How to automatically assign administrative rights for all DFS replication groups in a domain on a computer that is running Windows Server 2003 R2 or Windows Vista (920728)


The information in this article applies to:

  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Vista Beta 2 English (United States)

Beta Information

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location where you downloaded the release.

INTRODUCTION

This article describes how to automatically assign administrative rights for all Distributed File System (DFS) replication groups in a domain on a computer that is running Microsoft Windows Server 2003 R2 or Microsoft Windows Vista.

MORE INFORMATION

Currently, for every replication group that is created, a domain administrator or a user account that has the appropriate rights may assign administrative rights for the replication group.

The replication group configuration layout in the Active Directory directory service includes the DFSR-GlobalSettings object and the DFSR-LocalSettings object. The DFSR-GlobalSettings object contains the definition of the replication group, the topology of the replication group, and the replicated folders. The DFSR-GlobalSettings object is located under the System object. The DFSR-LocalSettings object describes the membership of a computer in a specific replicated folder. The DFSR-LocalSettings object is located under the computer object of the computer that is involved in the replication.

To grant a user administrative rights for a replication group, follow these steps:
  1. Grant the user full access to the replication group object and to the child objects of the replication group object.
  2. Grant the user full access to the DFS replication objects under each computer object for all computers that are members of the replication group.
DFS replication can replicate data from one computer to another computer. A user who can configure DFS replication on a specific computer is typically the local administrator of that computer. To automatically assign administrative rights for DFS replication groups, a user must be the local administrator for all the member computers in the replication group.

To automatically assign administrative rights for all DFS replication groups in a domain, follow these steps:
  1. Add an access control entry on the DFSR-GlobalSettings object for each user or for each group that is an administrator of the replication group. (An access control entry is a permission entry in a discretionary access control list.) This step gives the user full access to all replication group-related objects, but does not let the user create replication groups.

    Note The access control entry must give full access to the user and must apply only to child objects.
  2. Make each user the local administrator of each computer that is a member of a replication group.
Modification Type:MinorLast Reviewed:9/22/2006
Keywords:kbhowto KB920728 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.