Solved

REstricting Access to the Server - For administrators

Posted on 2006-11-14
5
223 Views
Last Modified: 2012-03-15
Hi all,

I have a site that has a guy on it that up to now was looking after IT. Due to some difficulties we are taking away his abiliites to work on the server but we still want him to be able to do everything on the pc's such as join domain setup printers install software etc.

So basically I am looking for the best way to stop him logging into the server either at console or remote desktop and also prevent him from managing the server from another machine - but at the same time allow him to manage the pc's without a problem.

Windows 2003 is the OS

Thanks

Michael
0
Comment
Question by:mickinoz2005
5 Comments
 
LVL 9

Accepted Solution

by:
trenes earned 84 total points
ID: 17941221
Hi mickinoz2005,

Nice article from Sams.
http://www.samspublishing.com/articles/article.asp?p=98126&seqNum=5&rl=1

I think the best way is to delegate permissions through OU's in your situation. (If no other domains, sites etc)
But read the article and make your own choice.

Cheers!
regards,

Trenes
0
 
LVL 5

Assisted Solution

by:dynamitedotorg
dynamitedotorg earned 83 total points
ID: 17941312
The way I do it is to create a group for workstation admins. This has no particular privileges at all so doesn't allow the user to do anything to AD or a server. However using Group Policy you can automatically make it a member of the local administrators group on each PC thereby giving any member of that group full administrative rights on the PC.

You need to ensure that you only apply that group policy to the machines you want the users to administer, and keep it well away from any that you want to keep them off (e.g. the servers).

The only thing that that won't do is allow him to add machines to the domain. IIRC a normal user can add a certain number of machines anyway, but judicious use of delegation within AD (as outlined above) will sort that out.
0
 
LVL 2

Assisted Solution

by:thelastoftheend
thelastoftheend earned 83 total points
ID: 17942246
I agree with dynamitedotorg - remove this user from any domain admin groups and make him a member of a group which belongs to the local Administrators group on client machines only, applied via Group Policy.

To do this, open your Group Policy and locate the "Restricted Groups" node underneath "Computer Configuration-->Windows Settings-->Security Settings". Right-click and select "Add Group". Type Administrators as the name of the group - this implies the local Administrators group on any computer this is applied to. Click "Add members". Be sure to include "Administrator" and yourdomain\Domain Admins". This policy overwrites any current local Administrators group membership.  Here's a decent description of how to use the policy: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html.

In addition, I would do the following on the server:

1. Browse to "Administrative Tools --> Local Security Settings" (or if its a domain controller, "Administrative Tools-->Domain Controller Security Policy"). Drill down to "Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->User Rights Assignment".

2. Locate "Deny Logon Locally" and add the user to this right.

3. Locate "Deny Logon through Terminal Services" and add the user to this right.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Does AD authentification usually generate a lot of traffic ? 4 40
home drive migration 16 74
why user can't see mapped share folder 8 42
search on network drive not working 4 48
by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now