Okay, so here's the scenario.
I want some of our helpdesk users to be able to create and manage subfolders on one of our server shares WITHOUT giving them the rights or necessity to log in to the server. Now, whilst I can manage most of the NTFS permissions (they need to be able to see the root of the share and be able to create folders and assign rights on the subfolders they create), the bit I can't get is the ability to change ownership of a subfolder to another user. I keep getting "This security ID may not be assigned as the owner of this object". I've modified the local security policy for local policies/user rights assignment --> "Take ownership of files or other objects" to the relevant domain group but it doesn't work.
I can get around this by making the domain group a member of the server's local Administrators group, but this was pretty much what I was trying to avoid since membership of the local Administrators group gives so many other privileges.
Any ideas? (Disabling UAC etc. is not what I'm looking for; I want to tighten security, not abandon it.)
Pete