0

I have a domain group (called GSG_TECH_USER) which need "full control" right to the folder "document & setting" of all servers and workstation.

I made a test with this configuration:

  • On a workstation, add a local group LSG_PROFILE_RW
  • Add the domain group GSG_TECH_USER to LSG_PROFILE_RW
  • Go to the security of "Document & Settings" folder
  • Add the group LSG_PROFILE_RW with "full control"
  • Apply & test

Of course, the test fails, because inheritance is not checked for "doc & settings" folder.

Do you have any ideas ?

Thanks

Grégoire

EDIT
GSG_TECH_USER needs full control on folders & subfolders of "doc & settings". In other words, on all profiles.
More precisely, GSG_TECH_USER should be able to create folder in %USERPROFILE% (c:\doc&setting\user\) of all the profiles present in the computer. In this created folder, it should be able to create files & folders.
The users of GSG_TECH_USER are technical users, not human users; so local admin rights is a solution, but not the best.

podosta
  • 145
  • 1
  • 1
  • 7

2 Answers2

1

Any chance you can just throw them in backup operators? Not the best solution, but it prevents them from having administrator, while still giving them full R/W access (though to all files on the system!!!)

yasth
  • 355
  • 1
  • 3
0

Create a domain group and add the domain group to the local administrators group.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • I'm going to assume that there is a legitimate reason for not wanting to give full local admin to these people. Least privilege, man! – phuzion Jun 25 '10 at 17:23
  • 1
    i'm assuming that too, but since the OP didn't specify his security requirments I thought I'd put this out there. Let the OP do some work in describing his security needs instead of all of us having to write a thesis on it for him. – joeqwerty Jun 25 '10 at 17:31
  • edit made, more details available, tell me if you need more – podosta Jun 28 '10 at 07:56
  • And I used the GPO/Restricted Groups functionallity – podosta Jun 29 '10 at 08:31