Granting create share directory permission in DC

[Guest]

Hi,

Apart from adding Server Operators or administrators to the target user, is
there any other way to do so. We have several remote offices. Each of them
have 2 DCs. one of them also acts as file server. We want site administrator
to have right to admin the DCs in his own site and also create share for his
office users usage, but I don't want him to have right to touch other DCs on
other sites. However, granting server operators or administrators does not
serve the purpose because they will have excess rights (e.g. logon to other
DCs in other sites)

 

[Paul Williams [MVP]]

We want site administrator to have right to admin the DCs in his own site

and also create share for his office users usage, but I don't want him to
have right to touch other DCs on other sites.

This cannot be done. You grant any access, no matter what, to one DC and
that user has that access across all DCs. This is a problem that is being
targeted in Longhorn - there will be Read Only DCs (RODCs) available that
will allow a local admin.

Until then, you have to weigh up the pro's and con's (mainly less pain in
the ass for you against security of the forest) and make a decision. If
this were a member server it wouldn't be an issue.

Sorry if this isn't what you want to hear. Perhaps you can script the
creation of shares. Or better yet, write some code that runs as a service
(with the correct permissions) that allows certain users to create shares.

 

[Guest]

Hi Paul,

Thanks for your info. Basically, I know it can't be done. I just want to
find someone to backup my point of view. Thanks!