Link to home
Start Free TrialLog in
Avatar of MarkMichael
MarkMichael

asked on

Handing people the administrator account - no thanks!

Hi Experts

I would like you suggestions here.

I have an SBS Server ready for a customer, in fact more than one.

We have a contact on site that will do anything we ask them to do on the server for us. Knowing that a full administrator user will be able to do absolutely anything on the server, we do not want to give this person the account. However, changing/checking backup of our USB drives would need a person to click the 'Safely Remove Hardware' option for the USB device. So here, they need login previleges.

Also, I don't want to give them access to other users mailboxes. Simply put, the full administrator account will be able to add 'Mailbox Rights' to peoples mailboxes and give themselves full access with the administrator account. I don't like the fact that one person in the company would be able to do this.

What account level should I give a contact on-site to be able to perform login tasks, change/check backup?
What do you guys give your on-site contacts?
Avatar of polo_boy
polo_boy

we dont give them any access! when removeable usb drives have been used, just tell them to turn the switch off on the hdd, then unplug. does no damage whatsoever and are designed for this. the plug new one in and switch on power. sorted.
Avatar of MarkMichael

ASKER

Considering this, there is an event added to the event log stating that there is an issue. Nothing critical but I'd rather keep these to a minimum.

The users still need to check the backup for issues too, so I still need them to login.

Is there an account with certain access rights, which will allow me to do this. E.g. taking away Exchange Admins group from this user perhaps?
as far as i can remember without checking the server, the only account that has accfess to modify exchange is the administrator. even a styandard account should have rights to stop usb device and check backup software as long as you provide a shortcut to the backup soft. you seem very nervous of this person, its best you dont give them any more than you have to, and make sure you have removed 'everyone' from security privelidges throughout server 2k3.
The user neads to be added to the local 'Backup Operators'-group to manage backup jobs and logon locally.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights
* Log on locally
* Backup files and directories
ASKER CERTIFIED SOLUTION
Avatar of Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial