Folder/File owner in domain gets set to "Administrators" and not their username

-
This is what I've done:
Created a group named "Local Admin" and then created a GPO with Restricted Groups:
Group: DOMAIN\Local Admin
Member of: BUILTIN\Remote Desktop Users, BUILTIN\Administrators
So far so good, users get to do whatever they want with their computer...
I have a few problems with this setup:
* They can access other computers' C$; all users can basically do whatever they want to every computer on the network.
* When they create folders/files on our network share, the owner is set as "Administrators" (the network share is a Windows 2012 server).
q1: How do I make it so that the user only has these privileges on the machine that they are logged in to?
q2: How do I get it to display who created the files and folders on the fileserver?
All replies
-
> Created a group named "Local Admin" and then created a GPO with
> Restricted Groups:
> Group: DOMAIN\Local Admin
> Member of: BUILTIN\Remote Desktop Users, BUILTIN\Administrators

If you want your users to be a local admin only on the workstation they are currently logged in, you cannot use restricted groups - at least not "comfortably".

If you use GPP Local Users and Groups instead, you can do the following:

In a computer policy, clean out local administrators and add a global "Support group" to them.

In a user policy, add the current user (not a group!) to the local administrators, and do Item Level Targeting for "user is a member of a group" or whatever fits your needs.

> * When they create a folder/files on our network-share the owner is set
> as: "Administrators" (Networkshare is a windows 2012 server)

This is expected behavior.
Greetings/Grüße, Martin
How about reading a good book on GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
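
One way to check, on a single workstation, the local Administrators membership that the GPP setup in the reply above should produce. This is an added example and not part of the thread; the group names `DOMAIN\Support group` and `DOMAIN\Local Admin`, the function name and the sample members are assumptions to adapt.

```powershell
# Added example, not from the thread. The two group names are assumptions.
$SupportGroup = 'DOMAIN\Support group'   # global support group added by the computer policy
$BroadGroups  = @('DOMAIN\Local Admin')  # domain groups that should no longer be local admins

function Get-AdminMemberVerdict {
    param(
        [Parameter(Mandatory)] $Member,               # needs Name, ObjectClass, PrincipalSource
        [Parameter(Mandatory)] [string] $CurrentUser  # DOMAIN\user of the logged-on user
    )
    $name = [string]$Member.Name
    if ([string]$Member.PrincipalSource -eq 'Local') { return 'OK: local account' }
    if ($name -eq $SupportGroup)      { return 'OK: support group (computer policy)' }
    if ($name -eq $CurrentUser)       { return 'OK: logged-on user (user policy)' }
    if ($BroadGroups -contains $name) { return 'FINDING: every member of this domain group is admin here' }
    if ([string]$Member.ObjectClass -eq 'Group') { return 'REVIEW: unexpected domain group' }
    return 'REVIEW: domain user other than the one logged on'
}

if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    # Live data. S-1-5-32-544 is BUILTIN\Administrators whatever the OS language.
    # If the console runs under a different admin account, set $current by hand.
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
} else {
    # Constructed sample, used where the LocalAccounts cmdlets are unavailable.
    $current = 'DOMAIN\alice'
    $members = @(
        [pscustomobject]@{ Name = 'PC01\Administrator';   ObjectClass = 'User';  PrincipalSource = 'Local' }
        [pscustomobject]@{ Name = 'DOMAIN\Support group'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
        [pscustomobject]@{ Name = 'DOMAIN\alice';         ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
        [pscustomobject]@{ Name = 'DOMAIN\Local Admin';   ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
        [pscustomobject]@{ Name = 'DOMAIN\bob';           ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    )
}

$members | ForEach-Object {
    [pscustomobject]@{
        Member  = $_.Name
        Verdict = Get-AdminMemberVerdict -Member $_ -CurrentUser $current
    }
} | Format-Table -AutoSize
```

A `FINDING` row means the Restricted Groups arrangement from the question is still in effect on that machine; a `REVIEW` row for another domain user is typically an entry left behind by an earlier logon.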
> If you use GPP Local Users and Groups instead, you can do the following:
>
> In a computer policy, clean out local administrators and add a global
> "Support group" to them.
>
> In a user policy, add the current user (not a group!) to the local
> administrators, and do Item Level Targeting for "user is a member of a
> group" or whatever fits your needs.

Will this still display the owners of files and folders as "Administrators"?
-
> Will this still display the owners of files and folders as "Administrators?

Yes
Greetings/Grüße, Martin