Solved

how to manage servers without manage users and groups?

Posted on 2008-10-06
9
352 Views
Last Modified: 2013-12-05
Hi there... long time without asking a question... here we go:

I have a W2K domain (not native mode) with a bunch of member servers and 6 domain controllers. In this company decided to create a new role called "servers administrators" and it cannot be member either domain admins or local administrators groups.

This new role will manage all about servers (only servers, not workstations) and they should not manage in any way groups and/or users (neither local nor global).

(a) Which is the best way (less time and less impact) to give a group/user only those access rights that allow it to manage everything related to server administration (monitoring, upgrade, patch, manage folder access rights, backup/restore, take ownership, force log off, and so on) but group/user administration?

(b) Is there a way to accomplish this using the standard groups (I mean, using a "server operators"-like group in W2K) or should I create a separate group for them?

(c) Which are the access rights that should I grant to deny only user administration?

To Clarify:
- the new role "servers administrators" can do anything on any server (including domain controllers)
- they should NOT shutdown domain controllers
- they should NOT administer DNS/WINS/DHCP
- they should NOT manage GPOs
- the new role "servers administrators" cannot manage workstations
- "servers administrators" cannot manage local/domain users  and  local/domain groups
- There are NO short/mid-term plans to neither migrate to 2003/2008 (unfortunatelly) nor raise the domain functional level to native.
0
Comment
Question by:CJRODRIG
  • 5
  • 4
9 Comments
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22655322
maybe increasing question points will get your answers/comments...
0
 
LVL 14

Expert Comment

by:plug1
ID: 22658399
Im afraid once you have given  a user admin rights on a domain then that user has the right to take more permissions as they see fit. So no you cant majke them admins in some respects and not in others Im afraid.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659232
What about the "servers operators" group? They, according to MS explanation, can manage DCs without managing user/groups accounts... Can I create a group like that in W2K (honestly, I don't remember if that group already exists in W2K)... If so, Can I grant certain user rights (by GPOs) add/remove this group in some security Options (GPO too), check some "allow"s or "deny"s at Active Directory (either raw or user-friendly way) for certain objects, that allow me to accomplish this?
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659302
a final note: most important here is that new "servers admins" must not manage users/groups neither local nor global (at least: cannot create new users/groups and cannot edit any existing users/groups)... Don't care about other stuff...
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 14

Expert Comment

by:plug1
ID: 22659774
The server operators group can only work on DC's.
0
 
LVL 14

Expert Comment

by:plug1
ID: 22659784
Once they have the admin rights do do all of the other stuff you need them to do they will also have the right to change users and groups.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22740213
Sorry for late responses... I were away for a week without an internet connectoin available...

Well, what we are doing is placing the custom "Server admins" group into "Power Users" built-in group. We created a separate OU and moved all servers to that OU. Then created a GPO to add "Servers Admins" to "Power users" using "Restricted Groups" option. In this way, for member servers, they cannot manage groups "greater than" Power users, I mean, they cannot manage by exaple Administrators group.

The problem with this approach is they can create local users on servers, and add them to Power users group.... The membership to Power Users group is solved by the GPO because when refreshes it the setting in the policy overwrites all modifications done by a user.

So the only issue pending is how to prevent a power user to create local users??? Is there a way to restrict it using GPOs too?

Please answer this last question to grade it ASAP.

Best regards to all
0
 
LVL 14

Accepted Solution

by:
plug1 earned 500 total points
ID: 22740361
Sorry mate, the problem still stands, once they have the power users right then they have them. They will be able to create local users and change permissions. Theres not much you can do about this.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22804887
We made the new so-called "servers admins" group member of power users, backup operators, server operators, network configuration operators, and a couple of other built-in groups related to performance (don't remember right now their names), then fine-tunned each user right in user right assignment and the members of this new group cannot change permissions unless they manage volume/files/folders with explicitely have full control for any of these builtin groups or for  "everyone". (which was tweaked too)...

The only problem that still remains is they are able to create local users and include them in ONLY in Power Users group and Guests.... figuring out how to prevent it...

I'll let you all know my advances here... and I'll post the GPO settings report next week...

Cheers

0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now