Solved

Need help ASAP in configuring rights for a special user

Posted on 2004-10-23
Last Modified: 2013-12-04
Hi all,
I am operating in a single domain in a single forest.  I have a user who does not need to be admin (in fact, he has created so many problems that we need to remove him as an admin, e.g. giving domain admin privileges to users so he can install their Palm Desktop software).
This may be simple for many of you, but for me as a newbie it has presented a challenge.  I need this information asap!  I have to configure rights for this user who needs to be able to do the following:

Add computers to domain (but not domain controllers or member servers)
Add printers to local machines
Account operator, but NOT for Administrators (He should be able to create/modify users but not be able to add admin privileges or take them away for anyone, including himself)
Do IIS management
Do Exchange management
Add/modify/delete folders on the server
Be an administrator on local machines

Many, many thanks in advance!!
Darla

Question by:dmcwherter
10 Comments
 
LVL 3

Assisted Solution

by: farpost
farpost earned 1400 total points
ID: 12390830
Add computers to domain (but not domain controllers or member servers)
 - Edit group policy: Computer Configuration -> Security Settings -> User Rights Assignment. Select 'Add workstation to domain' and add the user name.

Add printers to local machines
 - He will be able to add printers if he has administrator rights on local machines. You can also add him to the domain-wide group 'Print Operators' so he will be able to manage printers (queues, priorities, etc.).

Account operator, but NOT for Administrators (He should be able to create/modify users but not be able to add admin privileges or take them away for anyone, including himself)
 - add him to the domain-wide group 'Account Operators'

Do IIS management
 - There is no way to delegate IIS administrator rights (as far as I know). You can run the IIS services under a specific user account; it will grant him full permissions.

Do Exchange management
 - for Exchange:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;168753

Add/modify/delete folders on the server
Be an administrator on local machines
0
 

Author Comment

by: dmcwherter
ID: 12394066
Wow, thanks.  I tested all of these out for the domain and they appear to do what I want, with one exception.  With these settings, the user can still delete administrator accounts, although he cannot change the built-in administrator password.  What can I do to lock it down so he cannot change anything in a particular OU?  I have the admins all in an OU called Admins.

Thanks again,
Darla
0
 
LVL 20

Accepted Solution

by: Debsyl99
Debsyl99 earned 600 total points
ID: 12394199
Hi

Only on your OU for administrators (although this will work on any OU), right-click it, then click the Security tab. Highlight the groups one by one that this guy is now a member of, and click Advanced. You can then view the special permissions for each group on this OU by clicking View/Edit; remove the various rights, i.e. to create user objects and delete user objects, computer objects, printer objects for Account Operators for this OU (when editing access permissions, always make thorough notes of the defaults and what changes you have made, so if you need to undo them at some point, you can easily). Bear in mind though that this will affect the rights of any member of the group Account Operators on that OU; so long as Administrators still have full control you should be OK. I think that I would have created a security group for this chap, added him to it, and then set rights for this security group specific for him, but if what you've got works well then great.

Deb :))
0
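The same edit Deb describes in the Security tab, scripted so the defaults get recorded before anything changes. This is an added example, not from the thread: it assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT, which did not exist for this 2003-era question) and uses a placeholder distinguished name for the Admins OU.

```powershell
# Added example: back up, list and remove the explicit ACEs that Account Operators
# hold on the Admins OU. Assumes the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

$ouDN   = 'OU=Admins,DC=example,DC=com'   # placeholder: your Admins OU
$group  = 'Account Operators'
$backup = "$env:TEMP\Admins-OU-acl-$(Get-Date -Format yyyyMMdd-HHmmss).txt"

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Record the defaults before touching anything ("make thorough notes").
$acl.Access |
    Format-List IdentityReference, ActiveDirectoryRights, AccessControlType,
                ObjectType, InheritedObjectType, IsInherited |
    Out-File -FilePath $backup
Write-Host "Current ACL saved to $backup"

# 2. Find the ACEs granted to Account Operators on this OU. Only explicit
#    (non-inherited) entries can be removed here; inherited ones belong to a parent.
$aces = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$group" -and -not $_.IsInherited
}
if (-not $aces) { Write-Host "No explicit ACEs for '$group' on $ouDN"; return }

$aces | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                     ObjectType -AutoSize

# 3. Remove them. Drop -WhatIf once the list above is what you expect;
#    Administrators keep their own explicit Full Control entry.
foreach ($ace in $aces) { $null = $acl.RemoveAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl -WhatIf
```

Deleting a user is allowed by either Delete Child on the OU or Delete on the user object itself, so check the individual objects as well; accounts in protected groups have their ACL reset from AdminSDHolder, which does not grant Account Operators anything.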
 

Author Comment

by: dmcwherter
ID: 12394254
Hi Deb,
Thanks, it's starting to make sense now.  Only one problem.  When I right-click on the OU there is no security tab, not even under properties.  Am I looking in the wrong place?  This is a Win 2K3 domain controller.  Sorry, should've said that up front.
Darla
0
 
LVL 20

Expert Comment

by: Debsyl99
ID: 12394360
Ah! What I've said will work for a 2k DC, obviously not a 2k3 server. Now I'm only starting to look at Win2k3 as I'm introducing it soon to our domain, and as of now I don't have access to the test server to check. What I do know is you can administer group policy via the GPMC on a 2k3 server, so maybe you need to look there. Are you using that already? Have a good look through the following. I'll have a check tomorrow but will have to come back to you, if farpost hasn't by then.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Deb :))
0
 
LVL 20

Expert Comment

by: Debsyl99
ID: 12394368
Meant to add: what I've said will work for a 2k DC using the Active Directory Users and Computers snap-in. The OU has to be a specific OU and not one of the default containers such as Users or Computers.
0
 

Author Comment

by: dmcwherter
ID: 12394488
Hi Deb,
Yes, only using Win 2K3 DCs at all our locations.  Just have always had trustworthy admins up to now.  This person isn't an employee, so that makes it doubly hard.  Have to be able to give access without letting him mess things up.  Go figure...  I'll look at what you sent.  Thanks,
Darla
0
 
LVL 20

Expert Comment

by: Debsyl99
ID: 12399695
Hi

Can you not just ban him from your premises????

Anyway, all you need to do to view the security options I described in Win2k3 server is: in Active Directory Users and Computers, click on the View menu and make sure Advanced Features is ticked. You can then follow what I said, as you'll now be able to see the Security tab by right-clicking on an OU -> Properties -> Security. Just as I said before, be careful, and log carefully what you change (don't change Administrators). You could always have a look at the Delegation of Control wizard to delegate exactly what you need him to be able to do, just in case membership of the built-in groups like Account Operators doesn't do it.

Deb :))
0
 

Author Comment

by: dmcwherter
ID: 12401452
I would give anything if this guy would get fired, but working at a school, it's next to impossible for those kinds of things to happen, it seems.  My only alternative is to lock it down so he can do any more damage.

I had totally forgotten about the advanced features on the view menu.  Works like a charm.  Many many thanks for everything.  I'm splitting the points, hopefully fairly (my first question so hopefully am being politically correct!).

Darla
0
 
LVL 20

Expert Comment

by: Debsyl99
ID: 12401501
No problem. Points splitting is the fair option where you feel two or more people have assisted in providing a workable solution, so thanks, and glad to help.

Deb :))
0
