Security requirements for setting up and managing DFS Replication

Applies To: Windows Server 2003 R2

The following table describes the groups that can perform basic DFS Replication tasks by default and the method for delegating the ability to perform these tasks.

Task: Create a replication group or enable DFS Replication on a folder that has folder targets
  Users or groups that can perform this task by default: Domain Admins group in the domain where the replication group will be created.
  Delegation method: Right-click the Replication node in the console tree, and then click Delegate Management Permissions.

Task: Administer a replication group
  Users or groups that can perform this task by default: Domain Admins group in the domain where the replication group is configured, or the creator of the replication group.
  Delegation method: Right-click the replication group in the console tree, and then click Delegate Management Permissions.

Task: Add a server to a replication group (1, 2)
  Users or groups that can perform this task by default: If the server is a member server, the user must be a member of the local Administrators group of the server to add. If the server is a domain controller, the user must be a member of the Domain Admins group in the domain where the server is located.
  Delegation method: Add the user to the local Administrators group of the member server to add, or add the user to the Domain Admins group of the domain controller to add.

(1) Assumes that the user has been delegated the ability to administer the replication group.

(2) The server to be added must be online.

If you plan to delegate the ability to create and administer replication groups, note the following two important considerations:

  • If you delegate to a user or group the ability to create replication groups, and you later remove the user or group from the delegation list, there is no change to the security settings on existing replication groups.

  • If you delegate to a user or group the ability to administer a specific replication group, and you later remove the user or group from the delegation list, there is no change to the security settings on any existing configuration data. For example, if the user who is being removed had created a connection in the replication group, then the user would still have permissions to edit that connection because the user is the owner of the Active Directory object that contains the configuration information for the connection.
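Because removing a principal from the delegation list does not touch the ACLs or ownership of existing DFS Replication objects, it is worth auditing those objects directly. The following PowerShell script is an added example, not part of the original page or of any Microsoft tool; it assumes the ActiveDirectory module is available and that the replication group and connection objects (classes msDFSR-ReplicationGroup and msDFSR-Connection) are stored under CN=DFSR-GlobalSettings,CN=System in the domain partition, and it reports any object whose owner, or any explicit allow ACE, refers to a principal outside the usual administrative set.

```powershell
# Added audit example (not from the original page). Assumes the ActiveDirectory
# PowerShell module and that DFS Replication configuration objects live under
# CN=DFSR-GlobalSettings,CN=System in the domain naming context.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$dfsrBase     = "CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"
$domainAdmins = "$($domain.NetBIOSName)\Domain Admins"

# Principals that normally appear on these objects and are not delegation leftovers.
$expected = @(
    $domainAdmins,
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Replication group and connection objects are where creator ownership lingers
# after a user is removed from the delegation list.
$objects = Get-ADObject -SearchBase $dfsrBase -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=msDFSR-ReplicationGroup)(objectClass=msDFSR-Connection))'

$findings = foreach ($obj in $objects) {
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)

    # Owner check: the creator keeps ownership (and therefore edit rights) even
    # after being removed from the delegation list.
    $owner = $acl.Owner.ToString()
    if ($expected -notcontains $owner) {
        [pscustomobject]@{ Object = $obj.DistinguishedName; Kind = 'Owner'; Principal = $owner; Rights = 'Owner' }
    }

    # Explicit (non-inherited) allow ACEs granted to principals outside the expected set.
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited -and $ace.AccessControlType -eq 'Allow' -and
            $expected -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Object = $obj.DistinguishedName; Kind = 'ExplicitACE';
                               Principal = $ace.IdentityReference.Value; Rights = $ace.ActiveDirectoryRights }
        }
    }
}

$findings | Sort-Object Object, Kind | Format-Table -AutoSize
```

Each reported principal is one to review: if it was removed from delegation but still owns a connection object, ownership must be reassigned and the explicit ACE removed by hand, since the console does not do that for you.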
