Standard Domain user needs folder permission rights

[Ben_Stanton]

Hi,

I have one particular user that needs to be able to add/remove other domain users to a series of folders (these folders can all be within one dedicated folder). What is the best way of doing this? Obviously, I don't want that user to have domain admin rights. Can it be done?

Cheers

[srochford]

Do you have exchange?

If so, create a universal security group. Give that group the rights you need and make the person the manager of the group and tick the box saying "manager can update membership"

When that person wants to update who has access to the folder they just go into Outlook address book and update the address list. Because it's also a security group they change the effective permissions on the folder.

This can be quite a nice way of working - you often have a situation where a group of people are working together - this gives you a group email and a group folder.

If you don't have Exchange then you can give the person full control over that folder and they can add/remove users but this is a nightmare to maintain

[Ryan]

You can be very specific about who gets what for folders and files.

Right click on a folder and choose Properties. Click on Security tab then hit Advanced. Choose an entry (either user or group) and hit Edit. In here, you can allow them more (and very specific) control over what they can do, and the setting of permissions etc.

Test with a test account first perhaps, and be careful not to allow too many rights, just the ones they need.

@Steve: Interesting. Do you find this method of delegation works ok? Do people remember to update as and when req'd?

[Ben_Stanton]

Yeah, shjould have looked before creating a topic. Already done it using 'advanced' in secuirty. Knew I had seen it somewhere.

Thanks - good idea with exchange too.

[srochford]

@Steve: Interesting. Do you find this method of delegation works ok? Do people remember to update as and when req'd?

It's all they get :-)

We do get people who haven't got a clue; we have an intranet page with pictures of what to do which they can use. In general it works well and the biggest benefit is that you don't get "orphaned sids" (Joe Bloggs leaves and a folder still has their SID attached - there's no way of easily tracking down which folders Joe Bloggs was allowed to access).

it's also much easier to have people in groups - Joe Bloggs leaves and is replaced by Jenny Bloggs. All you have to do to make sure that Jenny has the same rights as Joe is to put her in the same groups as Joe - none of the "Oh, I think he used to be able to do xxxx" type stuff :-)