can I use GPO for remote folder management?

[Guest]

Hi,
we have one stand alone 2003 server.
I need to enable user access to the folder X on server. He needs to change
other users rights to subfolders of X folder.

The folder is shared. User1 has full share and NTFS permission to folder X.
A problem is that he can not assign rights remotely to other users. May be
because there is no AD. At this time I don't want to mess up with AD. Since
we have one AD on the subnet. When he clicks on subfolder he can add users to
subfolder but Windows alerts "that inherited permissions will be lost".
He did it few times. After that folder is unaccessible and I have to log in
locally to the server and reapply permissions...

Now user1 asking me a terminal service access to the server.
He says that by default there are 2 free licenses. Is that true?
I cannot find any ifo about free TS licenses. What I found that it will work
90 days. By the way can I buy 1 license? Or there is a minimum?

May be there is an option for solving my problem through Group policy.

How can I provide user rights for managing folder access remotely?

Thanks.
Michael.

 

[Roger Abell]

First, he is doing something wrong when attempting to
alter the permissions. Obviously he has the ability, as
he is destroying what is already there when he makes
changes, so it is not an issue of his being able to do this
as far as OS grants to him, but of how he is doing it.
That is a user training issue.

Second, you should not let him alter the permissions.
Instead, define a group and grant him a delegation on
the membership of that group. Then you one time set
that group to have the permissions you want him able
to grant to others.

None of this is something that falls into the area of
group policy.

Finally . . .
W2k3 does include an administrative mode install of
terminal services that allows for two simultaneous
connections. I would recommend that you do not give
this access away to a non-savy, non-admin unless you
know what you are getting into.

 

[Guest]

Roger,
1. if I will install TS in administrative mode. Is it only for
administrators or user that exist on server can log in under his local
profile?

2. > Instead, define a group and grant him a delegation on

the membership of that group. Then you one time set
that group to have the permissions you want him able
to grant to others.

He is a member of R&D dep. group. And he suppose to assign permisions to R&D
Folder and subfolders. How to grant him a delegation on the membership?
Where to click ? Sorry.
If you don't mind I will ask you few more questions about sharing later.
I want to try all what you suggest above first.
Thanks.
Michael.

 

[Roger Abell]

Roger,
1. if I will install TS in administrative mode. Is it only for
administrators or user that exist on server can log in under his local
profile?

You said you have one W2k3 server
TS in admin mode is installed automatically on W2k3
Default grant is to Adminsitrators, but login is not allowed
until enabled (Remote tab in System Properties, r-click My
Computer)
You can allow any account by making member of the Remote
Desktop Users group

2. > Instead, define a group and grant him a delegation on
He is a member of R&D dep. group. And he suppose to assign permisions to R&D
Folder and subfolders. How to grant him a delegation on the membership?
Where to click ? Sorry.

The delegation can be done at the OU level where the group is,
that is, if the group is in some OU you can r-click on the OU and
select the task to delegate, and then delegate management of group
memberships. That would cover all groups you put in that OU.
The delegation is nothing more than changes to the security setting
in the Security tab of the properties of the Group itself.

It would be of no advantage to delegate management of the group
membership if they are still able to alter the permissions of the
managed objects (ex. file storage area) instead of your controlling
the (filesystem) security settings and placing of these delegated
groups in the permissions grants.