This also gives them permission to take ownership of any subfolder, which negates everything. I would like the Account Operators group to not be able to browse users' home directories, but I need to give them FC permissions (applied to "This folder and Subfolders") so they can lower permissions for each user.

Maybe using myself as an example won't work (I thought keeping it as simple as possible would be best), so here is the detailed problem: Our help desk normally does the account creation and home folder assignment, and they are in the Account Operators group.

Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit.

This should give you a taster: Account Operators is a default group located in the Builtin container.

Using the Account Operators group will open your AD domain up to members of that group.

Use delegation rather than built-ins such as Account or Server or Backup Operators.

PM, Just to add to what Marcin said, using built-in groups is generally a bad idea.