Nozmoking
Need to grant read-only permissions to entire AD domain for a particular user
I have a Windows 2008 domain controller with a single domain that I need to grant read-only permissions for a particular user for all shares/files in the domain. I have researched this and have also tried delegating read-only access to the domain for a security group but that did not work. I'd hate to have to manually grant permissions to the shares/files the user currently cannot access - it would be a nightmare to manage and keep current. They do not need access to other computers or user control, just shares and files. Any thoughts?
You can create a security group with a single member (or as many as you want), in the special permissions give it read-only access, add that group to the highest-level shares and have all shares inherit permissions from their parents.
ASKER
Thanks for the input. One thing that might be an issue is that the domain controller is a Windows 2008 box and all the shares and files live on a separate Windows 2000 box that used to be the DC. Do I modify the ACL on the DC or on the box where the actual files are?
ASKER
Since all of the shares and files in the domain are contained on a single logical drive I added a user with read-only access to the root of the drive but it didn't work. The share permissions still preempted the permissions set at the root of the drive and probably because some shares or folders do not inherit permissions from the parent. I'm not sure this can actually be done...
You would put the permissions on the folders themselves. From there you can point to the security group that already has the appropriate permission for the user set. Assuming that you have multiple folders set up inside of each other, make your life easier and have inherited permissions set up.
Is this a production network...are you only running with one DC?
Thanks
Mike
ASKER
Yes - it's a production network with one domain and in this case one DC. This is a fairly old structure that has been handled by more than one administrator, and as I mentioned some folders do not inherit permissions. The issue is I have a company officer that wants to be able to view everything and I wouldn't want to make them a domain admin, nor do they want to be.
Thanks
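One way to carry out the approach Mike describes (a security group granted read-only at the top of the drive, plus an explicit grant on every folder that blocks inheritance, which is what the asker ran into), as an added PowerShell example that is not from this thread. It assumes it is run as a file-server administrator from a host that has PowerShell (the Windows 2000 file server has none, so it would run from the 2008 DC against the UNC path); the server name, drive root and group name are placeholders.

```powershell
# Added example, not part of the original thread. Placeholders: the UNC root
# of the old file server's data drive and the read-only security group.
param(
    [string]$Root     = '\\OLDFILESERVER\D$',        # placeholder UNC path
    [string]$Identity = 'CONTOSO\ReadOnly-Auditors',  # placeholder group
    [switch]$DryRun                                   # report only, change nothing
)

# Read-only NTFS ACE: ReadAndExecute, inherited by subfolders and files.
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $rights, $inherit, $propagate, $allow)

# Adds the ACE to one folder unless the group already has an Allow entry there.
# Returns $true when a change was (or would be) made.
function Grant-ReadOnly([string]$Path) {
    $acl = Get-Acl -Path $Path
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' }
    if ($existing) { return $false }
    $acl.AddAccessRule($rule)
    if ($DryRun) { Write-Host "Would grant $Identity read access on $Path" }
    else         { Set-Acl -Path $Path -AclObject $acl }
    return $true
}

# 1. Root of the data drive: this ACE flows down to every folder that still
#    inherits from its parent, which is the case Mike's answer covers.
$changed = 0
if (Grant-ReadOnly $Root) { $changed++ }

# 2. Folders with inheritance disabled never receive the root ACE, so add it on
#    each of them explicitly. PSIsContainer keeps this PowerShell 2.0 compatible.
$protected = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and (Get-Acl -Path $_.FullName).AreAccessRulesProtected }

foreach ($folder in $protected) {
    Write-Host "Inheritance blocked: $($folder.FullName)"
    if (Grant-ReadOnly $folder.FullName) { $changed++ }
}
Write-Host "$changed folder(s) updated. Share-level permissions must still grant Read"
Write-Host "to $Identity (effective access is the more restrictive of share and NTFS)."
```

Run it once with -DryRun to get the list of inheritance-blocked folders before changing anything; the NTFS grant alone does not help on a share whose own permission list excludes the group.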
ASKER CERTIFIED SOLUTION
Thanks
Mike