can I use GPO for remote folder management?

G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,
we have one stand alone 2003 server.
I need to enable user access to the folder X on server. He needs to change
other users rights to subfolders of X folder.

The folder is shared. User1 has full share and NTFS permission to folder X.
A problem is that he can not assign rights remotely to other users. May be
because there is no AD. At this time I don't want to mess up with AD. Since
we have one AD on the subnet. When he clicks on subfolder he can add users to
subfolder but Windows alerts "that inherited permissions will be lost".
He did it few times. After that folder is unaccessible and I have to log in
locally to the server and reapply permissions...

Now user1 asking me a terminal service access to the server.
He says that by default there are 2 free licenses. Is that true?
I cannot find any ifo about free TS licenses. What I found that it will work
90 days. By the way can I buy 1 license? Or there is a minimum?

May be there is an option for solving my problem through Group policy.

How can I provide user rights for managing folder access remotely?

Thanks.
Michael.
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

First, he is doing something wrong when attempting to
alter the permissions. Obviously he has the ability, as
he is destroying what is already there when he makes
changes, so it is not an issue of his being able to do this
as far as OS grants to him, but of how he is doing it.
That is a user training issue.

Second, you should not let him alter the permissions.
Instead, define a group and grant him a delegation on
the membership of that group. Then you one time set
that group to have the permissions you want him able
to grant to others.

None of this is something that falls into the area of
group policy.

Finally . . .
W2k3 does include an administrative mode install of
terminal services that allows for two simultaneous
connections. I would recommend that you do not give
this access away to a non-savy, non-admin unless you
know what you are getting into.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Michael A." <Michael A.@discussions.microsoft.com> wrote in message
news:5CDD6D2D-D713-4D37-8CA8-5A23AA454C67@microsoft.com...
> Hi,
> we have one stand alone 2003 server.
> I need to enable user access to the folder X on server. He needs to change
> other users rights to subfolders of X folder.
>
> The folder is shared. User1 has full share and NTFS permission to folder
X.
> A problem is that he can not assign rights remotely to other users. May be
> because there is no AD. At this time I don't want to mess up with AD.
Since
> we have one AD on the subnet. When he clicks on subfolder he can add users
to
> subfolder but Windows alerts "that inherited permissions will be lost".
> He did it few times. After that folder is unaccessible and I have to log
in
> locally to the server and reapply permissions...
>
> Now user1 asking me a terminal service access to the server.
> He says that by default there are 2 free licenses. Is that true?
> I cannot find any ifo about free TS licenses. What I found that it will
work
> 90 days. By the way can I buy 1 license? Or there is a minimum?
>
> May be there is an option for solving my problem through Group policy.
>
> How can I provide user rights for managing folder access remotely?
>
> Thanks.
> Michael.
>
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Roger,
1. if I will install TS in administrative mode. Is it only for
administrators or user that exist on server can log in under his local
profile?

2. > Instead, define a group and grant him a delegation on
> the membership of that group. Then you one time set
> that group to have the permissions you want him able
> to grant to others.
>
He is a member of R&D dep. group. And he suppose to assign permisions to R&D
Folder and subfolders. How to grant him a delegation on the membership?
Where to click :) ? Sorry.
If you don't mind I will ask you few more questions about sharing later.
I want to try all what you suggest above first.
Thanks.
Michael.

"Roger Abell" wrote:

> First, he is doing something wrong when attempting to
> alter the permissions. Obviously he has the ability, as
> he is destroying what is already there when he makes
> changes, so it is not an issue of his being able to do this
> as far as OS grants to him, but of how he is doing it.
> That is a user training issue.
>
> Second, you should not let him alter the permissions.
> Instead, define a group and grant him a delegation on
> the membership of that group. Then you one time set
> that group to have the permissions you want him able
> to grant to others.
>
> None of this is something that falls into the area of
> group policy.
>
> Finally . . .
> W2k3 does include an administrative mode install of
> terminal services that allows for two simultaneous
> connections. I would recommend that you do not give
> this access away to a non-savy, non-admin unless you
> know what you are getting into.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Michael A." <Michael A.@discussions.microsoft.com> wrote in message
> news:5CDD6D2D-D713-4D37-8CA8-5A23AA454C67@microsoft.com...
> > Hi,
> > we have one stand alone 2003 server.
> > I need to enable user access to the folder X on server. He needs to change
> > other users rights to subfolders of X folder.
> >
> > The folder is shared. User1 has full share and NTFS permission to folder
> X.
> > A problem is that he can not assign rights remotely to other users. May be
> > because there is no AD. At this time I don't want to mess up with AD.
> Since
> > we have one AD on the subnet. When he clicks on subfolder he can add users
> to
> > subfolder but Windows alerts "that inherited permissions will be lost".
> > He did it few times. After that folder is unaccessible and I have to log
> in
> > locally to the server and reapply permissions...
> >
> > Now user1 asking me a terminal service access to the server.
> > He says that by default there are 2 free licenses. Is that true?
> > I cannot find any ifo about free TS licenses. What I found that it will
> work
> > 90 days. By the way can I buy 1 license? Or there is a minimum?
> >
> > May be there is an option for solving my problem through Group policy.
> >
> > How can I provide user rights for managing folder access remotely?
> >
> > Thanks.
> > Michael.
> >
> >
> >
> >
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

"MLA!" <MLA@discussions.microsoft.com> wrote in message
news:8D4D1CC1-E6B6-4714-B8B3-CA94A5D45416@microsoft.com...
> Roger,
> 1. if I will install TS in administrative mode. Is it only for
> administrators or user that exist on server can log in under his local
> profile?
>
You said you have one W2k3 server
TS in admin mode is installed automatically on W2k3
Default grant is to Adminsitrators, but login is not allowed
until enabled (Remote tab in System Properties, r-click My
Computer)
You can allow any account by making member of the Remote
Desktop Users group

> 2. > Instead, define a group and grant him a delegation on
> > the membership of that group. Then you one time set
> > that group to have the permissions you want him able
> > to grant to others.
> >
> He is a member of R&D dep. group. And he suppose to assign permisions to
R&D
> Folder and subfolders. How to grant him a delegation on the membership?
> Where to click :) ? Sorry.
The delegation can be done at the OU level where the group is,
that is, if the group is in some OU you can r-click on the OU and
select the task to delegate, and then delegate management of group
memberships. That would cover all groups you put in that OU.
The delegation is nothing more than changes to the security setting
in the Security tab of the properties of the Group itself.

It would be of no advantage to delegate management of the group
membership if they are still able to alter the permissions of the
managed objects (ex. file storage area) instead of your controlling
the (filesystem) security settings and placing of these delegated
groups in the permissions grants.

> If you don't mind I will ask you few more questions about sharing later.
> I want to try all what you suggest above first.
> Thanks.
> Michael.
>
> "Roger Abell" wrote:
>
> > First, he is doing something wrong when attempting to
> > alter the permissions. Obviously he has the ability, as
> > he is destroying what is already there when he makes
> > changes, so it is not an issue of his being able to do this
> > as far as OS grants to him, but of how he is doing it.
> > That is a user training issue.
> >
> > Second, you should not let him alter the permissions.
> > Instead, define a group and grant him a delegation on
> > the membership of that group. Then you one time set
> > that group to have the permissions you want him able
> > to grant to others.
> >
> > None of this is something that falls into the area of
> > group policy.
> >
> > Finally . . .
> > W2k3 does include an administrative mode install of
> > terminal services that allows for two simultaneous
> > connections. I would recommend that you do not give
> > this access away to a non-savy, non-admin unless you
> > know what you are getting into.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Michael A." <Michael A.@discussions.microsoft.com> wrote in message
> > news:5CDD6D2D-D713-4D37-8CA8-5A23AA454C67@microsoft.com...
> > > Hi,
> > > we have one stand alone 2003 server.
> > > I need to enable user access to the folder X on server. He needs to
change
> > > other users rights to subfolders of X folder.
> > >
> > > The folder is shared. User1 has full share and NTFS permission to
folder
> > X.
> > > A problem is that he can not assign rights remotely to other users.
May be
> > > because there is no AD. At this time I don't want to mess up with AD.
> > Since
> > > we have one AD on the subnet. When he clicks on subfolder he can add
users
> > to
> > > subfolder but Windows alerts "that inherited permissions will be
lost".
> > > He did it few times. After that folder is unaccessible and I have to
log
> > in
> > > locally to the server and reapply permissions...
> > >
> > > Now user1 asking me a terminal service access to the server.
> > > He says that by default there are 2 free licenses. Is that true?
> > > I cannot find any ifo about free TS licenses. What I found that it
will
> > work
> > > 90 days. By the way can I buy 1 license? Or there is a minimum?
> > >
> > > May be there is an option for solving my problem through Group policy.
> > >
> > > How can I provide user rights for managing folder access remotely?
> > >
> > > Thanks.
> > > Michael.
> > >
> > >
> > >
> > >
> >
> >
> >