We have several W2K3 file & print servers maintained by our server team.
I am trying to follow least privileges principles and set up permissions for our account operators to have the minimum required rights on these servers to do their jobs. Done: 1. Create personal folders - No problem, NTFS rights on a folder for user drives solves this. 2. Set permissions on personal folders - No problem - Full rights for techs so they can set permissions. Problem: Create shares - As far as I can tell, only power users and administrators have the rights to create shares. I don't want the account operators to have the additional rights that come with the power user group. Bonus Problem: We have numerous drives holding different shares based on department and function. Giving the account operators rights to traverse through the root share on all non -system shares would ease their job. The ability to create a share using MMC and navigate through the root to the user share is just one example of this. I have not been able to find a way to effectively change the permissions on the root share (i.e. F$) without disabling all admin shares and creating more problems after a reboot or server service restart. Any help would be appreciated. Drew --------------------------------------------------------------------------- ---------------------------------------------------------------------------
