netadminsge asked on

How do you allow a user to see Computer Management details without being a local admin?

A developer needs to be able to see what files are open on the file server (Windows Server 2003) in real time. Previously and on other servers he has local admin rights which allows him to do this via the Computer Management console. We can't do the same thing on this server as making him the local admin will give him permission to user files that he isn't authorised to have access to. My goal is to somehow allow all the functionality of Computer Management but without admin access to any of the user files on the server.

Removing the local admin group's permission from the user files is not an option.

Perhaps some group or local policy?
Windows Server 2003

Last Comment
Net_Worker

8/22/2022 - Mon
Net_Worker

Yes, create a group policy and a group for this user to be the only member. Apply the policy to this group only. Through the GPO give access to the Computer Management MMC only. This should fix your problem.
ASKER
netadminsge

Ok I'll give that a try.

Any idea whereabouts the policy for enabling Computer Management rights is?
Net_Worker

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\
ASKER
netadminsge

Thanks, found it.

Is there any way to link the GPO to a single server? All my servers are currently in the same OU. I can link the GPO I created to the OU no worries but I don't really want the user to have that for all servers in the domain.
Net_Worker

Try linking to a group instead of the OU and place the user and server into that group. Unfortunately I can't test that from where I am, but I am fairly sure it will work.
ASKER
netadminsge

I've done as you have suggested and confirmed that the policy works. Btw, you can only link to an OU, but then apply a filter by group in the scope of the Group Policy.

Unfortunately the policies I've modified do not get the effect I'm looking for.
Here is what I've done.
Restricted to only allowed snap-ins
Allowed Computer Management
Allowed Shared Folders

This has the desired effect of allowing the user to connect to Computer Management and only see the Shared Folders section. But when the user tries to see Open Files or any of the others, they get "You Do Not Have Permission to see the List Of Open Files by Windows Clients"

So next question is - where do I look to enable permission?

ASKER CERTIFIED SOLUTION
Net_Worker

ASKER
netadminsge

Are you suggesting adding the user into some sort of "Power User" group?

Ok... I've added my group as local "Power Users" to the server I would like them to monitor. And it worked.

This solution should fit the requirements, as the main concern was that they do not have admin rights to the users' files stored on the server.

Thanks for your time.
ASKER
netadminsge

Excellent quick responses that helped point me in the right direction. Thanks for your help.
Net_Worker

You're welcome.