Avatar of MarkMichael
MarkMichael asked on

Handing people the administrator account - no thanks!

Hi Experts

I would like you suggestions here.

I have an SBS Server ready for a customer, in fact more than one.

We have a contact on site that will do anything we ask them to do on the server for us. Knowing that a full administrator user will be able to do absolutely anything on the server, we do not want to give this person the account. However, changing/checking backup of our USB drives would need a person to click the 'Safely Remove Hardware' option for the USB device. So here, they need login previleges.

Also, I don't want to give them access to other users mailboxes. Simply put, the full administrator account will be able to add 'Mailbox Rights' to peoples mailboxes and give themselves full access with the administrator account. I don't like the fact that one person in the company would be able to do this.

What account level should I give a contact on-site to be able to perform login tasks, change/check backup?
What do you guys give your on-site contacts?
SBSExchangeWindows Server 2003

Avatar of undefined
Last Comment
Jeffrey Kane - TechSoEasy

8/22/2022 - Mon
polo_boy

we dont give them any access! when removeable usb drives have been used, just tell them to turn the switch off on the hdd, then unplug. does no damage whatsoever and are designed for this. the plug new one in and switch on power. sorted.
ASKER
MarkMichael

Considering this, there is an event added to the event log stating that there is an issue. Nothing critical but I'd rather keep these to a minimum.

The users still need to check the backup for issues too, so I still need them to login.

Is there an account with certain access rights, which will allow me to do this. E.g. taking away Exchange Admins group from this user perhaps?
polo_boy

as far as i can remember without checking the server, the only account that has accfess to modify exchange is the administrator. even a styandard account should have rights to stop usb device and check backup software as long as you provide a shortcut to the backup soft. you seem very nervous of this person, its best you dont give them any more than you have to, and make sure you have removed 'everyone' from security privelidges throughout server 2k3.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Henrik Johansson

The user neads to be added to the local 'Backup Operators'-group to manage backup jobs and logon locally.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights
* Log on locally
* Backup files and directories
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question