I have a restricted user that needs to be able to use various net commands which at a minimum should include the "net file" command. If he opens up computer management and expands out Shared Folders then he sees the options for Shares, Sessions, and Open Files. What he needs access to is the "Open Files" option (which is the same as running "net file" from a command prompt) but he gets an access denied error when he tries to either view this folder or run the command from a command prompt.What is the least amount of rights that need to be granted in order for him to be able to perform these functions? At least two of the servers he will need to do this on are domain controllers if that matters.I haven't been able to find how to delegate authority to just the "net" command, as we are also getting the same error when he does net use and/or attempts to look at the open Shares or Sessions in the computer management MMC.Thanks!

Hi, You can use the utility Tweak UI to delegate the permission: 1. Log on to the Servers by using an account that has administrative permissions. Backup the system state by using NTBackup. 2. Download the Tweak UI from http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx 3. Double-click the TweakUiPowertoySetup.exe file, and then follow the steps in the wizard. 4. After you install the Tweak UI tool, click Start, point to All Programs, click Powertoys for Windows XP, and then click Tweak UI 5. In the Tweak UI dialog box, click Access Control. 6. In the right-pane, select the following items in the list under Access Control, click Change, add the user and delegate Full Control permission to the user: (1). Manage file and printing sharing. (2). Manage file/print server connections. (3). Manage file server open files. (4). Manage file/print server sessions. (5). Manage administrative shares. (6). Manage file shares. (7). Manage printer shares. 7. After that, restart the Server. More Information: How to prevent members of the Power Users group from creating network shares on Windows 2000 or later Windows operating systems http://support.microsoft.com/kb/823288 Hope it helps.

Some of the servers that require this are Windows 2000, so tweakUI isn't an option for those (the version for W2k doesn't have an Access Control tab).Since TweakUI is just a front end to make these changes, what exactly can I do on the back end for the same results?

Hi, The rights and default settings are stored in binary blob in the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity SrvsvcConfigInfo SrvsvcTransportEnum SrvsvcConnection SrvsvcServerDiskEnum SrvsvcFile SrvsvcSessionInfo SrvsvcShareFileInfo SrvsvcSharePrintInfo SrvsvcShareAdminInfo SrvsvcShareConnect SrvsvcShareAdminConnect SrvsvcStatisticsInfo These are all REG_BINARY and not human-readable. Therefore, I am afraid that we cannot change the rights directly in the registry. However, as the KB article described, you can make the security changes that you want on a Windows Server 2003-based computer or on a Windows XP-based computer. To do this, export the changed settings to a .reg file and then import the new registry settings on a Windows 2000-based computer. For the detailed steps, refer to the KB article http://support.microsoft.com/kb/823288

What about Windows Server 2008 ?TIA.