Granting Rights for One Location

Status
Not open for further replies.
Jul 24, 2001
Hi. We have a single domain Windows 2000 network with 4 locations that each have a domain controller. I have some specific tasks that I need to grant for our IT people in one location and I do not see these options if I try to "Delegate Control". They need to be able to install a local printer to the server and look at "Open Files" in Computer Management. Also, we figured out how to allow these users to connect to their server using Terminal Services, but when they log in and look at the Properties of directories on the server, they are unable to share folders or even see the Sharing tab. Is there a way to grant users access to do these things on their server only ~ not throughout the entire domain? They are set up in their own OU. Thanks!
 
I believe there's a setting for that in the Group Policies. If they're in their own OU, make a new GPO and apply it to that one.

Darrell Mozingo
 
You will need to delegate the permissions to the OU, and if you have one OU per site, then part of the difficult job is done.

The much more difficult part is determining which permissions and properties you need to delegate. For example, if you go to the top of the OU, right click and go to properties, hit the security tab - by-pass the regular ACL screen and go to Advanced. Once in advanced, you can Add/Edit - so choose to Add, select the principal in the OU that you want to delegate Printer management to. In adding the attribute and properties permissions, you will need to select the pull down labelled 'Apply to:' and select Printer Object. Then, select 'Full Control'. Choose OK, then OK your way out.

This, BTW, is an easy one. Delegating permissions in this manner where the delegation wizard really does not help requires an intimate knowledge of AD ACLs and permission structure. I'd suggest getting the book "Inside Active Directory" which really breaks down AD perms to an atomic level. Great book overall, but this one area is poorly covered in other books.



Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone -
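
One way to check what the Advanced security steps in the post above wrote to the OU, as an added example that is not part of the original thread. It lists the access control entries on one OU that are scoped to printer (printQueue) objects, which covers both a "Full Control" entry applied to Printer objects and a "Create Printer Objects" entry. It assumes a current system with the ActiveDirectory PowerShell module (not available on Windows 2000), and the OU distinguished name is a placeholder.

```powershell
# Added example: audit printQueue-scoped delegation on a single OU.
# Assumption: RSAT ActiveDirectory module is installed; $OuDn is a placeholder.
Import-Module ActiveDirectory

$OuDn = 'OU=Site1,DC=example,DC=com'   # hypothetical OU, replace with your own

# Read the printQueue class GUID from the schema instead of hard-coding it.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$printQueue = Get-ADObject -SearchBase $schemaNc `
                           -LDAPFilter '(lDAPDisplayName=printQueue)' `
                           -Properties schemaIDGUID
$pqGuid     = [guid]$printQueue.schemaIDGUID

# ObjectType = printQueue          -> create/delete printQueue children of the OU
# InheritedObjectType = printQueue -> rights inherited by printQueue objects below it
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.ObjectType -eq $pqGuid -or $_.InheritedObjectType -eq $pqGuid } |
    Select-Object IdentityReference,
                  AccessControlType,
                  ActiveDirectoryRights,
                  InheritanceType,
                  IsInherited,
                  @{ n = 'Scope'; e = {
                        if ($_.InheritedObjectType -eq $pqGuid) { 'applies to printQueue objects' }
                        else { 'create/delete printQueue children' } } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Entries with IsInherited set to False were granted directly on this OU; anything inherited comes from a parent container and is not limited to the one location.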
 
Rick,

Thanks for this information and for providing it so quickly. We are fresh to W2K from Novell and it's been an adjustment! In AD Users & Computers, I right clicked the OU to which I need to grant rights, selected Properties, clicked the Security tab, clicked Advanced, then clicked Add and granted the group "Allow" to "Create Printer Objects". However, when I logged into the server as a user who is a member of the group I gave this right to, the option to add a local printer was still grayed out. Do I need to reboot the server before this change will take effect or something?
 
Rick,

Whoa. Sorry, I think I got too excited about your post and didn't read it all the way through. Let me go back and do the "In adding the attribute and properties permissions, you... etc." part and I'll post back. Thanks!

Angela
 
Rick,

Okay, I granted the group full control to Printer Objects and Add Local Printer is still gray. Any ideas?

Thanks,
Angela
 
It takes time for the policies to be applied and replicated. If you wish to update them now, type the following at a command prompt...

c:\>secedit /refreshpolicy user_policy
c:\>secedit /refreshpolicy machine_policy

 
My option to add a local printer is still gray after trying the above. Does anyone have any other suggestions? Thanks.
 