• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 497
  • Last Modified:

Allow a server operator to share a folder

Hi :

i create an abc a/c (system operator)  through sevreal DCs of windows 2008 ,
I want abc canbe able to create and share in one of the DCs , it can create a folder
but when shraing and input username and password it said blocked by system admin ant not prohibit

ANY further setting i should config . I tried different GPO method or turn off firewall but it seem the same./
0
barrykfl
Asked:
barrykfl
  • 5
  • 3
3 Solutions
 
Prashant GirennavarCommented:
Can you please explain it in detail? Not able to understand your query properly.

Are you using a FILe server to create the Folder and share it? If yes , please make sure the user has an appropriate permission to do so.

Why are you referring to GPO?

SOme more details will help us to understand your problem.

Regards,

_Prashant_
0
 
Krzysztof PytkoActive Directory EngineerCommented:
I would not recommend allowing that for a user on Domain Controller because of security issue. However, if you really want to do that and you know what you are doning, change that policy under Deafult Domain Controller Policy

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

and add that users into Impersonate client after authentication

Realogon user and check once again

Regards,
Krzysztof
0
 
barrykflAuthor Commented:
Hi : iSiek

Not work, it still prompt out no right to share and block by sys admin.
0
Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

 
Krzysztof PytkoActive Directory EngineerCommented:
Looks like DCs reboot might be required to get that new computer configuration policy
However, this is not a good idea to share folder from DCs and by regular users.

Why do you need this configuration ?

Krzysztof
0
 
barrykflAuthor Commented:
4 DCs 4 Administraors in different state , Only 1 Domain , delgate the corresponding OU to them already and add server operators role in their a/c , they can create folder in their DC but sharing is not allowed and prompt block by admin.

Of cox if grand them domain admin it work but seem too full access right!
0
 
Krzysztof PytkoActive Directory EngineerCommented:
OK, but why they need to create shares on Domain Controllers ? :)
They should not be allowed for that. You can force them to use another domain member server to share data

As you described, you have implemented task delegation which is good practice. Do not break this practice and do not allow them sharing data from DCs :)

Krzysztof
0
 
barrykflAuthor Commented:
Dual to resource issue, the DC 's D: drive has to be FIlE sever no choice~ any idea?
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Not good :/ DC should not be more than AD/DNS server. But in this case please let me test something in my lab. I will go back to you in some short time

Krzysztof
0
 
Krzysztof PytkoActive Directory EngineerCommented:
OK, I have test that in my test environment and this works fine (impersonate user after authentication policy). All you need is probably reboot all Domain Controllers to get applied modified Domain Controllers policy.

Please ensure if replication between Sites are working, run on each DC in command-line
gpupdate /force

Open in new window


and reboot DCs, one by one. After all test it again

Krzysztof
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now