A place for info I've learnt in IT & stuff. (I get a little kick back from affiliate ads & links, just so you are aware)


So you are in a domain environment and you have a share on a local PC. You set up the permissions on that share so only you can get to it, and you may have even hidden the share.

You support other users, and on their machine you type the share path in the Run box to try and get to your share.


But instead of the interactive login box appearing so you can put in the login details of your admin account that has access to that share, you get Access is denied.

So with the help of Jody this was the fix (although still looking for another fix that makes the login box always appear, which in most cases it doesn’t).

As the share has now been added to Net Use even though you were given Access is denied, you need to delete it first, so go to a cmd prompt and type:

net use /d \\a2222\hidden$


net use x: \\a2222\hidden$ /user:DOMAINNAME\adminaccount *

The * is important as it then forces it to ask you for the password.

This will then map an X share in the user’s account while they are logged in.

You’ll then be able to go to this or just type \\a2222\hidden$ in the run field.

Try to remember to disconnect the X share after you finish, or they’ll still have it when they log in next. This shouldn’t be a security issue, because if they click on it after logging off and on again, they’ll be prompted for a user name and password, and of course they don’t have permissions to the share. But remember: if you leave the X share connected and walk away, they’ll have access to that share until they log off.
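The script below is an added example, not part of the original post. It wraps the two net use commands above so the mapping is not restored at the next logon and is always disconnected when you finish. The share, drive letter and account are the post's sample values, and the variable names are made up for this example.

```powershell
# Added example: run in a PowerShell console on the user's machine.
# Sample values from the post; replace with your own.
$Share   = '\\a2222\hidden$'
$Drive   = 'X:'
$Account = 'DOMAINNAME\adminaccount'

# Drop the connection cached by the earlier "Access is denied" attempt.
# An error here only means nothing was cached, so it is silenced.
net use $Share /delete /y 2>$null | Out-Null

# "*" makes net use prompt for the password, so it is never typed on the
# command line. /persistent:no stops Windows restoring the mapping when
# the user next logs on.
net use $Drive $Share "/user:$Account" * /persistent:no
if ($LASTEXITCODE -ne 0) {
    throw "Mapping $Share failed (net use exit code $LASTEXITCODE)"
}

try {
    Write-Host "Mapped $Drive to $Share. Do the support work now."
    Read-Host 'Press Enter when finished to disconnect' | Out-Null
}
finally {
    # Runs on normal completion, on error and on Ctrl+C, so the admin
    # connection is not left behind in the user's session.
    net use $Drive /delete /y | Out-Null
    net use $Share /delete /y 2>$null | Out-Null
}

# Check that nothing is left connected for the logged-on user.
$left = net use | Select-String -SimpleMatch $Share
if ($left) {
    Write-Warning "Still connected: $left"
} else {
    Write-Host 'No connection to the share remains.'
}
```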

Leave a comment please if you know of another way to fix this so the Interactive login box pops up every time, that’s the true fix I want.

Domain Local Groups (These used to be plain Local groups).

Think of domain local groups as great hosts: literally anyone can be a member. Users, Global groups, Universal groups, even computers can join a domain local group. Local groups are bad travellers and only operate in their own domain.

Best practice is to use local groups to assign permissions to resources like databases and printers.

Global Groups

These are great travellers, they can wander the entire Forest. The key point is that global groups are poor hosts and can only contain members from their own domain.

Best practice is to make the global group your default group and, for starters, make a group to represent each of your departments.

Universal Groups

Another question for you: why is the radio button for creating a Universal group sometimes greyed out? The answer is that when the domain is in mixed mode you cannot create universal groups (NT 4.0 BDCs would not understand them). You need to ‘raise domain level’ to Windows 2000 native before you benefit from universal groups. Think of universal groups as the ultimate container for nesting groups. They are good hosts and great travellers.

Best practice is to make it a rule to only include global groups inside Universal groups, no individual groups.

Global Catalog Implications

As you would expect, domain local and global groups are listed in the global catalog, however the individual members are not listed. So changes in global group membership have zero impact on global catalog replication traffic.

Universal groups, on the other hand, are not only listed in the global catalog; their individual users or nested groups are listed too. Now you can see that adding users to a universal group will generate replication traffic. That is why Guy says only put global groups inside universal groups: the individual members inside the global groups are not replicated.

In Windows 2000, one change of membership to a universal group causes the whole list to be replicated. Thankfully that changed in Server 2003: now only incremental changes are replicated, not the whole list.
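To check an existing domain against the "only global groups inside universal groups" practice, the following added example (not from the original post) lists every direct member of a universal group that is not a global group. It assumes the ActiveDirectory PowerShell module (RSAT), read access to the directory and members that live in the current domain; the function name is made up for this example.

```powershell
# Added example: audit direct membership of universal groups.
Import-Module ActiveDirectory

function Get-UniversalGroupDirectMember {
    # Emits one row per direct member of a universal group that is a user,
    # a computer, or a group of any scope other than Global.
    $universalGroups = Get-ADGroup -Filter 'GroupScope -eq "Universal"'
    foreach ($group in $universalGroups) {
        foreach ($member in Get-ADGroupMember -Identity $group) {
            $scope = $null
            if ($member.objectClass -eq 'group') {
                $scope = (Get-ADGroup -Identity $member.distinguishedName).GroupScope
                if ($scope -eq 'Global') { continue }   # the recommended nesting
            }
            [pscustomobject]@{
                UniversalGroup = $group.Name
                Member         = $member.SamAccountName
                MemberClass    = $member.objectClass
                MemberScope    = $scope
            }
        }
    }
}

$findings = @(Get-UniversalGroupDirectMember)
$findings | Sort-Object UniversalGroup, Member | Format-Table -AutoSize
'{0} direct member(s) that are not global groups' -f $findings.Count
```

Each row is a membership that is stored in the global catalog itself, so changing it generates the replication traffic described above.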

“Send on Behalf Of” allows one user to be able to send emails on behalf of another. The message will show the recipient who the message was sent on behalf of and who actually sent the message.
There are two ways of granting “Send on Behalf Of”:
• via Outlook, allowing a user to grant others to send on their behalf
• via Active Directory Users and Computers, which can be performed by system managers only

Grant Send on Behalf of via Outlook

This procedure will allow you to grant other users the ability to send on your behalf:
1. Start Outlook
2. Tools → Options, select the “Delegates” tab
3. Click on [Add …]
4. Add the user or users that you want to grant the send-on-behalf-of permission to, then click [OK]
5. The next window will allow you to specify which permissions you are granting. To allow send-on-behalf-of, you need to grant permissions on the “Inbox” to either “Author” or “Editor”, then click [OK]
6. Click [OK] to close the “Options” dialog.
• The above has been demonstrated to work when using Outlook 2003, but not with Outlook 2000 connected to an Exchange 2003 server (I have not had time to identify why).
• See also “How to send a message on behalf of another”

Grant Send on Behalf of via Active Directory Users and Computers

This procedure will allow system managers to grant users the ability to send on the behalf of other users:
1. Log onto the server running Exchange.
2. Run Active Directory Users and Computers.
3. Find the user’s account that you want to be able to send on behalf of, and open up the account properties.
4. Select the “Exchange General” tab.
5. Click [Delivery Options…]
6. Click [Add …] and add the user (or users) that are to be granted permission to send on behalf of this account.
7. Click [OK] to close the “Delivery Options” dialog.
8. Click [OK] to close the account properties dialog.
See also “How to send a message on behalf of another”.

How to Send a Message on Behalf of Another

To send an email on behalf of another (assuming you have been granted the necessary send-on-behalf-of privilege):
1. Start Outlook.
2. Go to your Inbox.
3. Click [New] to start a new mail message.
4. If the message does not show a “From” field then pull down the “View” menu and check “From Field”.
Note: I have noticed that if you have Outlook set to use Microsoft Word then the “From Field” does not appear in the “View” menu. The workaround is to clear the option to use Word (Outlook → Tools → Options → Mail Format → Use Microsoft Office Word 2003 to edit e-mail messages). You will then be able to show the From field, and this remains even if you re-select to use Word to edit emails.
5. Click [From…] and select the account that you wish to send an email on behalf of.
6. Compose the email as normal.
• When you try to send the email you will get an error if you have not been granted the necessary send-on-behalf-of permission.
• To the recipient the email will show both the true author and who it was sent on behalf of.


Someone’s mailbox is full. Go into their Outlook via your PC by giving yourself permissions to their mailbox. But if their e-mails aren’t showing, turn off mailbox cache and try again.

Check permissions on the PST file. This issue was simply that READ ONLY was set on the file, disallowing it to load despite the permissions set.

PST Issue

Permissions Table