,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,
With gpresult and gpresult /v (detailed) you can see on the client
which policies are applied for computer and user configuration. Then
check with GPMC on the server or from a client the policy settings.
Best regards
Meinolf Weber
Hi,
how can I check the policies applied?
Yes, I delegated the control of the OU to the group with the test
user account.
Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,
Check the policies applied to the servers/DCs to see if the user
rights assignments are configured to allow the logon.
Did you delegate the control before for the test user?
Best regards
Meinolf Weber
Hi again,
I did read the descriptions, but when I try to log on to either
the DC or file server with my test account I get the message
"To log on to this remote computer you must have Terminal Server
User Access permissions on this computer".
I installed the adminpak on the PC as I also thought this would be
the best way to let the users manage the groups, but I'm unable to
create new groups from the administrative tools as this option
isn't available when I right-click any of the OUs.
I hope you can help with this as well.
Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,
If you check the group properties description in the links, you
can see that members of that group are able to log on to the
server/DC. They also have the "Allow log on locally" security
right per default. Shares you have to create on the server; the
permissions can also be set from a client with a mapping to the
share.
For managing groups, install the adminpak.msi on the user's machine
if XP or a lower OS.
You can also extract the AD consoles from the adminpak with this
command: msiexec /i adminpak.msi ADDLOCAL=FeADTools /qb
For Vista or Server 2008 you have to install the Remote Server
Administration Tools.
RSAT 32bit:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en
RSAT 64bit:
http://www.microsoft.com/downloads/details.aspx?familyid=D647A60B-63FD-4AC5-9243-BD3C497D2BC5&displaylang=en
Then open Control Panel, Programs and Features, Turn Windows
features on or off, and check the tools you like under "Remote Server
Administration Tools".
Best regards
Meinolf Weber
Hi Meinolf and thanks a lot for your help so far.
I've now created a test user, and added the user to the
Server Operators group in AD and the Power Users group on the
file server. I've created a new global security group, added the
test user account to the group and delegated "Create, delete
and manage groups" and "Modify the membership of a group" to
this group for the OU in which the users are to create the new
groups.
Now how should the users perform their tasks? Should they be
able to log in on the DC to create and maintain the groups?
Should they be able to log in on the file server to create the new
shares and assign permissions to these? If they should be able
to log in on the servers, will the best and safest way then be to
add them to the Remote Desktop Users group on each server and
let them use Remote Desktop Connection to connect?
Regards,
Ronnie
"Meinolf Weber [MVP-DS]" wrote:
Hello Ronnie,
They should be members of the "Power Users" group on the server to
create/manage shares on member servers.
http://technet.microsoft.com/en-us/library/cc785098.aspx
For DCs you can use "Server Operators"; keep in mind this
group also has high permissions on DCs:
http://technet.microsoft.com/en-us/library/cc756898.aspx
For the AD part, create a new security group and add the
accounts that need the permissions, then use the "Delegation of
Control Wizard". Here you can choose some predefined ones or
create a custom task to delegate for your needs. It seems that the
predefined ones "Create, delete and manage groups" and "Modify
the membership of a group" should be sufficient for your need.
Create a test OU with some test accounts/groups and try it
first with some test shares.
Best regards
Meinolf Weber
Hi,
I started at a new company some time ago, and I'm now looking
at the policies etc. During this work I found that 10 users
are members of the Administrators group in the domain. Now
there's no way this is necessary, so I want to remove most of
these users, but some of them will still need to be able to
administer a specific share on the file server. This includes
creating new shares within the existing share, and creating
groups and maintaining membership of these groups to grant
access for only certain users to the shares within the
existing share.
Now my question is how can I best limit their rights to only
do this? I've been thinking about adding the users to the
Account Operators group, but this will give them permission to
create, modify, and delete accounts for users, groups, and
computers in all containers and organizational units of Active
Directory except the Builtin container and the Domain
Controllers OU. If possible I'd like them to only be able to
create and administer groups and not create users and
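The inventory the opening post starts from (who is effectively in the privileged groups, and through which nesting), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module from RSAT and a reachable domain controller; the group list is the groups named in the thread plus the other built-in operator groups, and the removal line at the end is deliberately left in -WhatIf mode with placeholder account names.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups discussed in the thread plus the remaining built-in groups with broad rights.
$privilegedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                    'Account Operators', 'Server Operators', 'Backup Operators'

function Get-EffectiveGroupMember {
    # Walk nested groups and report every user together with the chain that grants
    # the membership, so a flat "member of Administrators" can be traced to its cause.
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [string[]] $Chain = @()
    )
    $Chain += $Group
    foreach ($m in Get-ADGroupMember -Identity $Group) {
        if ($m.objectClass -eq 'group') {
            if ($Chain -contains $m.SamAccountName) { continue }   # break nesting loops
            Get-EffectiveGroupMember -Group $m.SamAccountName -Chain $Chain
        }
        elseif ($m.objectClass -eq 'user') {
            [pscustomobject]@{
                Privileged = $Chain[0]                  # the built-in group being audited
                User       = $m.SamAccountName
                Via        = $Chain -join ' > '         # nesting path that grants it
                Direct     = ($Chain.Count -eq 1)       # true when added to the group directly
            }
        }
    }
}

$report = foreach ($g in $privilegedGroups) { Get-EffectiveGroupMember -Group $g }
$report | Sort-Object Privileged, User | Format-Table -AutoSize

# Accounts that only need the share/group work should be moved to the delegated group
# instead of staying in Administrators. Placeholder names; -WhatIf shows the change
# without applying it.
$toDemote = 'alice', 'bob'
Remove-ADGroupMember -Identity 'Administrators' -Members $toDemote -WhatIf
```

The Via column is the useful part: a user who appears in Administrators through a nested group cannot be removed with Remove-ADGroupMember on Administrators itself; the nested group has to be taken out, or the user removed from that group.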