Re: changing ACL/owner of local group



You are correct: when a PU creates a group, they, as creator, become owner of the group. You can use subinacl to modify the group ACL; see the /samobject switch.


http://www.microsoft.com/downloads/details.aspx?FamilyId=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en




--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Gregory L Priem wrote:
Administrators have full privileges for groups local to a computer,
but power users appear to be able to modify only the local groups
which they themselves have created.

I would like to allow people in the power users group on the target
system to be able to create local groups [on the target system] which
they can then apply to files/folders/etc. on that target system. This
is fine and good until the person changes job function and a different
person needs to manage the local group on the remote system. Since
they are only a power user, they cannot manage the group's membership.
My assumption is that there is an ACL or owner setting for the local
group which says 'only allow administrators or the creator of the
group to modify the group'.

I pretty much drew a blank looking for documentation on how to even
get a hold of the ACL/owner of a local group, which I imagine would be
the first step in my quest.

So.. does anyone have any pointers as to how to access and modify the
ACL/owner information for local groups?

