Solved

Creating Specific User Rights On Windows 2003 Server

Posted on 2005-03-28
Last Modified: 2012-05-05
I am in charge of 26 Windows servers at my company and they all go through a domain. I will be upgrading all of them to Windows Server 2003. How can I give specific rights to a user who logs on where they can only install software with services (since it will be PeopleSoft software), that can start and stop a service, but cannot shut down, reboot, delete, download, etc.? We had problems before where too many users had administrative rights and I need to REALLY restrict access to these servers. I am needing help immediately so any help would be greatly appreciated.

Michael
Question by:stryngz1
22 Comments
 
LVL 3

Accepted Solution

by: dlorenz earned 2000 total points
ID: 13647880
Most likely you will be wanting to look into Group Policy to manage the user restrictions (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx).

I don't think you will be able to accomplish all of your goals, though.  When you give a user rights to do certain things, then you may be forced to allow them to do things you did not want.  For instance, you say you don't want the user downloading, but you want them to be able to install software.  To be able to install software, they will need to have write permissions to at least the directory where you want them to install software.  This will give them the ability to download a file to that directory, since write permissions are all you really need.

Now, there are still more tricks which might get you around this.  You could, say, set an invalid proxy in Internet Explorer (via Group Policy of course) for that user, and not allow users the ability to change the setting, but then they would not be able to use IE at all.  They could, however, still use command line ftp to download something.  We don't even need to get into the challenge of allowing users write permissions to enough of the registry to allow them to install software, but not to change various settings you don't want them to have access to.

The point is, setting restrictions can be a complicated process, with lots of testing, and some compromises that will need to be made.  If anybody can tell you all the settings you need in one post, my hat's off to them.  Beyond that, group policy is the place you're going to need to start, and please use these boards to post specific road blocks you run into.

Author Comment

by:stryngz1
ID: 13647903
How about then just creating a user where they can only install software with services and be able to start and stop the service?  Would that be in the link you provided?  I am new to this so please excuse my ignorance.  
LVL 3

Expert Comment

by:dlorenz
ID: 13648095
Yes and no.  The link is Microsoft's starting point for working with Group Policy.  You can find some good resources on the general subject, and I'm sure other users could point you to additional resources.

As for controlling abilities to start and stop services, this article should specifically help you:

http://support.microsoft.com/kb/256345/EN-US/

As for the software installation, that can be tricky.  It really depends on how much you know in advance of what the software installer is going to do.  In general, to be able to install software, you need to be able to write to a directory on the hard drive, and create registry keys.  The directory is not that hard: you can tell your users always to install to a certain directory (like c:\program files) and give them full control of that and all sub-directories.  You would probably have to give write access to the Windows directory and sub-directories as well, as installers often like to place files there.

The registry is another animal.  It is often difficult to know (unless you have some control over it) where an installer will need to create or edit registry values.  You could (through Group Policy, as everything I'm talking about is) give the user control of the whole registry, and block their access to all control panel items.  A knowledgeable user would still be able to go into the registry to directly edit settings you didn't want them to mess with.

Again, I am sorry that I cannot give you more specific steps to do what you need.  Hopefully, the MS knowledgebase article will be helpful for starting and stopping services.  As for the rest of what you need to accomplish, pick up a good book on Active Directory with a good Group Policy section, or even a book on Group Policy itself.  It is something that takes time to get right, but can be very powerful when implemented properly.
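The KB article above controls start/stop per service through the service's security descriptor, which sc.exe shows and sets as an SDDL string. The following is an added example, not code from this thread or from Microsoft: it parses that SDDL, reports which principals can already stop the service, and appends an ACE carrying only operator rights (start, stop, pause, query) for one group, so a PeopleSoft operator can manage one service without being an administrator. The sample descriptor is the stock 2003-era service default and the group SID is a constructed placeholder.

```python
"""Grant one group start/stop rights on a single Windows service via SDDL.

`sc sdshow <svc>` prints the descriptor; `sc sdset <svc> <sddl>` writes one
back.  Pure string handling: run anywhere, apply the result on the server.
"""
import re

# Constructed sample: the stock service DACL on Windows Server 2003.
# SY=SYSTEM, BA=Builtin Administrators, IU=Interactive users,
# SU=Service logon; the S: part is the audit (SACL) entry for Everyone (WD).
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed placeholder SID for a domain group such as "PeopleSoft Ops".
OPERATOR_SID = "S-1-5-21-1000000000-2000000000-3000000000-1105"

# Service rights: CC query config, LC query status, SW enumerate dependents,
# RP start, WP stop, DT pause/continue, LO interrogate, CR control, RC read SD.
OPERATOR_RIGHTS = "CCLCSWRPWPDTLOCRRC"
DANGEROUS = {"SD", "WD", "WO", "DC"}  # delete, change DACL, take owner, reconfigure

_ACE = re.compile(r"\(([^)]*)\)")
_SD = re.compile(r"^D:(?P<flags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*)(?P<sacl>S:.*)?$")


def split_sddl(sddl):
    """Return (DACL flags, list of ACE bodies, SACL text or '')."""
    m = _SD.match(sddl)
    if not m:
        raise ValueError(f"not a service SDDL string: {sddl!r}")
    return m.group("flags"), _ACE.findall(m.group("dacl")), m.group("sacl") or ""


def parse_ace(ace):
    """'A;;CCLC;;;SY' -> {'type': 'A', 'rights': {'CC', 'LC'}, 'sid': 'SY'}."""
    parts = ace.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: {ace!r}")
    ace_type, _flags, rights, _obj, _inherit, sid = parts
    # Rights are two-letter tokens; a raw hex mask (0x...) is kept opaque.
    tokens = {rights} if rights.startswith("0x") else {
        rights[i:i + 2] for i in range(0, len(rights), 2)}
    return {"type": ace_type, "rights": tokens, "sid": sid}


def holders_of(sddl, right):
    """SIDs with an explicit allow ACE carrying `right` (e.g. 'WP' = stop)."""
    _, aces, _ = split_sddl(sddl)
    return sorted(a["sid"] for a in map(parse_ace, aces)
                  if a["type"] == "A" and right in a["rights"])


def grant_operator(sddl, sid):
    """Append a least-privilege allow ACE for `sid`; idempotent, keeps the SACL."""
    if sid in holders_of(sddl, "RP") and sid in holders_of(sddl, "WP"):
        return sddl
    flags, aces, sacl = split_sddl(sddl)
    aces.append(f"A;;{OPERATOR_RIGHTS};;;{sid}")
    return "D:" + flags + "".join(f"({a})" for a in aces) + sacl


def audit(sddl):
    """SIDs holding any right that lets them delete or reconfigure the service."""
    _, aces, _ = split_sddl(sddl)
    return sorted(a["sid"] for a in map(parse_ace, aces)
                  if a["type"] == "A" and a["rights"] & DANGEROUS)


if __name__ == "__main__":
    new = grant_operator(SAMPLE_SDDL, OPERATOR_SID)
    print("can stop:", holders_of(new, "WP"))      # SY, BA and the group
    print("can delete/reconfigure:", audit(new))   # still only BA
    print(f"sc sdset <service> {new}")
```

Run `audit` on the descriptor again after any change: the operator group should appear under `holders_of(..., "WP")` but never in the `audit` list.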
LVL 23

Expert Comment

by:sciwriter
ID: 13648308
If going to 2003 -- you should do this ONLY when 2003 is installed.  Use the opportunity to make NEW USER GROUPS -- as in 90% of environments, the user groups are faulty anyway.  Make a new group ONLY associated with this privilege (or restriction) -- and remember, ANY USER can belong to more than one group -- i.e. additive privileges.  So this new group -- ALONE -- will have access to this program directory, software, share or install.

You set the rules, but make them EXCLUSIONARY -- no one but a member of this group (and Admin) has these privileges.  Now, whatever login you create anew, if they are part of this group, they can do it; if not, they can't.

Does that solve the need?

Author Comment

by:stryngz1
ID: 13653803
Ok, I have a correction to make.  After discussing with my company this morning in a meeting and other IT, we don't want to set restrictions at the domain level since not all restrictions will apply to all servers.  So I will need to set restrictions locally.  So what I am needing to do (if possible) is set restrictions so a user can install software with services and start and stop that service.  Is it possible to only have access to one service or will they need access to all services?  We have been experimenting with "run as" but don't think that will work since they can run as administrator in pretty much anything.  At the same time I am writing this I am vigorously researching to find what we need.  The Group Policy I don't think will work since it is at the domain level.  In a nutshell I only want users to have access to what they are responsible for and nothing more.  For example, a user who is in charge of PeopleSoft should only have access to PeopleSoft and its services.  If I could add more points I would, but I believe the maximum is 500.  Any info would be greatly appreciated.
LVL 3

Expert Comment

by:dlorenz
ID: 13654143
On the group policy note, set just those servers into their own OU (organizational unit) and apply the special policy just to those servers or users.  In fact, a lot of what you are talking about deals with user policies and not machine policies, so you could also just set those users (or a special set of user accounts or a group) into their own OU.  Group Policy is designed to allow different configuration for different machines.  There are an infinite number of ways to set up the structure.

You could create a special local user account, and adjust the privileges of that account, but remember that you will now have to maintain 26 separate accounts for 26 servers.  That is why domains are used, so that you only have to maintain one set of accounts, and they can be used across an organization.

You could also create a local group with special privileges, and add the user's domain account to that group.  That way, you can maintain the individual accounts centrally.  However, you would still be stuck adjusting privileges on 26 local groups.
LVL 3

Expert Comment

by:dlorenz
ID: 13654321
If you do want to proceed with managing the settings locally, you can do this in Administrative Tools under Local Security Policy.  I do not do local restriction very often, so someone else may be able to point you to other ways to restrict a user via local machine settings.  It looks like you can also use group policy on a single machine when in a workgroup setting (please, any other experts, correct me if I'm wrong on this).  See these articles (the first is about XP but the basics should apply to Server 2003):

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/customize_with_gp.mspx
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B325351

Also, some more information on setting software restrictions:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B324036

Good Luck.

Author Comment

by:stryngz1
ID: 13655265
Thanks for all of your help dlorenz.  Guess I will just have to read up on group policy and see if we can use that.  I am not familiar with group policy at all so any help would be appreciated in setting it up.  I was hoping that there was a faster, simpler way to handle this since I am under the gun, but since group policy seems to be the way to go, guess they will have to wait on me then, lol.  Again thanks for your help and I'll let you know if I was successful in achieving what I wanted.

Author Comment

by:stryngz1
ID: 13657432
hey dlorenz, I have started restricting rights and started learning the group policy thing but I have one question: how do I implement my changes?  Just for testing purposes I created an OU called "Test" and moved a group in there with one user.  I also moved the server in there.  I tried enabling the cannot see "map a network drive" within the OU under the user configuration, but when I go to the server and log on as the user it still shows.  I also clicked the "No Override" under the options in the group policy tab under "Test" properties.  Do I need to activate it in any way?  I am beginning to understand this policy a little better but to actually implement my changes is where I am stuck.  I will keep on working at it but I just wanted to ask just in case it was a quicker response.  Thanks

Michael
LVL 3

Expert Comment

by:dlorenz
ID: 13657783
You should find Group Policy Management under Administrative tools.  If not, from a computer on the domain:

-Click Start >> Run and type in "mmc".
-Go to File >> Add/Remove snap-in
-Click Add
-Select Group Policy Management and click Add, then OK

Drop down Forest >> Domains >> Proper Domain >> and right click on the test OU

From there you either want Link an existing GPO or Create and link a new GPO.  You can try using Link an existing GPO and see if you can see the GPO you created, or Create and link a new GPO to start from scratch.  You must have GPOedit installed on the machine you are working on to use the create new features.

Author Comment

by:stryngz1
ID: 13663466
Thanks dlorenz, I was able to implement my changes without installing GPMC, however I had to add the user to the OU.  Is it possible to just implement these changes into a group or does it specifically have to be a user?  We have over 8000 users and they are in specific groups and we would prefer not having to move all of the users into the OU so it would be much easier and less time consuming if we could just implement the restrictions per group instead of per user.  Thanks
LVL 3

Expert Comment

by:dlorenz
ID: 13663938
You can only link a policy to a Domain or OU.  I have not tested this, but I believe that you could place all the users in question into a group, and just place that group into the OU for which you have linked your policy.  Keep in mind, though, any policies specified under the "User Configuration" of the GPO you linked to the OU will apply to users in that OU regardless of what machine they log on to (including machines which are not in that OU).  Settings applied to the "Computer Configuration" of your GPO linked to your OU will be applied to all machines in the OU, but have no effect when the user logs on to a computer outside that OU.

Confusing enough?  Group Policy has always seemed a bit illogical to me.

Author Comment

by:stryngz1
ID: 13663991
That is what I did.  I created a group and placed 2 test users in the group.  I then added the group to the OU and enabled some restrictions for test purposes.  But when I log in using one of the users it doesn't implement it; it only works when I put the user into the OU, which is not what we are wanting.  And as for the computer configuration, so no matter what we set the computer to, the user configuration overrides that when you log on as a user in the OU?
LVL 3

Expert Comment

by:dlorenz
ID: 13664291
Sorry, this turned into a long response.  Make sure you read the last paragraph though as I think the solution might work for you.  The rest is just informational.

You can place both computers and users into OUs.  Every setting under "Computer Configuration" in a GPO applies to computers that are placed in the OU where the GPO is linked.  It doesn't matter what user logs in, those settings will be in effect.

Every setting under "User Configuration" applies to users that are placed in the OU where the GPO is linked.  No matter what computer they log into, they will get those settings.  "Computer Configuration" and "User Configuration" are, for the most part, different sets of settings.

Most of the settings under "User Configuration" are things that can be set per user, like can they access the control panel or is Proxy turned on in Internet Explorer or what wallpaper is used.  These are all settings which, regardless of whether you set them through Group Policy or not, CAN be set differently for each user that logs into a given machine.

Most of the settings under "Machine Configuration" are things that apply to every user who logs onto a machine.  Things like NTFS File Permissions or can a user connect to this machine using Remote Desktop.  These are all things which when changed, whether changed through Group Policy or not, will affect every user who logs in.

I have seen some settings which seem to conflict, but have never run into a situation where I've had to set both.  I honestly am not sure which setting would take precedence in this situation.

I did think of another way you can tackle your OU problem.  You can use security filtering when applying a GPO to an OU.  In group policy management, navigate to your TEST OU and select the linked GPO under it.  In the right pane under the scope tab, take a look at the security filtering setting.  You can link a GPO to an OU, but then say it applies only to these specific groups or users.  You should also note that you can apply multiple GPOs to a single OU, and set their order of precedence.
LVL 15

Expert Comment

by:Naser Gabaj
ID: 13664325
If you have a few services and programs you want them to be able to run, I would suggest a different way to solve the issue: let those users run those specific services and programs using a RUNAS VBS script, then encode the files and ask them to run them whenever they need to.  The script will be something like this, i.e.

runas /user:ADMINISTRATOR@YOURDOMAIN Program

Here are more details
----------------------------------------------------------------------

RUNAS VBS file and conversion to VBE encoded
In between the (((((((()))))))))'s, copy the following script into a text file.  Rename it to .VBS (do not copy the (())'s)
(((((((()))))))))
Option Explicit
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
' Replace the path with the program you wish to run c:\ etc...
oShell.Run "runas /noprofile /user:administrator ""C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"""
WScript.Sleep 100
' Replace the string yourpassword~ below with the password used on your system. Include the tilde
oShell.SendKeys "yourpassword~"
WScript.Quit
(((((((()))))))))
The above script will use RunAs to open Microsoft Word as the local administrator.  Replace the path to WinWord with the path to a program of your choosing to open that program as the local admin.  Replace yourpassword with the password of the local admin; remember to leave the tilde at the end of the password.  When SendKeys sees the tilde ( ~ ) it means Return, or Enter.
We often like to have users open IE as a guest user (rather, a user in the Guests group on the local machine)
(((((((()))))))))
Option Explicit
Dim oShell
Set oShell = WScript.CreateObject("WScript.Shell")
' Replace the path with the program you wish to run c:\ etc...
oShell.Run "runas /noprofile /user:guest101 ""C:\Program Files\Internet Explorer\iexplore.exe"""
WScript.Sleep 100
' Replace the string GueSTPASs~ below with the password used on your system. Include the tilde
oShell.SendKeys "GueSTPASs~"
WScript.Quit
(((((((()))))))))
Once you've tested the vbs file (you can open a command prompt and type "cscript /nologo c:\ie.vbs" or double-click the vbs file), you will probably want to encode it so that the passwords are hidden from the casual user.  These are encoded files, not encrypted.  There is a big difference.  Encoded files can be decoded very easily, but it's beyond most casual users' ability.
To encode:
(download the http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en )
and to encode it, open a command prompt and type:
screnc /l vbscript ie.vbs ie.vbe (the ie.vbs is the plain-text version, and the ie.vbe is the filename of the encoded version)
That's really all there is to it!  You can double-click the vbe file or have it run from the cmd prompt using cscript

Let me know

Regards

Naser

Author Comment

by:stryngz1
ID: 13664734
My dilemma is that we have a folder in Active Directory called Users that all of our users are in.  Group policy seems to want the user inside the OU instead of the group the user is a part of.  We really don't want to do that since our users' passwords, login ids, etc. are linked with LDAP.  In order for us to move all of the users into an OU folder we would have to go back and reset everything that points to the Users folder from LDAP to the OU folder.  Just as long as the user is part of the group that is in the OU, then the user doesn't have to be in the OU also, right?  If the user has to be in an OU folder I'm not sure if this is going to work for me.  I only want the group in the OU folder and to associate users with that group, but I don't want to move the users from their current folder.
LVL 3

Expert Comment

by:dlorenz
ID: 13665850
You can link a policy at the domain level rather than the OU level, and use the Security Filter feature to only apply that policy to your selected group.  

I would think that putting the group in an OU would work, but as you indicated you had a problem with that.  Please note that it may require a full reboot in order to get the end-user computer to see policy changes.

Author Comment

by:stryngz1
ID: 13666640
Yeah, apparently you can't just create a group inside an OU and just have your users a member of that group.  You actually have to have your users in the OU group too.  I would think that just adding the group inside the OU would work.  This is going to be rough since I have over 7000 users.  Can anyone else verify this or is there a way to just put a group into an OU without the users and it works?
LVL 3

Expert Comment

by:dlorenz
ID: 13666943
stryngz1

A couple of questions to help me understand where you're at:

-Are you also indicating that linking the OU at the domain level and using security filtering did not work, or are you just worried that might get a little messy (it might)?
-At this point, do you have a GPO you are happy with and just need a way to implement it to the right users?

I'm also curious to see if anyone has more information on this Group in an OU scenario.  If you find anything out outside of EE on that topic, please post it.

Thanks

Author Comment

by:stryngz1
ID: 13666992
yeah, we are very worried it could get messy at the domain level.  That's what we were thinking of doing but we would have to be VERY VERY careful, that's why I didn't want to do that until we exhausted our options.  We seem to understand how it works as far as implementing the restrictions, our problem is it doesn't work unless you physically have the user inside the OU.  It seems not to care if the group is in there, just the user.

Author Comment

by:stryngz1
ID: 13673887
hey dlorenz, I found this article within the discussion group:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20680039.html?query=ou+users&clearTAFilter=true

Guess you can't use groups, only users.  I appreciate your help

Author Comment

by:stryngz1
ID: 13676074
CORRECTION!!!!  All you have to do is make sure the group that the user is a member of is set to the primary group in the user's properties.  I actually deleted all groups except for the one that I wanted the user associated with and it worked.  Thanks again for everyone's help.