Solved

how to manage servers without manage users and groups?

Posted on 2008-10-06
9
354 Views
Last Modified: 2013-12-05
Hi there... long time without asking a question... here we go:

I have a W2K domain (not native mode) with a bunch of member servers and 6 domain controllers. In this company decided to create a new role called "servers administrators" and it cannot be member either domain admins or local administrators groups.

This new role will manage all about servers (only servers, not workstations) and they should not manage in any way groups and/or users (neither local nor global).

(a) Which is the best way (less time and less impact) to give a group/user only those access rights that allow it to manage everything related to server administration (monitoring, upgrade, patch, manage folder access rights, backup/restore, take ownership, force log off, and so on) but group/user administration?

(b) Is there a way to accomplish this using the standard groups (I mean, using a "server operators"-like group in W2K) or should I create a separate group for them?

(c) Which are the access rights that should I grant to deny only user administration?

To Clarify:
- the new role "servers administrators" can do anything on any server (including domain controllers)
- they should NOT shutdown domain controllers
- they should NOT administer DNS/WINS/DHCP
- they should NOT manage GPOs
- the new role "servers administrators" cannot manage workstations
- "servers administrators" cannot manage local/domain users  and  local/domain groups
- There are NO short/mid-term plans to neither migrate to 2003/2008 (unfortunatelly) nor raise the domain functional level to native.
0
Comment
Question by:CJRODRIG
  • 5
  • 4
9 Comments
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22655322
maybe increasing question points will get your answers/comments...
0
 
LVL 14

Expert Comment

by:plug1
ID: 22658399
Im afraid once you have given  a user admin rights on a domain then that user has the right to take more permissions as they see fit. So no you cant majke them admins in some respects and not in others Im afraid.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659232
What about the "servers operators" group? They, according to MS explanation, can manage DCs without managing user/groups accounts... Can I create a group like that in W2K (honestly, I don't remember if that group already exists in W2K)... If so, Can I grant certain user rights (by GPOs) add/remove this group in some security Options (GPO too), check some "allow"s or "deny"s at Active Directory (either raw or user-friendly way) for certain objects, that allow me to accomplish this?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659302
a final note: most important here is that new "servers admins" must not manage users/groups neither local nor global (at least: cannot create new users/groups and cannot edit any existing users/groups)... Don't care about other stuff...
0
 
LVL 14

Expert Comment

by:plug1
ID: 22659774
The server operators group can only work on DC's.
0
 
LVL 14

Expert Comment

by:plug1
ID: 22659784
Once they have the admin rights do do all of the other stuff you need them to do they will also have the right to change users and groups.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22740213
Sorry for late responses... I were away for a week without an internet connectoin available...

Well, what we are doing is placing the custom "Server admins" group into "Power Users" built-in group. We created a separate OU and moved all servers to that OU. Then created a GPO to add "Servers Admins" to "Power users" using "Restricted Groups" option. In this way, for member servers, they cannot manage groups "greater than" Power users, I mean, they cannot manage by exaple Administrators group.

The problem with this approach is they can create local users on servers, and add them to Power users group.... The membership to Power Users group is solved by the GPO because when refreshes it the setting in the policy overwrites all modifications done by a user.

So the only issue pending is how to prevent a power user to create local users??? Is there a way to restrict it using GPOs too?

Please answer this last question to grade it ASAP.

Best regards to all
0
 
LVL 14

Accepted Solution

by:
plug1 earned 500 total points
ID: 22740361
Sorry mate, the problem still stands, once they have the power users right then they have them. They will be able to create local users and change permissions. Theres not much you can do about this.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22804887
We made the new so-called "servers admins" group member of power users, backup operators, server operators, network configuration operators, and a couple of other built-in groups related to performance (don't remember right now their names), then fine-tunned each user right in user right assignment and the members of this new group cannot change permissions unless they manage volume/files/folders with explicitely have full control for any of these builtin groups or for  "everyone". (which was tweaked too)...

The only problem that still remains is they are able to create local users and include them in ONLY in Power Users group and Guests.... figuring out how to prevent it...

I'll let you all know my advances here... and I'll post the GPO settings report next week...

Cheers

0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
server is not seen in network 12 80
User profile Size Report 3 84
need help with active directory 4 58
Delete Disconnected Site from Active Directory 3 24
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Learn about cloud computing and its benefits for small business owners.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question