?
Solved

W2K3 BUILT IN ACCOUNTS

Posted on 2009-07-08
7
Medium Priority
?
269 Views
Last Modified: 2012-05-07
I have a new hire.  I would like to allow her the ability to remotely login to domain controllers to reset passwords and create accounts in Active Directory.  I have her in the account operator,domain users and remote desktop group.  When I attempt to login via RDP the server responds:

To log on to this remote computer, you must be granted the Allow log on through
Terminal Services right.  By degault, members of the remote desktop
users group have this right.  If you are not a member of the remote desktop users group
or another group that has this right, of if the remote desktop user group does not have this
right, you must be granted this right manually.  

I want to restrict this user so she can't install software or make any changes to the server and I don't want to relinquish the admin account.  What would be the most practical Active Directory group membership assignment?
0
Comment
Question by:collector_edi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
7 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 1336 total points
ID: 24808114
There is no need to let this user logon to the domain controller.
Install adminpak.msi on her workstation, she can then use the ADUC console directly from here workstation.
You'll find adminpak.msi in the system32 folder of your DC.
How to use Adminpak.msi to install a specific server administration tool in Windows
http://support.microsoft.com/kb/314978
0
 

Author Comment

by:collector_edi
ID: 24808127
What if I want this person to rdp into the server but have minimal permissions?
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 1336 total points
ID: 24808189
Create a group "DCRemoteDesktopUsers" or whatever, open the Terminal Services Configuration MMC from the Administrative Tools menu, open the properties of the RDP-tcp protocol, and assign the same permissions as the Remote Desktop Users group (the latter is a local group which can't be used in AD). Add the user account to this group, and she should be able to logon to the DC through RDP.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 3

Assisted Solution

by:jbatt
jbatt earned 664 total points
ID: 24809079
Hi

Your goals

>  to reset passwords and create accounts in Active Directory.

As oBdA states, load Admin pack on client machine and then set up delegrations in AD with permissions to achieve your goals

To start you off have a read here

http://support.microsoft.com/kb/235531
0
 
LVL 3

Expert Comment

by:jbatt
ID: 24809105
I've not read all of this, but this link appears to be better going by the screen shots

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 

Author Comment

by:collector_edi
ID: 24984499
Gentleman. Sorry about  the delay. I will pursue the suggestions early next week and report back with response.  Please don't remove question.  
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question