Solved

Need help ASAP in configuring rights for a special user

Posted on 2004-10-23
184 Views
Last Modified: 2013-12-04
Hi all,
I am operating in a single domain in a single forest.  I have a user who does not need to be admin (in fact, he has created so many problems that we need to remove him as an admin, i.e. giving domain admin privileges to users so he can install their Palm Desktop software).
This may be simple for many of you, but for me as a newbie it has presented a challenge.  I need this information asap!  I have to configure rights for this user who needs to be able to do the following:

Add computers to domain (but not domain controllers or member servers)
Add printers to local machines
Account operator, but NOT for Administrators (He should be able to create/modify users but not be able to add admin privileges or take them away for anyone, including himself)
Do IIS management
Do Exchange management
Add/modify/delete folders on the server
Be an administrator on local machines

Many, many thanks in advance!!
Darla

Question by:dmcwherter
    10 Comments

    Assisted Solution

    by:farpost
    Add computers to domain (but not domain controllers or member servers)
     - Edit group policy : computer configuration, -> Security Settings, -> User rights assignment. Select 'Add workstation to domain' and add user name.

    Add printers to local machines
    - He will be able to add printers if he has administrator rights on local machines. You can also add him to the domain-wide group 'Print Operators' so he will be able to manage printers (queues, priorities, etc.).

    Account operator, but NOT for Administrators (He should be able to create/modify users but not be able to add admin privileges or take them away for anyone, including himself)
    - add him to the domain-wide group 'Account Operators'

    Do IIS management
    - There is no way to delegate IIS administrator rights (as far as I know). You can run the IIS services under a specific user account; that will grant him full permissions.
    Do Exchange management
     - for exchange:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;168753

    Add/modify/delete folders on the server
    Be an administrator on local machines

    Author Comment

    by:dmcwherter
    Wow, thanks.  I tested all of these out for the domain and they appear to do what I want, with one exception.  With these settings, the user can still delete administrator accounts, although he cannot change the built-in administrator password.  What can I do to lock it down so he cannot change anything in a particular OU?  I have the admins all in an OU called Admins.

    Thanks again,
    Darla

    Accepted Solution

    by:
    Hi

    Only on your OU for administrators (although this will work on any OU), right-click it, then click the Security tab. Highlight the groups one by one that this guy is now a member of, and click Advanced. You can then view special permissions for each group on this OU by clicking View/Edit - remove the various rights, i.e. to create user objects and delete user objects, computer objects, printer objects for Account Operators for this OU (when editing access permissions, always make thorough notes of the defaults and what changes you have made, so if you need to undo them at some point, you can easily). Bear in mind though that this will affect the rights of any member of the group Account Operators on that OU - so long as Administrators still have full control you should be OK. I think that I would have created a security group for this chap, added him to it, and then set rights for this security group specific for him, but if what you've got works well then great,

    Deb :))

    Author Comment

    by:dmcwherter
    Hi Deb,
    Thanks, it's starting to make sense now.  Only one problem.  When I right-click on the OU there is no security tab, not even under properties.  Am I looking in the wrong place?  This is a Win 2K3 domain controller.  Sorry, should've said that up front.
    Darla

    Expert Comment

    by:Debsyl99
    Ah! - What I've said will work for a 2k DC, obviously not a 2k3 server. Now I'm only starting to look at Win2k3 as I'm introducing it soon to our domain, and as of now I don't have access to the test server to check. What I do know is you can administer group policy via the GPMC on a 2k3 server - so maybe you need to look there - are you using that already? Have a good look through the following. I'll have a check tomorrow but will have to come back to you, if farpost hasn't by then,
    Enterprise Management with the Group Policy Management Console
    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

    Deb :))

    Expert Comment

    by:Debsyl99
    Meant to add - What I've said will work for a 2k DC using the Active Directory Users and Computers snap-in - The OU has to be a specific OU and not one of the default containers such as Users or Computers.

    Author Comment

    by:dmcwherter
    Hi Deb,
    Yes, only using Win 2K3 DCs at all our locations.  Just have always had trustworthy admins up to now.  This person isn't an employee, so it makes it doubly hard.  Have to be able to give access without letting him mess things up.  Go figure... I'll look at what you sent.  Thanks,
    Darla

    Expert Comment

    by:Debsyl99
    Hi

    Can you not just ban him from your premises????

    Anyway - all you need to do to view the security options I described in Win2k3 server is - In Active Directory Users and Computers - click on the View menu, and make sure Advanced Features is ticked. You can then follow what I said, as you'll now be able to see the Security tab by right-clicking on an OU - Properties - Security - just as I said before, be careful, and log carefully what you change (don't change Administrators). You could always have a look at the Delegation of Control wizard to delegate exactly what you need him to be able to do, just in case membership of the built-in groups like Account Operators doesn't do it.

    Deb :))
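As an added example (not from this thread or its participants), the following PowerShell audit checks the point Deb makes above: after the OU's ACL has been edited, does any group the delegated user belongs to still hold an ACE on the Admins OU that lets him create, delete or take control of objects there? It assumes the ActiveDirectory PowerShell module (which postdates the Win2k3-era tools in this thread) and uses placeholder names for the OU and the user.

```powershell
# Added audit script; assumes the ActiveDirectory module and placeholder names below.
Import-Module ActiveDirectory

$ouDn    = 'OU=Admins,DC=example,DC=com'   # placeholder: the OU that holds admin accounts
$userSam = 'contractor1'                    # placeholder: the delegated (non-admin) user

# Schema GUIDs that scope CreateChild/DeleteChild ACEs to one object class
$classGuids = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
}

# 1. Resolve every group the user is in, nested membership included, from tokenGroups
#    (the SID list a DC actually evaluates, so Account Operators nested via another
#    group is caught too). Well-known SIDs that are not AD groups are skipped.
$user   = Get-ADUser -Identity $userSam -Properties tokenGroups
$groups = foreach ($sid in $user.tokenGroups) {
    $g = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
    if ($g) { $g.Name }
}

# 2. Read the OU's DACL and keep Allow ACEs granted to any of those groups that
#    permit creating/deleting child objects or taking over the OU outright
$acl  = Get-Acl -Path "AD:\$ouDn"
$hits = foreach ($ace in $acl.Access) {
    $grantee = $ace.IdentityReference.Value.Split('\')[-1]   # "BUILTIN\Account Operators" -> name
    if ($ace.AccessControlType -ne 'Allow' -or $groups -notcontains $grantee) { continue }
    $rights = $ace.ActiveDirectoryRights.ToString()
    if ($rights -notmatch 'CreateChild|DeleteChild|GenericAll|WriteDacl|WriteOwner') { continue }
    $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'all object types' }
             elseif ($classGuids.ContainsKey($ace.ObjectType.Guid)) { $classGuids[$ace.ObjectType.Guid] }
             else { $ace.ObjectType.Guid }
    [pscustomobject]@{ Group = $grantee; Rights = $rights; Scope = $scope; Inherited = $ace.IsInherited }
}

# 3. Report. Inherited = True means the ACE comes from a parent and must be blocked
#    or removed higher up, not on this OU alone.
if ($hits) {
    "$userSam can still create/delete or take control of objects in $ouDn via:"
    $hits | Format-Table -AutoSize
} else {
    "No Allow ACE on $ouDn grants $userSam create/delete or control rights through group membership."
}
```

Run it before and after editing the OU's permissions; an empty result after the change confirms the lock-down described above actually took effect for this user's group memberships.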

    Author Comment

    by:dmcwherter
    I would give anything if this guy would get fired, but working at a school, it's next to impossible for those kinds of things to happen, it seems.  My only alternative is to lock it down so he can't do any more damage.

    I had totally forgotten about the advanced features on the view menu.  Works like a charm.  Many many thanks for everything.  I'm splitting the points, hopefully fairly (my first question so hopefully am being politically correct!).

    Darla

    Expert Comment

    by:Debsyl99
    No problem - points splitting is the fair option where you feel two or more people have assisted in providing a workable solution, so thanks, and glad to help,

    Deb :))