Windows 2003 Domain users need access to local computer files

  • Thread starter Thread starter Jake
  • Start date Start date
J

Jake

Hi,
Some (infrequent) users within our network use their own notebooks to
log on to our w2003 domain controller to access their home folders,
shared resources like common files and printers.

At the same time they have files in their local computer user account's
'My Documents' folder which they need to access (and modify) when logged
in as domain users. However when logged in to a domain thay cannot
access this local account's files.

Can someone here provide an elegant solution on how to painlessly gain
access to local account file resources when being logged on to a domain?
Preferrably via GPOs or a script..

Thanks for any comment

Jake
 
Hello,

For security reason, you shouldn't let them do this, but anyway it's not
your question.

By default, users can't access other users's profile. You have two way:
Make their domain user account local administrator. That's not a real issue,
they already have a local admin account.
Modify NTFS permission.

I would do the first as it's less dirty and doesn't make a hole in the
security (the hole is already there).



--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Jake" <jake44@gmail.com> wrote in message
news:Od9UT175HHA.5160@TK2MSFTNGP05.phx.gbl...
> Hi,
> Some (infrequent) users within our network use their own notebooks to log
> on to our w2003 domain controller to access their home folders, shared
> resources like common files and printers.
>
> At the same time they have files in their local computer user account's
> 'My Documents' folder which they need to access (and modify) when logged
> in as domain users. However when logged in to a domain thay cannot access
> this local account's files.
>
> Can someone here provide an elegant solution on how to painlessly gain
> access to local account file resources when being logged on to a domain?
> Preferrably via GPOs or a script..
>
> Thanks for any comment
>
> Jake
 
Mathieu CHATEAU skrev:
> Hello,
>
> For security reason, you shouldn't let them do this, but anyway it's not
> your question.
>
> By default, users can't access other users's profile. You have two way:
> Make their domain user account local administrator. That's not a real
> issue, they already have a local admin account.
> Modify NTFS permission.

Hi,

Thanks for the tip.

How do I automate that a group of domain users should get local
administrator rights...?

Jake
 
You may use restricted groups in GPO to make them members of local
administrators group.

If you have a few, it would be more simple to do it manually.

Don't mis choose the restricted group (you have two type), choose the "make
member". The other empty the local admins group before adding yours.

as always, test your gpo in a test OU with test computer before

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Jake" <jake44@gmail.com> wrote in message
news:eRDTWi95HHA.5796@TK2MSFTNGP05.phx.gbl...
> Mathieu CHATEAU skrev:
>> Hello,
>>
>> For security reason, you shouldn't let them do this, but anyway it's not
>> your question.
>>
>> By default, users can't access other users's profile. You have two way:
>> Make their domain user account local administrator. That's not a real
>> issue, they already have a local admin account.
>> Modify NTFS permission.
>
> Hi,
>
> Thanks for the tip.
>
> How do I automate that a group of domain users should get local
> administrator rights...?
>
> Jake
 
Mathieu CHATEAU skrev:
> You may use restricted groups in GPO to make them members of local
> administrators group.
>
> If you have a few, it would be more simple to do it manually.
>
> Don't mis choose the restricted group (you have two type), choose the
> "make member". The other empty the local admins group before adding yours.
>
> as always, test your gpo in a test OU with test computer before
>

OK, will try. Where exactly do I find the 'Restricted groups' in the
GPO hives...?

Other issues I should be aware of...?

regards

Jake
 
In the computer configuration, windows settings, restricted groups

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Jake" <jake44@gmail.com> wrote in message
news:uslnqWC6HHA.1212@TK2MSFTNGP05.phx.gbl...
> Mathieu CHATEAU skrev:
>> You may use restricted groups in GPO to make them members of local
>> administrators group.
>>
>> If you have a few, it would be more simple to do it manually.
>>
>> Don't mis choose the restricted group (you have two type), choose the
>> "make member". The other empty the local admins group before adding
>> yours.
>>
>> as always, test your gpo in a test OU with test computer before
>>
>
> OK, will try. Where exactly do I find the 'Restricted groups' in the GPO
> hives...?
>
> Other issues I should be aware of...?
>
> regards
>
> Jake
 
Back
Top