Nozmoking

Need to grant read-only permissions to entire AD domain for a particular user

I have a Windows 2008 domain controller with a single domain that I need to grant read-only permissions for a particular user for all shares/files in the domain. I have researched this and have also tried delegating read-only access to the domain for a security group but that did not work. I'd hate to have to manually grant permissions to the shares/files the user currently cannot access - it would be a nightmare to manage and keep current. They do not need access to other computers or user control, just shares and files. Any thoughts?
Mike Kline

If you just want them to access the shares/files then you will have to ACL them. There is no group that gives universal read rights to all file shares. You could give them read access at the root and let those permissions flow down and that might make your job a bit easier.

Thanks

Mike
Chase Hubbard

You can create a security group with a single member (or as many as you want), in the special permissions give him read-only access, and add that group to the highest-level shares and have all shares inherit permissions from their parents.
Nozmoking

ASKER

Thanks for the input. One thing that might be an issue is that the domain controller is a Windows 2008 box and all the shares and files live on a separate Windows 2000 box that used to be the DC. Do I modify the ACL on the DC or on the box where the actual files are?
Since all of the shares and files in the domain are contained on a single logical drive I added a user with read-only access to the root of the drive but it didn't work. The share permissions still preempted the permissions set at the root of the drive, probably because some shares or folders do not inherit permissions from the parent. I'm not sure this can actually be done...

You would put the permissions on the folders themselves. From there you can point to the security group that you pointed to that already has the appropriate permission for the user set. Assuming that you have multiple folders set up inside of each other, make your life easier and have inherited permissions set up.

Is this a production network... are you only running with one DC?

Thanks

Mike

Yes - it's a production network with one domain and in this case one DC. This is a fairly old structure that has been handled by more than one administrator, and as I mentioned some folders do not inherit permissions. The issue is I have a company officer that wants to be able to view everything and I wouldn't want to make them a domain admin, nor do they want to be.

Thanks
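
An added example, not part of the thread: a PowerShell audit, run from an admin workstation (PowerShell 3.0 or later), that lists the folders where inheritance is blocked or the read-only group has no Read ACE, which are the folders the replies above say have to be ACLed directly. `\\FILESERVER\Share` and `CONTOSO\ReadOnly-Auditors` are placeholder names, not values from the thread.

```powershell
# Added example. Both values below are hypothetical placeholders.
$Root  = '\\FILESERVER\Share'         # UNC path to one top-level share
$Group = 'CONTOSO\ReadOnly-Auditors'  # security group that holds the read-only user

$Rights      = [System.Security.AccessControl.FileSystemRights]
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-GroupCanRead {
    param($Acl, [string]$Identity)
    # True when an Allow ACE naming $Identity directly grants Read on this folder.
    # Nested group membership and Deny ACEs are not evaluated here.
    foreach ($ace in $Acl.Access) {
        $appliesHere = -not ($ace.PropagationFlags -band $InheritOnly)
        $grantsRead  = ($ace.FileSystemRights -band $Rights::Read) -eq $Rights::Read
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and $appliesHere -and $grantsRead) {
            return $true
        }
    }
    return $false
}

# The root folder plus every folder below it; enumeration failures are kept in $denied.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory `
                 -ErrorAction SilentlyContinue -ErrorVariable denied)

$report = foreach ($f in $folders) {
    $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction SilentlyContinue
    if (-not $acl) {
        # The ACL could not be read with the current account: needs a manual look.
        [pscustomobject]@{ Path = $f.FullName; InheritanceBlocked = 'unknown'; GroupHasRead = 'unknown' }
        continue
    }
    $blocked = $acl.AreAccessRulesProtected   # True = folder does not inherit from its parent
    $canRead = Test-GroupCanRead -Acl $acl -Identity $Group
    if ($blocked -or -not $canRead) {
        [pscustomobject]@{ Path = $f.FullName; InheritanceBlocked = $blocked; GroupHasRead = $canRead }
    }
}

$report | Format-Table -AutoSize
$denied | ForEach-Object { "Could not enumerate: $($_.TargetObject)" }
```

This only inspects NTFS ACLs. Share permissions are set separately on the file server, and access over the network is the more restrictive of the share and NTFS permissions, so the group also needs Read on each share.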
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.