Allow domain user to change local permissions on domain computers, without having full rights on domain

none

Hi

I would like to give a domain user permission to change and reset
file/share permissions locally on computers which are joined to our
domain. I have delegated permission for them to add/remove computers
from the 'Computers' folder in Active Directory Computers and Users, and
also add/remove users from the '*ourdomain* users' and *ourdomain
groups'. Is this a group policy change I need to make?

Thanks for your help

T.
 
Denis Wong @ Hong Kong

Hi,

This is an NTFS permission issue, not a GP issue. If they have the proper
permissions (Read Permissions, Change Permissions), they can change the
permissions.

br,
Denis
 
Jerold Schulman

Hi

I would like to give a domain user permission to change and reset
file/share permissions locally on computers which are joined to our
domain. I have delegated permission for them to add/remove computers
from the 'Computers' folder in Active Directory Computers and Users, and
also add/remove users from the '*ourdomain* users' and *ourdomain
groups'. Is this a group policy change I need to make?

Thanks for your help

T.

You can use Group Policy to set file system permissions.
See tip 8724 » How can I use Group Policy to set File System and/or Registry permissions?
in the 'Tips & Tricks' at http://www.jsifaq.com
 
Denis Wong @ Hong Kong

Oh yes, forgot using GP to set permission. Then it could be a GP issue then.

br,
Denis
 
none

Denis said:
Oh yes, forgot using GP to set permission. Then it could be a GP issue then.

br,
Denis



Registry permissions?
I can see that each computer on the domain has Domain Admins added to
the administrator group on the local computer. I would like another
domain group to be added as administrator by default except on domain
controllers. Could this be achieved by giving the domain group 'full
control' in the security tab of the 'Domain Computers' global group?
 
Bruce Sanderson

Create and link a GPO to the OU that contains the computer accounts for the
workstations in question. You may find it useful to first create an OU
specifically for the computer accounts for the computers you want to adjust
the local administrators group on.

1. In this new GPO, navigate to Computer Configuration, Windows Settings,
   Restricted Groups
2. Right click on Restricted Groups and select Add Group...
3. Key the name of the Domain Group you want added to the local Administrators
   group and click OK
4. Click Add beside the box with the title "This group is a member of" (this is
   the lower of the two boxes)
5. Key Administrators and click OK
6. Click OK
7. Close the Group Policy Editor

The above technique will only have the desired effect on clients running
Windows 2000 SP4, Windows XP SP2, Windows XP SP1 with a specific hotfix and
Windows 2003 Server; see http://support.microsoft.com/?id=810076 for
details.

Since, by default, Domain Controllers are in an OU that does not contain
other domain members, unless you link this GPO to that OU, it will not have
any effect on Domain Controllers. By default, domain member computers go in
the Computers OU.
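
One way to review what a Restricted Groups policy like the one described above grants, as an added example that is not part of the original thread: it parses the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and reports entries that add a principal to local Administrators or replace that group's membership. The function name and the SIDs in the sample are constructed for illustration.

```python
# Added example: audit Restricted Groups entries in a GPO security template.
import configparser

# BUILTIN\Administrators, referenced by well-known SID or by name
ADMINS = {"*s-1-5-32-544", "administrators"}

# Constructed sample template; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1605__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1605__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1710
"""

def audit_restricted_groups(inf_text):
    """Return (finding, principal, listed) tuples that touch local Administrators."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(inf_text)
    findings = []
    if not cp.has_section("Group Membership"):
        return findings
    for key, value in cp.items("Group Membership"):
        principal, sep, kind = key.rpartition("__")
        if not sep:
            continue  # not a <principal>__Memberof / __Members key
        listed = [v.strip() for v in value.split(",") if v.strip()]
        kind = kind.lower()
        if kind == "memberof":
            # "This group is a member of": principal is added to each listed group
            if any(g.lower() in ADMINS for g in listed):
                findings.append(("adds-to-admins", principal, listed))
        elif kind == "members" and principal.lower() in ADMINS:
            # "Members of this group": Administrators membership is replaced
            findings.append(("replaces-admins-membership", principal, listed))
    return findings

if __name__ == "__main__":
    for finding in audit_restricted_groups(SAMPLE_INF):
        print(finding)
```

Template files stored with a GPO are normally UTF-16 encoded, so decode the file to text before passing it to the function.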
 