Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

users need to get remote desktop access rights  to domain controller computer without administrator rights

Posted on 2007-11-22
6
Medium Priority
?
7,394 Views
Last Modified: 2013-11-21
I have single windows 2003 standard in the company.
the server is used as domain controller, software dev and file server.
in the file server each worker has his own folder with security/ sharing  rights just for him (and backup user).
some developers needs access to the server, e.g. to restart IIS, to terminate shared files sessions and so on
i want to give those developers terminal service access but when i add them to the remote desktop group the server does not allow them to log in remotely (they are  member of domain users, remote users)
when i add those developers to administrators group they are able to login through remote desktop but they can also change file server folders security = read whatever they want which i can't allow.

In simple words - i need to give some users the abilty to remotely connect and operate most actions on the server but without the abiltiy to change security rights on some folders (and without the ability to give themselves the right to do so...)

thanks.
0
Comment
Question by:pinkman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20334882
This is what you need.
http://support.microsoft.com/kb/234237/

Applies to both 2000 and 2003 DCs.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Comment

by:pinkman
ID: 20342028
it did not work
when domain user is a member of remote desktop users group and, as pointed in the above link, added to the scurity policy "allow log on locally" - he cannot log through remote desktop to the server that runs the Domain controller.
however the "server operators" builtin group can access through remote desktop without permissions to change security for files and folders it does not have rights on - this solves my concern regarding the file server.
i want to give my developers group the abilty to do all actions in the IIS - no success so far.
they were granted for all operations on the proper services - now they can start and stop the smtp service, ftp and www but fail to restart the IIS service ("IIS Admin Service") and i cannot grant them to view and change web sites. any ideas how to do it?
0
 
LVL 3

Assisted Solution

by:l84work
l84work earned 300 total points
ID: 20345083
You can use this work around.  

Create a .cmd or .bat file with the commands to restart the IISADMIN service using the SC command.
Set up a on-demand "scheduled task" to run the .cmd/.bat file with a saved administrator id/password.

Your devleopers can simply run the task to restart the IISADMIN service.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 450 total points
ID: 20347843
Just some food for thought - by allowing non-administrators to TS into a Domain Controller, you are making it fairly trivial for those users (or the next piece of malware that they download to their machine without realizing it) to compromise your DC, as you are granting a sensitive permission (log on locally) to an even more sensitive machine (your domain controller.)

As a security best-practice, I leave my DCs to do nothing but be DCs; if I need to run file & print, IIS, whatever, it goes on another box to avoid situations like the one you're describing.
0
 

Author Closing Comment

by:pinkman
ID: 31410565
to I84work for the creative idea, to LauraEHunterMVP because i took the advice and dedictaed a server just for DC and file server and my developers can go wild now:)
0
 
LVL 1

Expert Comment

by:RedAdvanced
ID: 24147233
I did use this setup in my domain, and I found the first comment the best solution.
Of course I do agree with LauraEHunter about allowing non-admin user to a DC, but as some environments are very small, this still is a option. I allowed the users and setup a policy which is very strict and the users cannot do anything on the DC so there is no harm.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question