Hi there... long time without asking a question... here we go:
I have a W2K domain (not native mode) with a bunch of member servers and 6 domain controllers. The company decided to create a new role called "servers administrators", and it cannot be a member of either the domain admins or local administrators groups.
This new role will manage everything about servers (only servers, not workstations) and they should not manage groups and/or users in any way (neither local nor global).
(a) Which is the best way (less time and less impact) to give a group/user only those access rights that allow it to manage everything related to server administration (monitoring, upgrade, patch, manage folder access rights, backup/restore, take ownership, force log off, and so on) except group/user administration?
(b) Is there a way to accomplish this using the standard groups (I mean, using a "server operators"-like group in W2K) or should I create a separate group for them?
(c) Which access rights should I grant to deny only user administration?
- the new role "servers administrators" can do anything on any server (including domain controllers)
- they should NOT shut down domain controllers
- they should NOT administer DNS/WINS/DHCP
- they should NOT manage GPOs
- the new role "servers administrators" cannot manage workstations
- "servers administrators" cannot manage local/domain users and local/domain groups
- There are NO short/mid-term plans to either migrate to 2003/2008 (unfortunately) or raise the domain functional level to native.