Folder/File owner in domain gets set to "Administrators" and not their username

    Question

  • This is what I've done:

    Created a group named "Local Admin" and then created a GPO with Restricted Groups:
    Group: DOMAIN\Local Admin
    Member of: BUILTIN\Remote Desktop Users, BUILTIN\Administrators

    So far so good, users get to do whatever they want with their computer...
    I have a few problems with this setup:
    * They can access other computers' C$; all users can basically do whatever they want to every computer on the network.
    * When they create a folder/files on our network share the owner is set as: "Administrators" (the network share is a Windows 2012 server)

    q1: How do I make it so that the user only has these privileges on the machine that they are logged in to?
    q2: How do I get it to display who created the files and folders on the file server?

    Thursday, April 16, 2015 12:32 PM

All replies

  • > Created a group named "Local Admin" and then created a GPO with
    > Restricted Groups:
    > Group: DOMAIN\Local Admin
    > Member of: BUILTIN\Remote Desktop Users, BUILTIN\Administrators
     
    If you want your users to be a local admin only on the workstation they
    are currently logged in, you cannot use restricted groups - at least not
    "comfortably".
     
    If you use GPP Local Users and Groups instead, you can do the following:
     
    In a computer policy, clean out local administrators and add a global
    "Support group" to them.
     
    In a user policy, add the current user (not a group!) to the local
    administrators, and do Item Level Targeting for "user is a member of a
    group" or whatever fits your needs.
     
    > * When they create a folder/files on our network share the owner is set
    > as: "Administrators" (the network share is a Windows 2012 server)
     
    This is expected behavior.
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, April 17, 2015 8:51 AM
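
A check for the first problem in the question and the fix described in the reply above, as an added example that is not part of the thread: it flags domain groups left in a workstation's local Administrators group. The function name, the group name `DOMAIN\Support group`, the computer name `PC01` and the sample records are assumptions made for illustration.

```powershell
# Added example, not code from the thread.
# Assumption: 'DOMAIN\Support group' is the global support group from the reply.
function Test-LocalAdminMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member,

        # Domain groups that are allowed to remain in local Administrators.
        [string[]]$AllowedGroup = @('DOMAIN\Support group')
    )
    process {
        # A domain *group* here makes every member an admin on each machine
        # the policy reaches; an individual user entry is limited to this one.
        $isDomainGroup = ($Member.ObjectClass -eq 'Group') -and
                         ("$($Member.PrincipalSource)" -eq 'ActiveDirectory')

        $finding = if ($isDomainGroup -and ($AllowedGroup -notcontains $Member.Name)) {
            'Domain group: members are admin on every targeted machine'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Name        = $Member.Name
            ObjectClass = $Member.ObjectClass
            Source      = "$($Member.PrincipalSource)"
            Finding     = $finding
        }
    }
}

# Constructed sample: membership as produced by the Restricted Groups setup
# in the question, plus one per-user entry as the GPP user policy would add.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';   ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'DOMAIN\Support group'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'DOMAIN\Local Admin';   ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'DOMAIN\jdoe';          ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)
$sample | Test-LocalAdminMember | Format-Table -AutoSize

# On a real workstation (Windows PowerShell 5.1 or later; the group name is
# localized on non-English systems):
# Get-LocalGroupMember -Group 'Administrators' | Test-LocalAdminMember
```

With the sample data only `DOMAIN\Local Admin` is flagged; once the GPP policies from the reply have applied, a workstation should report no flagged entries.
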
  • > If you use GPP Local Users and Groups instead, you can do the following:
    >  
    > In a computer policy, clean out local administrators and add a global
    > "Support group" to them.
    >  
    > In a user policy, add the current user (not a group!) to the local
    > administrators, and do Item Level Targeting for "user is a member of a
    > group" or whatever fits your needs.

    Will this still display the owners of files and folders as "Administrators"?
    Friday, April 17, 2015 8:56 AM
  • > Will this still display the owners of files and folders as "Administrators"?
     
    Yes
     

    Greetings/Grüße, Martin

    Friday, April 17, 2015 9:18 AM
  • Then it's no solution for both of my problems. It's quite important to know who creates files and folders...
    Friday, April 17, 2015 9:50 AM