Thanks Joe, I did suspect the file share properties
was an issue and I went back in and gave FC to the HD Admin group at the share
level (it was set to authenticated users read and execute), they already had FC
on the daughter files; logged on as a test HD Admin account and tried to change
file permissions with no luck. The share is a top level folder shared out with
a $ to hide it, not an admin share. The HD group does have the ability to
create folders there just not to modify permissions. Unfortunately, due to recent budget
strangulations the possibility of getting another file server for the NY branch
is totally out of the question, I’m stuck with using the DC as the
repository for the roaming profiles for 2 Citrix servers. I may be able to do
some juggling to get our LA account profiles moved to another server (again
also on a DC (don’t blame me I just inherited the network)), but I’m
still stuck with having no place but the DC to store the profiles and home
drives in NY. Personally I wouldn’t even give a junior admin access to a
domain controller much less the HD minions but I didn’t design the
network. So is there absolutely no way to give just the right to create shares
and modify folder permissions on the DC or am I stuck with having to create
folders and shares for the NY accounts? (There is no way I’m giving them
Domain Admin rights.)

Gideon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

You should be able to delegate the
permission to set permissions on folders on a DC just like on a member server.
You simply give them FC or ChangePerms from the root on down of where you would
like them to have that right...

For instance, if you have a folder structure of

    F:.
    +---user1
    +---user2
    +---user3
    +---user4
    \---user5

You would share out U for the folder admin
to connect to and assign the group you want to have either FC or ChangePerms +
some others on U on down.

Most likely I would guess that it sounds
like you are having the script connect to the F$ or whatever $ share which is
admin access only.

Now having said that. I so recommend NOT
using Domain Controllers as file shares and on top of that I absolutely DO
NOT recommend allowing ANYONE besides domain admins any rights to modify the
file system on Domain Controllers. You are just asking for a way to be
compromised. If you trust them so much, then just give them domain admin. :o)

Finally, the HD people will not be able to
create shares on the domain controllers.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft

I am one of two Windows admins on a 500 user 15+ branch
network and I am trying to push some of the menial chores to the helpdesk staff
(like account creation and Citrix profile repairing) so that I can start
working on the more critical issues with our network. I have delegated the
appropriate rights to our Helpdesk Admin group to create accounts within the
appropriate OUs and need to dig a little deeper to get the Exchange
account creation settled (I thought I got that setup with a custom AD
delegation, but I may not have enabled all the right objects). But the big
stumbling block I ran into was when I was training the HD supervisor in
creating accounts, and the nifty little script I wrote that created a home
drive share folder, terminal services profile folder, copied the profile
template and cacl’d the rights for that user failed on the cacl. Looking
deeper I realized that although I gave the HD Admin group full control of the
drives where these folders existed, the account was in our NY branch which only
had 1 main server (domain controller) and realized that the additional security
measures on a domain controller prevented him from changing the security on the
folders (we had added him to the local administrator group for other servers
but were unable to add him to the local admin group for the domain controller).

Now my primary question is: how can I grant this right to
modify file permissions on a domain controller without granting him Domain
Admins rights?

Gideon Ashcraft
Network Administrator
Screen Actors Guild
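
Added example (not part of the original thread, and not joe's or Gideon's script): one way to apply joe's suggestion of granting FC or ChangePerms from a shared root on down, then check both the share ACL and the NTFS ACL, since changing permissions through a share needs Full Control at the share level as well as the NTFS right. The path, share name, group name, and the choice of Modify plus ChangePermissions as the NTFS rights are assumptions.

```powershell
# Constructed placeholders for illustration; none of these values come from the thread.
$Root  = 'F:\Users'            # hypothetical folder holding the per-user folders
$Share = 'U'                   # non-admin share the helpdesk connects to
$Group = 'EXAMPLE\HD Admins'   # hypothetical helpdesk group

function Grant-FolderDelegation {
    param([string]$Path, [string]$ShareName, [string]$Identity)
    # Share layer: only share-level Full Control lets a remote user rewrite ACLs.
    if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $Identity -AccessRight Full -Force | Out-Null
    } else {
        New-SmbShare -Name $ShareName -Path $Path -FullAccess $Identity | Out-Null
    }
    # NTFS layer: Modify + ChangePermissions, inherited by subfolders and files.
    $rights  = [System.Security.AccessControl.FileSystemRights]'Modify, ChangePermissions'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FolderDelegation {
    param([string]$Path, [string]$ShareName, [string]$Identity)
    # Checks ACEs that name the group directly; nested group membership is not resolved.
    $shareOk = [bool](Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full' })
    $change = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    $ntfsOk = [bool]((Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($change) })
    [pscustomobject]@{
        ShareFullControl      = $shareOk
        NtfsChangePermissions = $ntfsOk
        CanSetAclOverShare    = ($shareOk -and $ntfsOk)
    }
}

Grant-FolderDelegation -Path $Root -ShareName $Share -Identity $Group
Test-FolderDelegation  -Path $Root -ShareName $Share -Identity $Group
```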
