minimum permissions to manage file shares on a DC

A

arm123

I am looking to setup a DC in a remote office and want to give the branch
manager the ability to manage file shares on the DC without making him a
Domain Admin. Is this possible? And, if so, how would I do this?

Thanks in advance.
 
J

Joe Richards [MVP]

The most intelligent and safest way to do this is to create a single
share on that server and then give the branch manager access to that
share so that he/she can create folders and assign permissions to them.

Do not, under any circumstances, give the person local interactive logon
rights to the domain controller.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
A

arm123

Thanks for the response! What tool would the branch manager use to create
folders and assign permissions? Just Windows Explorer? Because that does not
give the ability to create additional shares or assign share permissions,
only NTFS permissions.

Perhaps that would be sufficient for our need but I just want to make sure I
fully understand what you are recommending.

Thanks!
 
J

jokes54321

All users would access their particular folder through the single share you
created. Your branch manager can then create folders within that one share
and assign permissions.

Denny
 
J

Joe Richards [MVP]

Yep explorer, reread what I said... A SINGLE SHARE.

You don't normally want to be mucking around with share level
permissions anyways, most people get immensely confused when trying to
work through share level permissions combined with NTFS permissions.

I would set the share with Everyone FC and then do all of the lockdowns
on the NTFS level. This is a design I have been using very successfully
in Fortune 5 and smaller companies since the mid-90's. It works great.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Can't access shares on one DC? 1
How to grant a group rights to manage shares? 3
DC not servicing logon requests 6
Slow Logons and Can't open files 0
Log on Locally 3
W2K AD Domain issues, migration and rename native mode 3
Unable to local DC ......... URGENT 1
Win2000 DC Question 2

Top