Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

how to manage servers without manage users and groups?

Posted on 2008-10-06
9
Medium Priority
?
361 Views
Last Modified: 2013-12-05
Hi there... long time without asking a question... here we go:

I have a W2K domain (not native mode) with a bunch of member servers and 6 domain controllers. In this company decided to create a new role called "servers administrators" and it cannot be member either domain admins or local administrators groups.

This new role will manage all about servers (only servers, not workstations) and they should not manage in any way groups and/or users (neither local nor global).

(a) Which is the best way (less time and less impact) to give a group/user only those access rights that allow it to manage everything related to server administration (monitoring, upgrade, patch, manage folder access rights, backup/restore, take ownership, force log off, and so on) but group/user administration?

(b) Is there a way to accomplish this using the standard groups (I mean, using a "server operators"-like group in W2K) or should I create a separate group for them?

(c) Which are the access rights that should I grant to deny only user administration?

To Clarify:
- the new role "servers administrators" can do anything on any server (including domain controllers)
- they should NOT shutdown domain controllers
- they should NOT administer DNS/WINS/DHCP
- they should NOT manage GPOs
- the new role "servers administrators" cannot manage workstations
- "servers administrators" cannot manage local/domain users  and  local/domain groups
- There are NO short/mid-term plans to neither migrate to 2003/2008 (unfortunatelly) nor raise the domain functional level to native.
0
Comment
Question by:CJRODRIG
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22655322
maybe increasing question points will get your answers/comments...
0
 
LVL 14

Expert Comment

by:plug1
ID: 22658399
Im afraid once you have given  a user admin rights on a domain then that user has the right to take more permissions as they see fit. So no you cant majke them admins in some respects and not in others Im afraid.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659232
What about the "servers operators" group? They, according to MS explanation, can manage DCs without managing user/groups accounts... Can I create a group like that in W2K (honestly, I don't remember if that group already exists in W2K)... If so, Can I grant certain user rights (by GPOs) add/remove this group in some security Options (GPO too), check some "allow"s or "deny"s at Active Directory (either raw or user-friendly way) for certain objects, that allow me to accomplish this?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659302
a final note: most important here is that new "servers admins" must not manage users/groups neither local nor global (at least: cannot create new users/groups and cannot edit any existing users/groups)... Don't care about other stuff...
0
 
LVL 14

Expert Comment

by:plug1
ID: 22659774
The server operators group can only work on DC's.
0
 
LVL 14

Expert Comment

by:plug1
ID: 22659784
Once they have the admin rights do do all of the other stuff you need them to do they will also have the right to change users and groups.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22740213
Sorry for late responses... I were away for a week without an internet connectoin available...

Well, what we are doing is placing the custom "Server admins" group into "Power Users" built-in group. We created a separate OU and moved all servers to that OU. Then created a GPO to add "Servers Admins" to "Power users" using "Restricted Groups" option. In this way, for member servers, they cannot manage groups "greater than" Power users, I mean, they cannot manage by exaple Administrators group.

The problem with this approach is they can create local users on servers, and add them to Power users group.... The membership to Power Users group is solved by the GPO because when refreshes it the setting in the policy overwrites all modifications done by a user.

So the only issue pending is how to prevent a power user to create local users??? Is there a way to restrict it using GPOs too?

Please answer this last question to grade it ASAP.

Best regards to all
0
 
LVL 14

Accepted Solution

by:
plug1 earned 2000 total points
ID: 22740361
Sorry mate, the problem still stands, once they have the power users right then they have them. They will be able to create local users and change permissions. Theres not much you can do about this.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22804887
We made the new so-called "servers admins" group member of power users, backup operators, server operators, network configuration operators, and a couple of other built-in groups related to performance (don't remember right now their names), then fine-tunned each user right in user right assignment and the members of this new group cannot change permissions unless they manage volume/files/folders with explicitely have full control for any of these builtin groups or for  "everyone". (which was tweaked too)...

The only problem that still remains is they are able to create local users and include them in ONLY in Power Users group and Guests.... figuring out how to prevent it...

I'll let you all know my advances here... and I'll post the GPO settings report next week...

Cheers

0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
Know what services you can and cannot, should and should not combine on your server.
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question