[Bruinaholic]

I am trying to get use to active directory to I have begun fooling around with it. What I am trying to do is add a user in AD users and computers which I did under users. I called it user1. I then want to set up an organizational unit to limit the user to only have read permissions and test it. How do I go about doing this please? I appreciate any help.

[Advertisements]

With server 2000 & AD you tend to set permissions on the folders / programs as to who can access them and what access they have.

[peterm]

With server 2000 & AD you tend to set permissions on the folders / programs as to who can access them and what access they have.

[dsenette]

also...OU's (organizational units) are just that...units for organizations...you cannot assign permissions to OU's...you can assign group policy to them...but this doesn't effect file permissions...file permissions are easiest to control by making security groups within the AD structure for each required level of access...i.e you would make a group named accounting for the accounting department and one named purchasing for the purchasing department....then you would assign permissions in such a way that the purchasing group doesn't have access to accounting and the accounting group doesn't have access to purchasing etc...


p.s. i LOVE active directory...it's one of the funnest things i've ever worked with...can be easy or complex...depending on what you're doing

[Bruinaholic]

Ok guys, like I said previously I am just fooling around but this is what I did so far. I have a domain called stooges. I created a group called accounting and added user10, user20 and user30 to it. I am trying to delegate control for accounting. This is what I've done so far I select "create a custom task to delegate", select next. select "only the following objects in the folder", select "group objects", select next. Under permissions I select "read", click next, click finish. I set this up just to see if I can edit a file and hoping it won't let me.

When I try to log on I get the following "the local policy of this system doesn't permit you to logon interactively" when I try logging in as user10. Why is this and how do I fix this so I can logon as user10, please? I appreciate any help.

[dsenette]

ah...you're trying to log on to the SERVER as one of these users? that's not gonna work...well...without some modifications....by default in AD you can only log on to a domain controller as a member of the domain admins group...if you were logging on to another client machine that was joined to the domain...then the story would be different....for a user to be able to log on to the domain controller (like physically on that computer) you need to change the domain controller policies (start > programs > administrative tools > domain controller security policy) to state that these users can log on locally

[Bruinaholic]

So if I want to control the way people or groups certain rights on a domain I have to use domain controller security policy or domain security policy. What is the purpose of AD then, please in 2000 server?

[Bruinaholic]

ah...you're trying to log on to the SERVER as one of these users? that's not gonna work...well...without some modifications....by default in AD you can only log on to a domain controller as a member of the domain admins group...if you were logging on to another client machine that was joined to the domain...then the story would be different....for a user to be able to log on to the domain controller (like physically on that computer) you need to change the domain controller policies (start > programs > administrative tools > domain controller security policy) to state that these users can log on locally

I did what you said to do but when I try logging on locally I still get "the local policy of this system doesn't permit you to logon interactively" How do I fix this please?

TIA

[Bruinaholic]

bump

[Bruinaholic]

bump

[dsenette]

please don't bump your topics...it's kind of annoying....