Solved

Active Directory question

Posted on 2014-02-11
3
133 Views
Last Modified: 2014-02-20
Hello everyone

We are delegating certain administrative duties to a user within an Organizational Unit (OU). He should have pretty much, full rights to administer his OU, but no rights within the rest of AD.
He is trying to write login scripts, and perhaps other scripts for his users to execute. The problem is, when he goes to save these scripts, he’s denied access to save the scripts in the default, SYSVOL area.

Are there some kind of access rights I can give him as a delegate on that OU to be able to save the scripts to this area? If so, what are they? If not, how can we best accomplish this?


Cheers
0
Comment
Question by:Bibecu
3 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39851237
SYSVOL is by nature a read only folder but you could give this guy (or better the security group he is in) write privileges on the SYSVOL folder.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39851296
Try to avoid manual permissions on AD folders like Sysvol
Its not painless to recover Sysvol permissions if it created any problem with custom permissions

If you have file server accessible to all, you could create regular share  folder with everyone and authenticated users read permissions with delegated user modify rights on that so that he can use that folder path in GPO and users \ computers will read scripts from there

Also you need to grant him delegated rights to create GPO for his OU
This can be achieved by going GPMC\group policy objects container delegation tab and add required user to create\edit\modify\full GPO rights
This will allow him to create GPO in his OU and sub OUs if any

Mahesh
0
 

Author Closing Comment

by:Bibecu
ID: 39874729
Sorry for the delay answering to your post, I followed your advices and everything works very well  Thank you so much Malesh !
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Can’t delete a file 14 136
Need to build a new server.  So which is better 2008 vs 2012 3 47
system state backup 1 30
No sign of locked-out users in Event Log 2 32
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now