Hi

I would like give a domain user permission to change and reset
file/share permissions locally on computers which are joined to our
domain. I have delegated permission for them to add/remove computers
from the 'Computers' folder in Active Directory Computers and Users, and
also add/remove users from the '*ourdomain* users' and *ourdomain
groups'. Is this a group policy change I need to make?

Thanks for your help

T.

Hi,

This is a NTFS permission issue, not a GP issue. If they have the proper
permissions (Read Permissions, Change Permissions), they can change the
permissions.

br,
Denis

"none" <""Tez\"@(none)"> wrote in message
news:(E-Mail Removed)...
> Hi
>
> I would like give a domain user permission to change and reset
> file/share permissions locally on computers which are joined to our
> domain. I have delegated permission for them to add/remove computers
> from the 'Computers' folder in Active Directory Computers and Users, and
> also add/remove users from the '*ourdomain* users' and *ourdomain
> groups'. Is this a group policy change I need to make?
>
> Thanks for your help
>
> T.

On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:

>Hi
>
>I would like give a domain user permission to change and reset
>file/share permissions locally on computers which are joined to our
>domain. I have delegated permission for them to add/remove computers
>from the 'Computers' folder in Active Directory Computers and Users, and
> also add/remove users from the '*ourdomain* users' and *ourdomain
>groups'. Is this a group policy change I need to make?
>
>Thanks for your help
>
>T.

You can use Group Policy to set file system permissions.
See tip 8724 » How can I use Group Policy to set File System and/or Registry permissions?
in the 'Tips & Tricks' at http://www.jsifaq.com

Oh yes, forgot using GP to set permission. Then it could be a GP issue then.

br,
Denis

"Jerold Schulman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:
>
> >Hi
> >
> >I would like give a domain user permission to change and reset
> >file/share permissions locally on computers which are joined to our
> >domain. I have delegated permission for them to add/remove computers
> >from the 'Computers' folder in Active Directory Computers and Users, and
> > also add/remove users from the '*ourdomain* users' and *ourdomain
> >groups'. Is this a group policy change I need to make?
> >
> >Thanks for your help
> >
> >T.
>
> You can use Group Policy to set file system permissions.
> See tip 8724 » How can I use Group Policy to set File System and/or
Registry permissions?
> in the 'Tips & Tricks' at http://www.jsifaq.com

Denis Wong @ Hong Kong wrote:
> Oh yes, forgot using GP to set permission. Then it could be a GP issue then.
>
> br,
> Denis
>
> "Jerold Schulman" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>>On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:
>>
>>
>>>Hi
>>>
>>>I would like give a domain user permission to change and reset
>>>file/share permissions locally on computers which are joined to our
>>>domain. I have delegated permission for them to add/remove computers
>>
>>>from the 'Computers' folder in Active Directory Computers and Users, and
>>
>>> also add/remove users from the '*ourdomain* users' and *ourdomain
>>>groups'. Is this a group policy change I need to make?
>>>
>>>Thanks for your help
>>>
>>>T.
>>
>>You can use Group Policy to set file system permissions.
>>See tip 8724 » How can I use Group Policy to set File System and/or
>
> Registry permissions?
>
>> in the 'Tips & Tricks' at http://www.jsifaq.com
>
>
>
I can see that each computer on the domain has Domain Admins added to
the administrator group on the local computer. I would like another
domain group to be added as administrator by default except on domain
controllers. Could this be acheived by giving the domain group 'full
control' in the security tab of the 'Domain Computers' global group?

Create and link a GPO to the OU that contains the computer accounts for the
workstations in question. You may find it useful to first create an OU
specifically for the computer accounts for the computers you want to adjust
the local administrators group on.

In this new GPO, navigate to Computer Configuration, Windows Settings,
Restricted Groups
right click on Restricted Groups and select Add Group...
key the name of the Domain Group you want added to the local Administrators
group and click OK
click Add beside the box with the title "This group is a member of" (this is
the lower of the two boxes)
key Adminstrators and click OK
click OK
Close the Group Policy Editor

The above technique will only have the desired affect on clients running
Windows 2000 SP4, Windows XP SP2, Windows XP SP1 with a specific hotfix and
Windows 2003 Server; see http://support.microsoft.com/?id=810076 for
details.

Since, by default, Domain Controllers are in an OU that does not contain
other domain members, unless you link this GPO to that OU, it will not have
any affect on Domain Controllers. By default, domain member computers go in
the Computers OU.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"none" <""Tez\"@(none)"> wrote in message
news:(E-Mail Removed)...
> Denis Wong @ Hong Kong wrote:
>> Oh yes, forgot using GP to set permission. Then it could be a GP issue
>> then.
>>
>> br,
>> Denis
>>
>> "Jerold Schulman" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>
>>>On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:
>>>
>>>
>>>>Hi
>>>>
>>>>I would like give a domain user permission to change and reset
>>>>file/share permissions locally on computers which are joined to our
>>>>domain. I have delegated permission for them to add/remove computers
>>>
>>>>from the 'Computers' folder in Active Directory Computers and Users, and
>>>
>>>> also add/remove users from the '*ourdomain* users' and *ourdomain
>>>>groups'. Is this a group policy change I need to make?
>>>>
>>>>Thanks for your help
>>>>
>>>>T.
>>>
>>>You can use Group Policy to set file system permissions.
>>>See tip 8724 » How can I use Group Policy to set File System and/or
>>
>> Registry permissions?
>>
>>> in the 'Tips & Tricks' at http://www.jsifaq.com
>>
>>
>>
> I can see that each computer on the domain has Domain Admins added to the
> administrator group on the local computer. I would like another domain
> group to be added as administrator by default except on domain
> controllers. Could this be acheived by giving the domain group 'full
> control' in the security tab of the 'Domain Computers' global group?