• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 372
  • Last Modified:

how to manage servers without manage users and groups?

Hi there... long time without asking a question... here we go:

I have a W2K domain (not native mode) with a bunch of member servers and 6 domain controllers. In this company decided to create a new role called "servers administrators" and it cannot be member either domain admins or local administrators groups.

This new role will manage all about servers (only servers, not workstations) and they should not manage in any way groups and/or users (neither local nor global).

(a) Which is the best way (less time and less impact) to give a group/user only those access rights that allow it to manage everything related to server administration (monitoring, upgrade, patch, manage folder access rights, backup/restore, take ownership, force log off, and so on) but group/user administration?

(b) Is there a way to accomplish this using the standard groups (I mean, using a "server operators"-like group in W2K) or should I create a separate group for them?

(c) Which are the access rights that should I grant to deny only user administration?

To Clarify:
- the new role "servers administrators" can do anything on any server (including domain controllers)
- they should NOT shutdown domain controllers
- they should NOT administer DNS/WINS/DHCP
- they should NOT manage GPOs
- the new role "servers administrators" cannot manage workstations
- "servers administrators" cannot manage local/domain users  and  local/domain groups
- There are NO short/mid-term plans to neither migrate to 2003/2008 (unfortunatelly) nor raise the domain functional level to native.
0
CJRODRIG
Asked:
CJRODRIG
  • 5
  • 4
1 Solution
 
CJRODRIGAuthor Commented:
maybe increasing question points will get your answers/comments...
0
 
plug1Commented:
Im afraid once you have given  a user admin rights on a domain then that user has the right to take more permissions as they see fit. So no you cant majke them admins in some respects and not in others Im afraid.
0
 
CJRODRIGAuthor Commented:
What about the "servers operators" group? They, according to MS explanation, can manage DCs without managing user/groups accounts... Can I create a group like that in W2K (honestly, I don't remember if that group already exists in W2K)... If so, Can I grant certain user rights (by GPOs) add/remove this group in some security Options (GPO too), check some "allow"s or "deny"s at Active Directory (either raw or user-friendly way) for certain objects, that allow me to accomplish this?
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
CJRODRIGAuthor Commented:
a final note: most important here is that new "servers admins" must not manage users/groups neither local nor global (at least: cannot create new users/groups and cannot edit any existing users/groups)... Don't care about other stuff...
0
 
plug1Commented:
The server operators group can only work on DC's.
0
 
plug1Commented:
Once they have the admin rights do do all of the other stuff you need them to do they will also have the right to change users and groups.
0
 
CJRODRIGAuthor Commented:
Sorry for late responses... I were away for a week without an internet connectoin available...

Well, what we are doing is placing the custom "Server admins" group into "Power Users" built-in group. We created a separate OU and moved all servers to that OU. Then created a GPO to add "Servers Admins" to "Power users" using "Restricted Groups" option. In this way, for member servers, they cannot manage groups "greater than" Power users, I mean, they cannot manage by exaple Administrators group.

The problem with this approach is they can create local users on servers, and add them to Power users group.... The membership to Power Users group is solved by the GPO because when refreshes it the setting in the policy overwrites all modifications done by a user.

So the only issue pending is how to prevent a power user to create local users??? Is there a way to restrict it using GPOs too?

Please answer this last question to grade it ASAP.

Best regards to all
0
 
plug1Commented:
Sorry mate, the problem still stands, once they have the power users right then they have them. They will be able to create local users and change permissions. Theres not much you can do about this.
0
 
CJRODRIGAuthor Commented:
We made the new so-called "servers admins" group member of power users, backup operators, server operators, network configuration operators, and a couple of other built-in groups related to performance (don't remember right now their names), then fine-tunned each user right in user right assignment and the members of this new group cannot change permissions unless they manage volume/files/folders with explicitely have full control for any of these builtin groups or for  "everyone". (which was tweaked too)...

The only problem that still remains is they are able to create local users and include them in ONLY in Power Users group and Guests.... figuring out how to prevent it...

I'll let you all know my advances here... and I'll post the GPO settings report next week...

Cheers

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now