Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 238
  • Last Modified:

Delegating admin permissions in SBS2003

We have three servers, one running Small Business Server 2003, and two running Server 2003 Standard SP2 (one for files, CRM, and as an additional DC,  the other for web development and a few other things.

We want to be able to grant certain users admin access to pretty much everything on the two Server 2003 machines, and some programs (e.g. DNS server) on the SBS machine, without giving them access to administer the domain.  

The brief from management is that we want to make sure that these users will not have access to certain files on the servers - and of course if they have admin rights it's possible for them to reset permissions.

I'm not sure about the best way to go about this - I've had a go at something similar in the past but it just ends up with the users not being able to do what they need to do!
0
David Haycox
Asked:
David Haycox
  • 3
  • 2
  • 2
3 Solutions
 
Toni UranjekConsultant/TrainerCommented:
Hi!

If you can make a sort of list what should users be able to do I might be able to help.

Toni
0
 
ocon827679Commented:
Create a local group on the server and a global on the domain.  Place the users in the global and the global in the local.  (MS best practice)

Add the local group to only those file resources that you want them to have access to.  If you must Deny them access to the files that management doesn't want them to see.  (Test this first as "deny" can really screw things up if you're not careful.)  You can place the global group in the DNS Admins group to allow them to administer DNS without giving them domain administrator priviledge.  
0
 
David HaycoxAuthor Commented:
toniur, here's your shortlist of what these users should be able to do:

1. Log on locally or by remote desktop to any of our servers
2. Administer SQL and CRM on the CRM server
3. Administer anything local on the web development server
4. Administer DNS on the domain
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
ocon827679Commented:
You can give the group permissions to do all of these things that you've listed.  Log on locally can be granted in group policy or the local security policy, administer SQL and CRM is a permission that can be granted within the respective applications as is applying the group to be admins of the web site(s).
0
 
Toni UranjekConsultant/TrainerCommented:
To add to "ocon827679":

3. Anything local on web development server - local Administrators group. You can not administer IIS fully unless you are member of Administrators group.

0
 
ocon827679Commented:
Really - I didn't know that.  Thanks!
0
 
David HaycoxAuthor Commented:
toniur is right - in IIS (version 6 at least) I discovered that you need full Administrator access.  So I wasn't able to achieve everything I wanted, but most of it.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now