Server Logon

[Shamim]

Dear Friends.
i want to give sharing rights to some users so that they
can share some folders on the network.I also want them to
to give them some adminsitrative rights of installing the
software,Printers and Join a workstation to the Domain,
but at the same time i want to restrict thier logon to my
Windows 2000 Domain Controllers.Can i set these
permissions through Delegation Wizard or Group Policy.

I will appericate your help

Cheers
Shamim.

 

[Steven L Umbach]

You can use delegation and group membership. Members of the local power
users/administrators groups can do most of what you want on a server [other than
domain controller] . Users can be delegated the right to add workstations to the
domain via delegation which gives them the permission to create computer objects.
However I think only domain administrators can install software on domain controllers
and there is good reason for that as only trusted and knowledgeable users should have
access to domain controllers. The user right for logon locally and deny logon locally
in the appropriate security policy [domain/local/OU] can be used to control what
computers a user can logon to as can their account properties in their domain AD
account with the "logon to" option. Be very careful with deny permissions as
administrators are also members of users and everyone group. The links below may
help. --- Steve

http://www.microsoft.com/technet/security/topics/issues/w2kccscg/w2kscgcd.mspx
http://www.microsoft.com/resources/...erver/reskit/en-us/distsys/part5/dsgappd.mspx