Allow user to change permissions on a folder, but not remove/change Domain Admins access

active-directory file-permissions file-sharing

We're a small college, and I have one file share for an athletics team that I want to turn over to the coach. We don't track or have a group for athletic team members in Active Directory, and the coach wants to exclude certain people from certain sub-folders, so I want the coach to be able to add/remove accounts for his team directly in the security tab of the folder on his own. He knows enough and is tech-savvy enough to be able to handle this.

What I don't want him to be able to do is add/remove any of the administration groups or special accounts: SYSTEM, Network Services (the folder is used with a web app), Domain Admins, AthleticDeptAdmin, etc.

Is it possible for me to give him access to change some of the security options without giving access to remove those other permissions?

Best Answer

This is easy. As an example: make a sub folder called "Soccer" and make a matching group. Then delegate the ability for someone in athletics to add or remove users to the Soccer security group. As long as the Soccer group has sufficient access on the NTFS ACL for the Soccer folder, they won't need to touch file permissions at all.

People in the Soccer group will be able to see the Soccer sub folder.

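The procedure in the answer above, as an added PowerShell example that is not part of the original answer. The domain `EXAMPLE`, the OU, the coach account and the folder path are hypothetical placeholders; it assumes the ActiveDirectory module and `dsacls` are available and that it is run by a domain administrator.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$GroupName  = 'Soccer'                            # group matching the sub folder
$GroupOU    = 'OU=Athletics,DC=example,DC=edu'    # assumed OU for the group
$Coach      = 'EXAMPLE\coach'                     # assumed account of the delegate
$FolderPath = 'D:\Shares\Athletics\Soccer'        # assumed path of the sub folder

# 1. Create the sub folder and the matching security group.
New-Item -ItemType Directory -Path $FolderPath -Force | Out-Null
New-ADGroup -Name $GroupName -SamAccountName $GroupName `
    -GroupScope Global -GroupCategory Security -Path $GroupOU

# 2. Delegate membership management only: grant the coach write access to the
#    group's 'member' attribute and nothing else on the group object.
$GroupDN = (Get-ADGroup -Identity $GroupName).DistinguishedName
dsacls $GroupDN /G "${Coach}:WP;member" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $GroupDN" }

# 3. Give the group Modify on the folder. Modify does not include
#    ChangePermissions or TakeOwnership, so the existing entries for SYSTEM,
#    Domain Admins and the other administrative accounts cannot be edited.
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "EXAMPLE\$GroupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Check: list every identity that is allowed to rewrite the folder's ACL.
#    Only the administrative groups and accounts should appear here.
$aclRights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $aclRights) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```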