Windows Server 2003
--
Questions
--
Followers
Top Experts
users need to get remote desktop access rights to domain controller computer without administrator rights
I have single windows 2003 standard in the company.
the server is used as domain controller, software dev and file server.
in the file server each worker has his own folder with security/ sharing rights just for him (and backup user).
some developers needs access to the server, e.g. to restart IIS, to terminate shared files sessions and so on
i want to give those developers terminal service access but when i add them to the remote desktop group the server does not allow them to log in remotely (they are member of domain users, remote users)
when i add those developers to administrators group they are able to login through remote desktop but they can also change file server folders security = read whatever they want which i can't allow.
In simple words - i need to give some users the abilty to remotely connect and operate most actions on the server but without the abiltiy to change security rights on some folders (and without the ability to give themselves the right to do so...)
thanks.
the server is used as domain controller, software dev and file server.
in the file server each worker has his own folder with security/ sharing rights just for him (and backup user).
some developers needs access to the server, e.g. to restart IIS, to terminate shared files sessions and so on
i want to give those developers terminal service access but when i add them to the remote desktop group the server does not allow them to log in remotely (they are member of domain users, remote users)
when i add those developers to administrators group they are able to login through remote desktop but they can also change file server folders security = read whatever they want which i can't allow.
In simple words - i need to give some users the abilty to remotely connect and operate most actions on the server but without the abiltiy to change security rights on some folders (and without the ability to give themselves the right to do so...)
thanks.
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
This is what you need.
http://support.microsoft.com/kb/234237/
Applies to both 2000 and 2003 DCs.
Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
http://support.microsoft.com/kb/234237/
Applies to both 2000 and 2003 DCs.
Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
it did not work
when domain user is a member of remote desktop users group and, as pointed in the above link, added to the scurity policy "allow log on locally" - he cannot log through remote desktop to the server that runs the Domain controller.
however the "server operators" builtin group can access through remote desktop without permissions to change security for files and folders it does not have rights on - this solves my concern regarding the file server.
i want to give my developers group the abilty to do all actions in the IIS - no success so far.
they were granted for all operations on the proper services - now they can start and stop the smtp service, ftp and www but fail to restart the IIS service ("IIS Admin Service") and i cannot grant them to view and change web sites. any ideas how to do it?
when domain user is a member of remote desktop users group and, as pointed in the above link, added to the scurity policy "allow log on locally" - he cannot log through remote desktop to the server that runs the Domain controller.
however the "server operators" builtin group can access through remote desktop without permissions to change security for files and folders it does not have rights on - this solves my concern regarding the file server.
i want to give my developers group the abilty to do all actions in the IIS - no success so far.
they were granted for all operations on the proper services - now they can start and stop the smtp service, ftp and www but fail to restart the IIS service ("IIS Admin Service") and i cannot grant them to view and change web sites. any ideas how to do it?
SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
to I84work for the creative idea, to LauraEHunterMVP because i took the advice and dedictaed a server just for DC and file server and my developers can go wild now:)
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
I did use this setup in my domain, and I found the first comment the best solution.
Of course I do agree with LauraEHunter about allowing non-admin user to a DC, but as some environments are very small, this still is a option. I allowed the users and setup a policy which is very strict and the users cannot do anything on the DC so there is no harm.
Of course I do agree with LauraEHunter about allowing non-admin user to a DC, but as some environments are very small, this still is a option. I allowed the users and setup a policy which is very strict and the users cannot do anything on the DC so there is no harm.
Windows Server 2003
--
Questions
--
Followers
Top Experts
Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).