MarkMichael
asked on
Handing people the administrator account - no thanks!
Hi Experts
I would like you suggestions here.
I have an SBS Server ready for a customer, in fact more than one.
We have a contact on site that will do anything we ask them to do on the server for us. Knowing that a full administrator user will be able to do absolutely anything on the server, we do not want to give this person the account. However, changing/checking backup of our USB drives would need a person to click the 'Safely Remove Hardware' option for the USB device. So here, they need login previleges.
Also, I don't want to give them access to other users mailboxes. Simply put, the full administrator account will be able to add 'Mailbox Rights' to peoples mailboxes and give themselves full access with the administrator account. I don't like the fact that one person in the company would be able to do this.
What account level should I give a contact on-site to be able to perform login tasks, change/check backup?
What do you guys give your on-site contacts?
I would like you suggestions here.
I have an SBS Server ready for a customer, in fact more than one.
We have a contact on site that will do anything we ask them to do on the server for us. Knowing that a full administrator user will be able to do absolutely anything on the server, we do not want to give this person the account. However, changing/checking backup of our USB drives would need a person to click the 'Safely Remove Hardware' option for the USB device. So here, they need login previleges.
Also, I don't want to give them access to other users mailboxes. Simply put, the full administrator account will be able to add 'Mailbox Rights' to peoples mailboxes and give themselves full access with the administrator account. I don't like the fact that one person in the company would be able to do this.
What account level should I give a contact on-site to be able to perform login tasks, change/check backup?
What do you guys give your on-site contacts?
we dont give them any access! when removeable usb drives have been used, just tell them to turn the switch off on the hdd, then unplug. does no damage whatsoever and are designed for this. the plug new one in and switch on power. sorted.
ASKER
Considering this, there is an event added to the event log stating that there is an issue. Nothing critical but I'd rather keep these to a minimum.
The users still need to check the backup for issues too, so I still need them to login.
Is there an account with certain access rights, which will allow me to do this. E.g. taking away Exchange Admins group from this user perhaps?
The users still need to check the backup for issues too, so I still need them to login.
Is there an account with certain access rights, which will allow me to do this. E.g. taking away Exchange Admins group from this user perhaps?
as far as i can remember without checking the server, the only account that has accfess to modify exchange is the administrator. even a styandard account should have rights to stop usb device and check backup software as long as you provide a shortcut to the backup soft. you seem very nervous of this person, its best you dont give them any more than you have to, and make sure you have removed 'everyone' from security privelidges throughout server 2k3.
The user neads to be added to the local 'Backup Operators'-group to manage backup jobs and logon locally.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights
* Log on locally
* Backup files and directories
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights
* Log on locally
* Backup files and directories
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.