
Need help ASAP in configuring rights for a special user

Hi all,
I am operating in a single domain in a single forest.  I have a user who does not need to be admin (in fact, he has created so many problems that we need to remove him as an admin, e.g. giving domain admin privileges to users so he can install their Palm Desktop software).
This may be simple for many of you, but for me as a newbie it has presented a challenge.  I need this information asap!  I have to configure rights for this user who needs to be able to do the following:

Add computers to domain (but not domain controllers or member servers)
Add printers to local machines
Account operator, but NOT for Administrators (He should be able to create/modify users but not be able to add admin privileges or take them away for anyone, including himself)
Do IIS management
Do Exchange management
Add/modify/delete folders on the server
Be an administrator on local machines

Many, many thanks in advance!!
Darla

Asked by: dmcwherter

2 Solutions
farpost Commented:
Add computers to domain (but not domain controllers or member servers)
 - Edit group policy: Computer Configuration -> Security Settings -> User Rights Assignment. Select 'Add workstations to domain' and add the user name.

Add printers to local machines
 - He will be able to add printers if he has administrator rights on the local machines. You can also add him to the domain-wide group 'Print Operators' so he will be able to manage printers (queues, priorities, etc.).

Account operator, but NOT for Administrators (He should be able to create/modify users but not be able to add admin privileges or take them away for anyone, including himself)
 - Add him to the domain-wide group 'Account Operators'.

Do IIS management
 - There is no way to delegate IIS administrator rights (as far as I know). You can run the IIS services under a specific user account; that will grant him full permissions.

Do Exchange management
 - For Exchange:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;168753

Add/modify/delete folders on the server
Be an administrator on local machines
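The group-membership and user-right steps from farpost's answer in scripted form, as an added example that is not part of the thread or of farpost's answer. It assumes the RSAT ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so it would not run on the 2003 DCs in this thread) and a placeholder account 'jdoe' in a placeholder domain CONTOSO; it is run as a Domain Admin on a domain controller.

```powershell
# Added example (not from the thread): apply the delegations farpost lists with the
# built-in groups, then show what the account ended up with. Assumes the ActiveDirectory
# module and a placeholder user 'jdoe'. Run as a Domain Admin on a domain controller.
Import-Module ActiveDirectory

$user = 'jdoe'   # placeholder sAMAccountName

# Account Operators: create/modify/delete users, groups and computers in ordinary OUs.
# Print Operators: manage printers and queues published in the domain.
Add-ADGroupMember -Identity 'Account Operators' -Members $user
Add-ADGroupMember -Identity 'Print Operators'   -Members $user

# 'Add workstations to domain' is the SeMachineAccountPrivilege user right on the DCs
# (Default Domain Controllers Policy). Export the rights in force on this DC and show
# who holds it. secedit writes principals as SIDs prefixed with '*', e.g. *S-1-5-11
# (Authenticated Users); the user, or a group he is in, should appear on this line.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content -Path $inf | Where-Object { $_ -match '^SeMachineAccountPrivilege' }

# Review the result against the groups he must NOT be in. Any hit here is a finding.
$mustNotHave = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Server Operators'
$groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
$groups
$groups | Where-Object { $mustNotHave -contains $_ } |
    ForEach-Object { Write-Warning "$user is still a member of $_" }

# Local admin on workstations: run on each workstation (or push it with a Restricted
# Groups GPO). Never run this on a DC, where Administrators is the domain's built-in group.
# net localgroup Administrators "CONTOSO\$user" /add
```

Two checks worth doing with the output: by default the Default Domain Controllers Policy grants 'Add workstations to domain' to Authenticated Users (any user may join up to ms-DS-MachineAccountQuota, 10, machines), so the right only restricts joining once that default is replaced by the named user or group; and the user right does not distinguish workstations from member servers, since any joined machine is just a computer object.
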
dmcwherter (Author) Commented:
Wow, thanks.  I tested all of these out for the domain and they appear to do what I want, with one exception.  With these settings, the user can still delete administrator accounts, although he cannot change the built-in administrator password.  What can I do to lock it down so he cannot change anything in a particular OU?  I have the admins all in an OU called Admins.

Thanks again,
Darla
Debsyl99 Commented:
Hi

Only on your OU for administrators (although this will work on any OU): right-click it, then click the Security tab. Highlight the groups one by one that this guy is now a member of, and click Advanced. You can then view special permissions for each group on this OU by clicking View/Edit; remove the various rights, i.e. to create user objects and delete user objects, computer objects, printer objects for Account Operators for this OU (when editing access permissions, always make thorough notes of the defaults and what changes you have made, so if you need to undo them at some point, you can easily).

Bear in mind though that this will affect the rights of any member of the group Account Operators on that OU; so long as Administrators still have full control you should be OK. I think that I would have created a security group for this chap, added him to it, and then set rights for this security group specific for him, but if what you've got works well then great,

Deb :))
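The permission edit Deb describes, done from PowerShell instead of the ADUC Security tab, as an added example that is not part of Deb's comment or the thread. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), a placeholder distinguished name 'OU=Admins,DC=example,DC=com' for the Admins OU, and that the Account Operators entries on the OU are the explicit (non-inherited) ACEs a new OU gets from the schema defaults. The CSV export is the written record of the defaults that the comment recommends keeping.

```powershell
# Added example (not from the thread): record, list and remove Account Operators'
# explicit rights on one OU. Assumes the ActiveDirectory module and a placeholder OU DN.
Import-Module ActiveDirectory

$ouDn   = 'OU=Admins,DC=example,DC=com'   # placeholder: the OU holding the admin accounts
$adPath = "AD:\$ouDn"
$backup = Join-Path $env:USERPROFILE 'Admins-OU-acl-before.csv'

$acl = Get-Acl -Path $adPath

# 1. Record the current DACL before changing anything (the undo record Deb asks for).
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Export-Csv -Path $backup -NoTypeInformation

# 2. List what Account Operators can do on this OU. ObjectType is the schema GUID of the
#    class a CreateChild/DeleteChild right applies to (user, group, computer, printQueue).
$aoAces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -like '*\Account Operators' -and -not $_.IsInherited })
$aoAces | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                       ObjectType, InheritanceType -AutoSize

# 3. Remove the explicit entries. Inherited ACEs (IsInherited = True) cannot be removed
#    here; they come from a parent container and must be changed there.
foreach ($ace in $aoAces) { [void]$acl.RemoveAccessRule($ace) }
Set-Acl -Path $adPath -AclObject $acl

# 4. Verify: no explicit Account Operators entry should remain on the OU (expect 0).
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference.Value -like '*\Account Operators' -and -not $_.IsInherited } |
    Measure-Object | Select-Object -ExpandProperty Count
```

This edits only the OU. Each user object inside it also carries its own DACL: ordinary user objects get the user class defaults, which include an entry for Account Operators, while accounts that are members of protected groups have theirs rewritten from AdminSDHolder (which has no Account Operators entry). Check a representative user object with Get-Acl -Path "AD:\CN=...,OU=Admins,..." after the change, and restore from the CSV if something that should work no longer does.
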
dmcwherter (Author) Commented:
Hi Deb,
Thanks, it's starting to make sense now.  Only one problem.  When I right-click on the OU there is no security tab, not even under properties.  Am I looking in the wrong place?  This is a Win 2K3 domain controller.  Sorry, should've said that up front.
Darla
Debsyl99 Commented:
Ah! What I've said will work for a 2k DC, obviously not a 2k3 server. Now I'm only starting to look at Win2k3 as I'm introducing it soon to our domain, and as of now I don't have access to the test server to check. What I do know is you can administer group policy via the GPMC on a 2k3 server, so maybe you need to look there; are you using that already? Have a good look through the following. I'll have a check tomorrow but will have to come back to you, if farpost hasn't by then,
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Deb :))
Debsyl99 Commented:
Meant to add: what I've said will work for a 2k DC using the Active Directory Users and Computers snap-in. The OU has to be a specific OU and not one of the default containers such as Users or Computers.
dmcwherter (Author) Commented:
Hi Deb,
Yes, only using Win 2K3 DCs at all our locations.  Just have always had trustworthy admins up to now.  This person isn't an employee, which makes it doubly hard.  Have to be able to give access without letting him mess things up.  Go figure . . . I'll look at what you sent.  Thanks,
Darla
Debsyl99 Commented:
Hi

Can you not just ban him from your premises????

Anyway, all you need to do to view the security options I described in Win2k3 server is: in Active Directory Users and Computers, click on the View menu, and make sure Advanced Features is ticked. You can then follow what I said, as you'll now be able to see the Security tab by right-clicking on an OU -> Properties -> Security. Just as I said before, be careful, and log carefully what you change (don't change Administrators). You could always have a look at the Delegation of Control wizard to delegate exactly what you need him to be able to do, just in case membership of the built-in groups like Account Operators doesn't do it.

Deb :))
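The alternative Deb raises, a dedicated security group holding only the rights this person needs on a non-admin OU, scripted as an added example that is not part of the thread. It is the PowerShell equivalent of the Delegation of Control wizard's "Create, delete, and manage user accounts" task. It assumes the RSAT ActiveDirectory module, PowerShell 5 or later for the ::new() syntax, and placeholder names: group 'Delegated-UserAdmins', user 'jdoe', a target OU 'OU=Staff,DC=example,DC=com' and a group OU 'OU=Groups,DC=example,DC=com'. Because the grant is scoped to the target OU, nothing in the Admins OU is touched.

```powershell
# Added example (not from the thread): delegate user management on one OU to a custom
# group instead of Account Operators. Assumes the ActiveDirectory module and placeholder names.
Import-Module ActiveDirectory

$targetOu = 'OU=Staff,DC=example,DC=com'    # placeholder: where he may manage users
$groupOu  = 'OU=Groups,DC=example,DC=com'   # placeholder: where the delegation group lives
$user     = 'jdoe'                          # placeholder

# 1. A dedicated group, so the grant can be reviewed and revoked as one unit.
$group = New-ADGroup -Name 'Delegated-UserAdmins' -GroupScope Global -GroupCategory Security `
                     -Path $groupOu -PassThru
Add-ADGroupMember -Identity $group -Members $user

# 2. Look up the schemaIDGUID of the 'user' class from the schema instead of hard-coding it.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq 'user' } -Properties schemaIDGUID
$userGuid  = [Guid]$userClass.schemaIDGUID

$sid = [System.Security.Principal.SecurityIdentifier]$group.SID
$acl = Get-Acl -Path "AD:\$targetOu"

# 3a. Create and delete 'user' objects in this OU and every OU beneath it.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# 3b. Full control over existing user objects, and only user objects, below this OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid))

Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# 4. Verify with the built-in tool: the two new entries should be listed for the group.
dsacls $targetOu | Select-String 'Delegated-UserAdmins'
```

Two properties make this safer than the built-in group: the rights exist only on the OU you chose, so the Admins OU and the built-in containers are unaffected, and the second ACE applies only to descendant objects of class user, so group memberships and computer objects in the same OU are out of reach. If an account that is a member of a protected group (Domain Admins, Administrators and the like) is ever moved into the target OU, AdminSDHolder disables inheritance on it, so the inherited full-control entry does not reach it; the DeleteChild right on the OU still would, which is why admin accounts belong in an OU outside the delegated scope.
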
dmcwherter (Author) Commented:
I would give anything if this guy would get fired, but working at a school, it's next to impossible for those kinds of things to happen, it seems.  My only alternative is to lock it down so he can't do any more damage.

I had totally forgotten about the advanced features on the view menu.  Works like a charm.  Many many thanks for everything.  I'm splitting the points, hopefully fairly (my first question so hopefully am being politically correct!).

Darla
Debsyl99 Commented:
No problem - points splitting is the fair option where you feel two or more people have assisted in providing a workable solution, so thanks, and glad to help,

Deb :))
