I am looking for a way to make a read-only account that will have the ability to scan all files on a server. I have thought of a few ways to do this, but most require some degree of scripting to ensure that the account is granted read-only access to each individual file. One of the current recommendations is to add an account to the backup-operators, but this would allow the account to power off systems (which is not preferred). Does anybody have a good idea on how read-only account to be created and deployed to pre-existing servers as needed?

Hi, Thanks for posting in Microsoft TechNet forums. As far as I know, scripting is the best way to perform such task. We can also seek help regarding scripts from our script forum: http://social.technet.microsoft.com/Forums/en-US/ITCG/ Have a nice day. Regards Kevin

I have actually found a solution that appears to be acceptable. The Group Policy settings have a user "Backup files and Directories" right that gives an account the ability to read all files and traverse all directories, but not the ability to write, modify, delete or power down the domain. Because it is a group policy setting, there is no need for scripting permissions. I have tested this on three different servers and its worked across the board to date.

Thanks for sharing your solution. :)