I am running Windows Small Business Server 2003. We use it as a file
server and an Exchange Server in our office with about 6 users. We
have a number of shared folders that all 6 users access, but I have
one share that only 3 of us can access. It contains sensitive
business information that I want protected (both for me and for the
sake of my employees).
One of my employees is partly responsible for keeping our network up
and running, our Exchange server, printers, server data backups, etc.
He needs to be able to administer that server in almost every way (I
have no concerns about his abilities). However, I need him to not
have privileges to change folder permissions on folders that he does
not have access to.
I know this must be an easy task for a Windows Server expert, but none
of us are... and I can't find this answer anywhere online. Basically,
I need him to have ALL the privileges of an admin user, except the
ability to modify the permissions on a single folder. If I leave him
as an admin and remove his permissions to that folder he can still
reset them (doh! because he's an admin!). "Power Users" don't have
enough permissions for him to be able to do everything he needs to do
on the server.
That's it. Please help.
Request for Question Clarification by sublime1-ga on 19 May 2006 00:59 PDT
hookjd...
I don't have 2003 SBS, I have Win2000, but I think you'll find
the process similar. If you've given your guy access to THE
Admin account log in, you'll need to change the password. Then
create a set of permissions specific to his usual logon name,
or create a logon name just for him, and then set the permissions
for his account.
After creating his logon username, you should be able to find it
by r-clicking on the main drive and looking at the list of
names on the Security tab under Properties. If his username isn't
there, click on Add to add it from the complete list. The name
should show up in the form of Computername [Computername\Username].
Once he's on the list, start by giving him Full Permissions for
the whole drive or drives or parts of the network you want him
to manage. Then go to the folders you want to protect, and right-
click on them and go to Properties -> Security tab.
Click on the Advanced button at the bottom. Now click on his user
name and click on View/Edit. This should give you access to an
extended list of permissions. You can leave them all checked except
'Change Permissions', and, perhaps, 'Read Permissions'.
You'll likely need to reboot.
I'm pretty sure that will work, but I have no way to test it, so
I won't post a formal answer 'til I hear back from you that it
worked, or that you need clarification.
Let me know...
sublime1-ga
Clarification of Question by hookjd-ga on 19 May 2006 08:32 PDT
Thanks for your answer, but I'm afraid that doesn't do it. I have
created a user account for testing this out. When I create a user
account, I use the "Administrator Template" to create it (which I
think is where the problem lies). But I have gone to the share I want
to deny access to and moved all the permissions to "deny" for this
user, including "change permissions" just as you suggested.
But when I log in as this user I can still go to the share, look at
the properties, and give myself full control of the folder without
problem.
I think it must be to do with the user template I am using, it must
override the permissions on the specific object to allow me to do
anything I want. I think my ultimate goal will be to create a new
user template that has all the permissions of an admin, except the
ability to change file/folder permissions. In SBS, it is not at all
clear how this will work.
To reiterate, I need this user to be able to log in remotely to our
server and have complete control of all aspects, including
installation of software, administering printers, everything. I just
want him not to be able to access one folder and not have the ability
to modify the system to give himself access to that folder.
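Added example, not part of the original thread: a simplified Python model of the Windows access check, showing why the deny entry described in the clarification above does not hold against an account that carries administrator privileges. The account names, the dictionary layout and the function names are constructed for illustration.

```python
# Simplified model of the Windows access check; all names and data are constructed.
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000     # "Change Permissions" in the Advanced dialog
WRITE_OWNER = 0x00080000   # "Take Ownership"
FULL_CONTROL = 0x001F01FF  # file "Full Control" mask

def access_check(token, sd, desired):
    """Return True if every bit in `desired` is granted to `token` on `sd`."""
    remaining = desired
    # SeTakeOwnershipPrivilege grants WRITE_OWNER without consulting the DACL.
    if "SeTakeOwnershipPrivilege" in token["privileges"]:
        remaining &= ~WRITE_OWNER
    # The object's owner is implicitly granted READ_CONTROL and WRITE_DAC.
    if sd["owner"] in token["sids"]:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    # Walk the ACEs in order: a matching deny fails, a matching allow clears bits.
    for ace_type, sid, mask in sd["dacl"]:
        if remaining == 0:
            break
        if sid not in token["sids"]:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
    return remaining == 0

def take_ownership(token, sd):
    """Make the caller the owner if WRITE_OWNER is granted to it."""
    if not access_check(token, sd, WRITE_OWNER):
        return False
    sd["owner"] = token["user"]
    return True

def demo():
    # Sensitive folder: every right denied to the IT account, as tried in the thread.
    folder = {"owner": "OFFICE\\owner",
              "dacl": [("deny", "OFFICE\\itadmin", FULL_CONTROL),
                       ("allow", "OFFICE\\owner", FULL_CONTROL)]}
    admin = {"user": "OFFICE\\itadmin",
             "sids": {"OFFICE\\itadmin", "BUILTIN\\Administrators"},
             "privileges": {"SeTakeOwnershipPrivilege"}}
    no_priv = dict(admin, privileges=set())  # same account without the privilege
    before = access_check(admin, folder, WRITE_DAC)        # deny ACE applies
    unprivileged = take_ownership(no_priv, dict(folder))   # deny ACE applies
    took = take_ownership(admin, folder)                   # privilege skips the DACL
    after = access_check(admin, folder, WRITE_DAC)         # owner: implicit WRITE_DAC
    return before, unprivileged, took, after
```

In this model the deny entry only holds against the token that lacks the take-ownership privilege, which matches what the test account built from the administrator template showed.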
Request for Question Clarification by sublime1-ga on 19 May 2006 12:40 PDT
> But when I log in as this user I can still go to the share, look at
> the properties, and give myself full control of the folder without
> problem.
This does sound like it's due to the use of the "Administrator Template",
though I'm not familiar with this. Perhaps it's an aspect of SBS 2003.
I don't see it in Windows 2000. I was thinking you would create the new
user, logged in as Administrator, from Start -> Settings -> Control
Panel -> Users and Passwords, and then proceed to set permissions as
I described previously.
If that doesn't work, I'm afraid I'm stumped on this one. Perhaps
another researcher will be able to assist you. Until a researcher
posts a formal answer, the question remains open to everyone, and
you are not charged.
Let me know if this makes any difference...
sublime1-ga
Clarification of Question by hookjd-ga on 19 May 2006 14:49 PDT
OK Thanks. It seems like someone familiar with SBS 2003 should be
able to quickly advise me how to do this. We are using all the
default templates and this is the one difficulty we have had.