Solved

W2K3 BUILT IN ACCOUNTS

Posted on 2009-07-08
7
264 Views
Last Modified: 2012-05-07
I have a new hire.  I would like to allow her the ability to remotely login to domain controllers to reset passwords and create accounts in Active Directory.  I have her in the account operator,domain users and remote desktop group.  When I attempt to login via RDP the server responds:

To log on to this remote computer, you must be granted the Allow log on through
Terminal Services right.  By degault, members of the remote desktop
users group have this right.  If you are not a member of the remote desktop users group
or another group that has this right, of if the remote desktop user group does not have this
right, you must be granted this right manually.  

I want to restrict this user so she can't install software or make any changes to the server and I don't want to relinquish the admin account.  What would be the most practical Active Directory group membership assignment?
0
Comment
Question by:collector_edi
  • 2
  • 2
  • 2
7 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 334 total points
ID: 24808114
There is no need to let this user logon to the domain controller.
Install adminpak.msi on her workstation, she can then use the ADUC console directly from here workstation.
You'll find adminpak.msi in the system32 folder of your DC.
How to use Adminpak.msi to install a specific server administration tool in Windows
http://support.microsoft.com/kb/314978
0
 

Author Comment

by:collector_edi
ID: 24808127
What if I want this person to rdp into the server but have minimal permissions?
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 334 total points
ID: 24808189
Create a group "DCRemoteDesktopUsers" or whatever, open the Terminal Services Configuration MMC from the Administrative Tools menu, open the properties of the RDP-tcp protocol, and assign the same permissions as the Remote Desktop Users group (the latter is a local group which can't be used in AD). Add the user account to this group, and she should be able to logon to the DC through RDP.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 3

Assisted Solution

by:jbatt
jbatt earned 166 total points
ID: 24809079
Hi

Your goals

>  to reset passwords and create accounts in Active Directory.

As oBdA states, load Admin pack on client machine and then set up delegrations in AD with permissions to achieve your goals

To start you off have a read here

http://support.microsoft.com/kb/235531
0
 
LVL 3

Expert Comment

by:jbatt
ID: 24809105
I've not read all of this, but this link appears to be better going by the screen shots

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 

Author Comment

by:collector_edi
ID: 24984499
Gentleman. Sorry about  the delay. I will pursue the suggestions early next week and report back with response.  Please don't remove question.  
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question