There has been quite a bit of discussion on this list
concerning delegating the ability to create shares on DCs. Please check the
archives.
In the meanwhile, the short answer is no. The long answer
is theoretical and painful and not recommended. Previously it was mentioned for
academic reasons. Look for posts from me with the subject Domain Controller
Security...
Consider having a single common share point and map users
into the subfolders.... Then no one has to create shares. If not that, why not
place the roaming profiles on one of the Citrix servers?
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft
Sent: Sunday, July 04, 2004 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating Super help desk minions For Win2k Domain

Ooops, I goofed. I went
back and double-checked and somehow I must have clicked cancel instead of OK
when I added the HD Admin group to the file share permissions and gave full
control to the share. The script ran perfectly and I verified that the
appropriate permissions were added to the folder, I ran a test to see if he was
able to create a hidden home share on the non-DC file server and it worked. But
when I tried to create a file share on the DC through an MMC it failed miserably
(couldn’t even open it up). So I’m now left with:
Is there any way I can give the rights to create a file share on a DC or am I
personally stuck with that task (only for NY)?

G

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft

Thanks
Joe, I did suspect the file
share properties was an issue and I went back in and gave FC to the HD Admin
group at the share level (it was set to authenticated users read and execute),
they already had FC on the daughter files; logged on as a test HD Admin account
and tried to change file permissions with no luck. The share is a top level
folder shared out with a $ to hide it, not an admin share. The HD group does
have the ability to create folders there just not to modify permissions.
Unfortunately, due to
recent budget strangulations the possibility of getting another file server for
the NY branch is totally out of the question, I’m stuck with using the DC as the
repository for the roaming profiles for 2 Citrix servers. I may be able to do
some juggling to get our LA account profiles moved to another server (again also
on a DC (don’t blame me I just inherited the network)), but I’m still stuck with
having no place but the DC to store the profiles and home drives in NY.
Personally I wouldn’t even give a junior admin access to a domain controller
much less the HD minions but I didn’t design the network. So is there absolutely
no way to give just the right to create shares and modify folder permissions on
the DC or am I stuck with having to create folders and shares for the NY
accounts (There is no way I’m giving them Domain Admin
rights).

Gideon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

You should be able to
delegate the permission to set permissions on folders on a DC just like on a
member server. You simply give them FC or ChangePerms from the root on down of
where you would like them to have that right... For instance, if you
have a folder structure of

F:.
+---user1
+---user2
+---user3
+---user4
\---user5

You would share out U
for the folder admin to connect to and assign the group you want to have either
FC or ChangePerms + some others on U on down. Most likely I would
guess that it sounds like you are having the script connect to the F$ or
whatever $ share which is admin access only. Now, having said that, I
so recommend NOT using Domain Controllers as file shares and on top of
that I absolutely DO NOT recommend allowing ANYONE besides domain admins
any rights to modify the file system on Domain Controllers. You are just asking
for a way to be compromised. If you trust them so much, then just give them
domain admin. :o) Finally, the HD people
will not be able to create shares on the domain controllers.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gideon Ashcraft

I am one of two Windows admins on a
500 user 15+ branch network and I am trying to push some of the menial chores to
the helpdesk staff (like account creation and Citrix profile repairing) so that
I can start working on the more critical issues with our network. I have
delegated the appropriate rights to our Helpdesk Admin group to create accounts
within the appropriate OUs and need to dig a little deeper to get the Exchange
account creation settled (I thought I got that setup with a custom AD
delegation, but I may not have enabled all the right objects). But the big
stumbling block I ran into was when I was training the HD supervisor in creating
accounts, and the nifty little script I wrote that created a home drive share
folder, terminal services profile folder, copied the profile template and cacl’d
the rights for that user failed on the cacl. Looking deeper I realized that
although I gave the HD Admin group full control of the drives where these
folders existed, the account was in our NY branch which only had 1 main server
(domain controller) and realized that the additional security measures on a
domain controller prevented him from changing the security on the folders (we
had added him to the local administrator group for other servers but were unable to
add him to the local admin group for the domain controller).
Now my primary question is: how can
I grant this right to modify file permissions on a domain controller without
granting him Domain Admins rights?

Gideon Ashcraft
Network Administrator
Screen Actors Guild
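A worked version of the delegation joe describes in the thread (one share root shared once, per-user subfolders, help desk granted Modify plus ChangePermissions on the root rather than Full Control, local admin or Domain Admins), combined with the per-user folder and re-ACL step from Gideon's script, for a member file server rather than a DC. This is an added example, not code from either poster; the folder root, share name, group and domain names are assumptions, and it uses the modern SmbShare and Get-Acl/Set-Acl cmdlets in place of the era's net share and cacls.

```powershell
# Added example, not code from the thread. Implements joe's layout on a member file
# server (not a DC): one share root, per-user subfolders, help desk delegated
# Modify + ChangePermissions on the root instead of Full Control or local admin.
# $Root, $ShareName, $HdGroup and $Domain are assumed names.
param(
    [string]$Root      = 'F:\Users',
    [string]$ShareName = 'U$',                 # hidden, but NOT an admin ($) share
    [string]$HdGroup   = 'CONTOSO\HD Admins',
    [string]$Domain    = 'CONTOSO'
)

# 1. Share the root once. The help desk connects via \\server\U$, never via F$,
#    so nobody below Administrators needs the right to create shares.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root `
        -FullAccess 'BUILTIN\Administrators' -ChangeAccess $HdGroup | Out-Null
}

# 2. NTFS delegation on the root, inherited by every subfolder created later:
#    Modify lets them create folders and files, ChangePermissions lets their
#    script re-ACL a user's folder. FullControl and TakeOwnership stay with admins.
$acl    = Get-Acl -Path $Root
$rights = [System.Security.AccessControl.FileSystemRights]'Modify, ChangePermissions'
$rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $HdGroup, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# 3. The per-user step from the help desk script: create the home folder and
#    grant the user Modify. Inheritance stays on, so admins and the help desk
#    keep their access and the user cannot lock them out.
function New-UserHomeFolder {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $path = Join-Path $Root $SamAccountName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $userAcl  = Get-Acl -Path $path
    $userRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$SamAccountName", 'Modify',
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $userAcl.AddAccessRule($userRule)
    Set-Acl -Path $path -AclObject $userAcl
    return $path
}

# Example call, run by a member of $HdGroup over the U$ share or locally:
# New-UserHomeFolder -SamAccountName 'jdoe'
```

Steps 1 and 2 run once as an administrator; step 3 is what the help desk account needs to run repeatedly, and it succeeds with only the inherited Modify and ChangePermissions rights.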
