Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

how to manage servers without manage users and groups?

Posted on 2008-10-06
9
Medium Priority
?
363 Views
Last Modified: 2013-12-05
Hi there... long time without asking a question... here we go:

I have a W2K domain (not native mode) with a bunch of member servers and 6 domain controllers. In this company decided to create a new role called "servers administrators" and it cannot be member either domain admins or local administrators groups.

This new role will manage all about servers (only servers, not workstations) and they should not manage in any way groups and/or users (neither local nor global).

(a) Which is the best way (less time and less impact) to give a group/user only those access rights that allow it to manage everything related to server administration (monitoring, upgrade, patch, manage folder access rights, backup/restore, take ownership, force log off, and so on) but group/user administration?

(b) Is there a way to accomplish this using the standard groups (I mean, using a "server operators"-like group in W2K) or should I create a separate group for them?

(c) Which are the access rights that should I grant to deny only user administration?

To Clarify:
- the new role "servers administrators" can do anything on any server (including domain controllers)
- they should NOT shutdown domain controllers
- they should NOT administer DNS/WINS/DHCP
- they should NOT manage GPOs
- the new role "servers administrators" cannot manage workstations
- "servers administrators" cannot manage local/domain users  and  local/domain groups
- There are NO short/mid-term plans to neither migrate to 2003/2008 (unfortunatelly) nor raise the domain functional level to native.
0
Comment
Question by:CJRODRIG
  • 5
  • 4
9 Comments
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22655322
maybe increasing question points will get your answers/comments...
0
 
LVL 14

Expert Comment

by:plug1
ID: 22658399
Im afraid once you have given  a user admin rights on a domain then that user has the right to take more permissions as they see fit. So no you cant majke them admins in some respects and not in others Im afraid.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659232
What about the "servers operators" group? They, according to MS explanation, can manage DCs without managing user/groups accounts... Can I create a group like that in W2K (honestly, I don't remember if that group already exists in W2K)... If so, Can I grant certain user rights (by GPOs) add/remove this group in some security Options (GPO too), check some "allow"s or "deny"s at Active Directory (either raw or user-friendly way) for certain objects, that allow me to accomplish this?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 2

Author Comment

by:CJRODRIG
ID: 22659302
a final note: most important here is that new "servers admins" must not manage users/groups neither local nor global (at least: cannot create new users/groups and cannot edit any existing users/groups)... Don't care about other stuff...
0
 
LVL 14

Expert Comment

by:plug1
ID: 22659774
The server operators group can only work on DC's.
0
 
LVL 14

Expert Comment

by:plug1
ID: 22659784
Once they have the admin rights do do all of the other stuff you need them to do they will also have the right to change users and groups.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22740213
Sorry for late responses... I were away for a week without an internet connectoin available...

Well, what we are doing is placing the custom "Server admins" group into "Power Users" built-in group. We created a separate OU and moved all servers to that OU. Then created a GPO to add "Servers Admins" to "Power users" using "Restricted Groups" option. In this way, for member servers, they cannot manage groups "greater than" Power users, I mean, they cannot manage by exaple Administrators group.

The problem with this approach is they can create local users on servers, and add them to Power users group.... The membership to Power Users group is solved by the GPO because when refreshes it the setting in the policy overwrites all modifications done by a user.

So the only issue pending is how to prevent a power user to create local users??? Is there a way to restrict it using GPOs too?

Please answer this last question to grade it ASAP.

Best regards to all
0
 
LVL 14

Accepted Solution

by:
plug1 earned 2000 total points
ID: 22740361
Sorry mate, the problem still stands, once they have the power users right then they have them. They will be able to create local users and change permissions. Theres not much you can do about this.
0
 
LVL 2

Author Comment

by:CJRODRIG
ID: 22804887
We made the new so-called "servers admins" group member of power users, backup operators, server operators, network configuration operators, and a couple of other built-in groups related to performance (don't remember right now their names), then fine-tunned each user right in user right assignment and the members of this new group cannot change permissions unless they manage volume/files/folders with explicitely have full control for any of these builtin groups or for  "everyone". (which was tweaked too)...

The only problem that still remains is they are able to create local users and include them in ONLY in Power Users group and Guests.... figuring out how to prevent it...

I'll let you all know my advances here... and I'll post the GPO settings report next week...

Cheers

0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question