You should be able to delegate the permission to set permissions on folders on a DC just like on a member server. You simply give them FC or ChangePerms from the root on down of where you would like them to have that right...
 
For instance, if you have a folder structure of
 
F:.
+---u
   +---user1
   +---user2
   +---user3
   +---user4
   \---user5
 
You would share out U for the folder admin to connect to and assign the group you want to have either FC or ChangePerms + some others on U on down.
 
Most likely I would guess that it sounds like you are having the script connect to the F$ or whatever $ share which is admin access only.
 
Now, having said that, I so recommend NOT using Domain Controllers as file shares, and on top of that I absolutely DO NOT recommend allowing ANYONE besides domain admins any rights to modify the file system on Domain Controllers. You are just asking for a way to be compromised. If you trust them so much, then just give them domain admin. :o)
 
Finally, the HD people will not be able to create shares on the domain controllers.
 
  joe
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft
Sent: Sunday, July 04, 2004 1:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Creating Super help desk minions For Win2k Domain

I am one of two Windows admins on a 500-user, 15+ branch network and I am trying to push some of the menial chores to the helpdesk staff (like account creation and Citrix profile repairing) so that I can start working on the more critical issues with our network. I have delegated the appropriate rights to our Helpdesk Admin group to create accounts within the appropriate OUs and need to dig a little deeper to get the Exchange account creation settled (I thought I got that set up with a custom AD delegation, but I may not have enabled all the right objects). But the big stumbling block I ran into was when I was training the HD supervisor in creating accounts, and the nifty little script I wrote that created a home drive share folder, terminal services profile folder, copied the profile template and cacl'd the rights for that user failed on the cacl. Looking deeper I realized that although I gave the HD Admin group full control of the drives where these folders existed, the account was in our NY branch which only had 1 main server (domain controller) and realized that the additional security measures on a domain controller prevented him from changing the security on the folders (we had added him to the local administrator group for other servers but were unable to add him to the local admin group for the domain controller).

 

Now my primary question is: how can I grant this right to modify file permissions on a domain controller without granting him Domain Admins rights?

 

Gideon Ashcraft

Network Administrator

Screen Actors Guild
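
The delegation described in the reply, sketched in PowerShell as an added example (not part of the original thread, whose script used cacls). The server, group and account names are hypothetical, `net share /GRANT` and `Set-Acl` assume a current Windows Server, and the target is assumed to be a member file server rather than a domain controller, in line with the reply's recommendation.

```powershell
# Added example: every name below is an assumption, not a value from the thread.
$Root      = 'F:\u'                    # folder to share out as "U" (tree from the reply)
$Delegates = 'EXAMPLE\HelpdeskAdmins'  # hypothetical delegated group
$Server    = 'FILESRV01'               # hypothetical member file server
$NewUser   = 'EXAMPLE\user6'           # hypothetical new account

# --- One-time setup, run by an administrator on the server ---
# Grant the group Modify + ChangePermissions on U, inherited by
# subfolders (ContainerInherit) and files (ObjectInherit).
$rights  = [System.Security.AccessControl.FileSystemRights]'Modify, ChangePermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = [System.Security.AccessControl.FileSystemAccessRule]::new(
               $Delegates, $rights, $inherit, 'None', 'Allow')
$acl = Get-Acl -Path $Root
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Share the folder as U. Changing NTFS permissions over SMB needs the
# Full Control share permission, so grant FULL to the delegated group only.
net share "U=$Root" "/GRANT:$Delegates,FULL"

# Check what was actually granted before handing the share over.
(Get-Acl -Path $Root).Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegates } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited

# --- Per-user step, run by a member of the delegated group ---
# Connect through \\server\U, not the administrators-only \\server\F$ share.
$leaf    = ($NewUser -split '\\')[-1]
$homeDir = Join-Path "\\$Server\U" $leaf
New-Item -ItemType Directory -Path $homeDir | Out-Null

# The caller created the folder and so owns it, which lets Set-Acl write
# the descriptor back without any administrative privilege.
$userRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $NewUser, 'Modify', $inherit, 'None', 'Allow')
$homeAcl = Get-Acl -Path $homeDir
$homeAcl.AddAccessRule($userRule)
Set-Acl -Path $homeDir -AclObject $homeAcl
```

The rights are scoped to the U tree only; nothing here touches the drive root or any other path on the server.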