Solved

W2K3 BUILT IN ACCOUNTS

Posted on 2009-07-08
7
265 Views
Last Modified: 2012-05-07
I have a new hire.  I would like to allow her the ability to remotely login to domain controllers to reset passwords and create accounts in Active Directory.  I have her in the account operator,domain users and remote desktop group.  When I attempt to login via RDP the server responds:

To log on to this remote computer, you must be granted the Allow log on through
Terminal Services right.  By degault, members of the remote desktop
users group have this right.  If you are not a member of the remote desktop users group
or another group that has this right, of if the remote desktop user group does not have this
right, you must be granted this right manually.  

I want to restrict this user so she can't install software or make any changes to the server and I don't want to relinquish the admin account.  What would be the most practical Active Directory group membership assignment?
0
Comment
Question by:collector_edi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
7 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 334 total points
ID: 24808114
There is no need to let this user logon to the domain controller.
Install adminpak.msi on her workstation, she can then use the ADUC console directly from here workstation.
You'll find adminpak.msi in the system32 folder of your DC.
How to use Adminpak.msi to install a specific server administration tool in Windows
http://support.microsoft.com/kb/314978
0
 

Author Comment

by:collector_edi
ID: 24808127
What if I want this person to rdp into the server but have minimal permissions?
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 334 total points
ID: 24808189
Create a group "DCRemoteDesktopUsers" or whatever, open the Terminal Services Configuration MMC from the Administrative Tools menu, open the properties of the RDP-tcp protocol, and assign the same permissions as the Remote Desktop Users group (the latter is a local group which can't be used in AD). Add the user account to this group, and she should be able to logon to the DC through RDP.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 3

Assisted Solution

by:jbatt
jbatt earned 166 total points
ID: 24809079
Hi

Your goals

>  to reset passwords and create accounts in Active Directory.

As oBdA states, load Admin pack on client machine and then set up delegrations in AD with permissions to achieve your goals

To start you off have a read here

http://support.microsoft.com/kb/235531
0
 
LVL 3

Expert Comment

by:jbatt
ID: 24809105
I've not read all of this, but this link appears to be better going by the screen shots

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 

Author Comment

by:collector_edi
ID: 24984499
Gentleman. Sorry about  the delay. I will pursue the suggestions early next week and report back with response.  Please don't remove question.  
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question