Sign in with
Sign up | Sign in
Your question

Allow domain user to change local permissions on domain co..

Last response: in Windows 2000/NT
Share
August 2, 2005 7:20:47 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

I would like give a domain user permission to change and reset
file/share permissions locally on computers which are joined to our
domain. I have delegated permission for them to add/remove computers
from the 'Computers' folder in Active Directory Computers and Users, and
also add/remove users from the '*ourdomain* users' and *ourdomain
groups'. Is this a group policy change I need to make?

Thanks for your help

T.
Anonymous
August 3, 2005 1:43:30 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:

>Hi
>
>I would like give a domain user permission to change and reset
>file/share permissions locally on computers which are joined to our
>domain. I have delegated permission for them to add/remove computers
>from the 'Computers' folder in Active Directory Computers and Users, and
> also add/remove users from the '*ourdomain* users' and *ourdomain
>groups'. Is this a group policy change I need to make?
>
>Thanks for your help
>
>T.

You can use Group Policy to set file system permissions.
See tip 8724 » How can I use Group Policy to set File System and/or Registry permissions?
in the 'Tips & Tricks' at http://www.jsifaq.com
Anonymous
August 3, 2005 8:35:14 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

This is a NTFS permission issue, not a GP issue. If they have the proper
permissions (Read Permissions, Change Permissions), they can change the
permissions.

br,
Denis

"none" <""Tez\"@(none)"> wrote in message
news:1122992477.29060.1@doris.uk.clara.net...
> Hi
>
> I would like give a domain user permission to change and reset
> file/share permissions locally on computers which are joined to our
> domain. I have delegated permission for them to add/remove computers
> from the 'Computers' folder in Active Directory Computers and Users, and
> also add/remove users from the '*ourdomain* users' and *ourdomain
> groups'. Is this a group policy change I need to make?
>
> Thanks for your help
>
> T.
Related resources
Anonymous
August 4, 2005 6:25:19 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Oh yes, forgot using GP to set permission. Then it could be a GP issue then.

br,
Denis

"Jerold Schulman" <Jerry@jsiinc.com> wrote in message
news:1fi1f117323qai3hg4ri8c9cmplbo8lv8g@4ax.com...
> On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:
>
> >Hi
> >
> >I would like give a domain user permission to change and reset
> >file/share permissions locally on computers which are joined to our
> >domain. I have delegated permission for them to add/remove computers
> >from the 'Computers' folder in Active Directory Computers and Users, and
> > also add/remove users from the '*ourdomain* users' and *ourdomain
> >groups'. Is this a group policy change I need to make?
> >
> >Thanks for your help
> >
> >T.
>
> You can use Group Policy to set file system permissions.
> See tip 8724 » How can I use Group Policy to set File System and/or
Registry permissions?
> in the 'Tips & Tricks' at http://www.jsifaq.com
August 4, 2005 8:18:56 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Denis Wong @ Hong Kong wrote:
> Oh yes, forgot using GP to set permission. Then it could be a GP issue then.
>
> br,
> Denis
>
> "Jerold Schulman" <Jerry@jsiinc.com> wrote in message
> news:1fi1f117323qai3hg4ri8c9cmplbo8lv8g@4ax.com...
>
>>On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:
>>
>>
>>>Hi
>>>
>>>I would like give a domain user permission to change and reset
>>>file/share permissions locally on computers which are joined to our
>>>domain. I have delegated permission for them to add/remove computers
>>
>>>from the 'Computers' folder in Active Directory Computers and Users, and
>>
>>> also add/remove users from the '*ourdomain* users' and *ourdomain
>>>groups'. Is this a group policy change I need to make?
>>>
>>>Thanks for your help
>>>
>>>T.
>>
>>You can use Group Policy to set file system permissions.
>>See tip 8724 » How can I use Group Policy to set File System and/or
>
> Registry permissions?
>
>> in the 'Tips & Tricks' at http://www.jsifaq.com
>
>
>
I can see that each computer on the domain has Domain Admins added to
the administrator group on the local computer. I would like another
domain group to be added as administrator by default except on domain
controllers. Could this be acheived by giving the domain group 'full
control' in the security tab of the 'Domain Computers' global group?
Anonymous
August 10, 2005 10:30:05 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Create and link a GPO to the OU that contains the computer accounts for the
workstations in question. You may find it useful to first create an OU
specifically for the computer accounts for the computers you want to adjust
the local administrators group on.

In this new GPO, navigate to Computer Configuration, Windows Settings,
Restricted Groups
right click on Restricted Groups and select Add Group...
key the name of the Domain Group you want added to the local Administrators
group and click OK
click Add beside the box with the title "This group is a member of" (this is
the lower of the two boxes)
key Adminstrators and click OK
click OK
Close the Group Policy Editor

The above technique will only have the desired affect on clients running
Windows 2000 SP4, Windows XP SP2, Windows XP SP1 with a specific hotfix and
Windows 2003 Server; see http://support.microsoft.com/?id=810076 for
details.

Since, by default, Domain Controllers are in an OU that does not contain
other domain members, unless you link this GPO to that OU, it will not have
any affect on Domain Controllers. By default, domain member computers go in
the Computers OU.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"none" <""Tez\"@(none)"> wrote in message
news:1123168774.80669.0@doris.uk.clara.net...
> Denis Wong @ Hong Kong wrote:
>> Oh yes, forgot using GP to set permission. Then it could be a GP issue
>> then.
>>
>> br,
>> Denis
>>
>> "Jerold Schulman" <Jerry@jsiinc.com> wrote in message
>> news:1fi1f117323qai3hg4ri8c9cmplbo8lv8g@4ax.com...
>>
>>>On Tue, 02 Aug 2005 15:20:47 +0100, none <""Tez\"@(none)"> wrote:
>>>
>>>
>>>>Hi
>>>>
>>>>I would like give a domain user permission to change and reset
>>>>file/share permissions locally on computers which are joined to our
>>>>domain. I have delegated permission for them to add/remove computers
>>>
>>>>from the 'Computers' folder in Active Directory Computers and Users, and
>>>
>>>> also add/remove users from the '*ourdomain* users' and *ourdomain
>>>>groups'. Is this a group policy change I need to make?
>>>>
>>>>Thanks for your help
>>>>
>>>>T.
>>>
>>>You can use Group Policy to set file system permissions.
>>>See tip 8724 » How can I use Group Policy to set File System and/or
>>
>> Registry permissions?
>>
>>> in the 'Tips & Tricks' at http://www.jsifaq.com
>>
>>
>>
> I can see that each computer on the domain has Domain Admins added to the
> administrator group on the local computer. I would like another domain
> group to be added as administrator by default except on domain
> controllers. Could this be acheived by giving the domain group 'full
> control' in the security tab of the 'Domain Computers' global group?
!