• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 206
  • Last Modified:

Permissions required to view local users and groups on windows 2000 file/print server

Hello,

Looking for what type of permissions would be required to allow our support staff to view the members of local groups on remote file and print servers without adding them to the local administrators group, if this is possible.  Is there a group policy or registry setting that would allow them view-only access to the local groups and their members?  We are looking to remove local groups from our environment, given that we are in native mode, but need something as a temporary solution.

Thanks,

James
0
jwinzenz
Asked:
jwinzenz
  • 2
  • 2
1 Solution
 
Seelan NaidooMicrosoft Systems AdminCommented:
Add then to the Account Operators group

Account Operators is a local group that grants limited account creation privileges to a user.
Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers.

However, Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights
0
 
oBdACommented:
User permissions are basically enough to view group membership.
Unfortunately enough, if you connect remotely with the Management console, for whatever reasons, you won't get access to the users or groups.
If you have the Windows 2000 Resource Kit, you can use local.exe to get a list of group members on a remote computer:
local <GroupName> \\<ServerName>
0
 
jwinzenzAuthor Commented:
In this case, we have intentionally not added them to account operators, but rather have delegated them specific rights for basic user account creation and administration.  I will try the local.exe and see if this works.  Other than that, if they wanted to connect remotely with the management console, would they have to be in the local administrators group?

Thanks,

James

0
 
oBdACommented:
Yes, membership in local administrators will give them access; power users is not enough.
local.exe will work, though; I've used it successfully in logon scripts.
0
 
jwinzenzAuthor Commented:
Thank you for the information.  I have had one of them test local.exe, and based on the fact that it is a command-line tool that requires them to know the name of the local group, and our server local groups are not standardized, I don't think it will work for us.  But you did provide the information I needed, so again, thank you.

James
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now