Solved

W2K3 BUILT IN ACCOUNTS

Posted on 2009-07-08
Last Modified: 2012-05-07
I have a new hire. I would like to allow her the ability to remotely log in to domain controllers to reset passwords and create accounts in Active Directory. I have her in the account operator, domain users and remote desktop group. When I attempt to log in via RDP the server responds:

To log on to this remote computer, you must be granted the Allow log on through
Terminal Services right. By default, members of the remote desktop
users group have this right. If you are not a member of the remote desktop users group
or another group that has this right, or if the remote desktop user group does not have this
right, you must be granted this right manually.

I want to restrict this user so she can't install software or make any changes to the server and I don't want to relinquish the admin account.  What would be the most practical Active Directory group membership assignment?
Question by:collector_edi
7 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 1336 total points
ID: 24808114
There is no need to let this user logon to the domain controller.
Install adminpak.msi on her workstation; she can then use the ADUC console directly from her workstation.
You'll find adminpak.msi in the system32 folder of your DC.
How to use Adminpak.msi to install a specific server administration tool in Windows
http://support.microsoft.com/kb/314978
0
 

Author Comment

by:collector_edi
ID: 24808127
What if I want this person to RDP into the server but have minimal permissions?
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 1336 total points
ID: 24808189
Create a group "DCRemoteDesktopUsers" or whatever, open the Terminal Services Configuration MMC from the Administrative Tools menu, open the properties of the RDP-tcp protocol, and assign the same permissions as the Remote Desktop Users group (the latter is a local group which can't be used in AD). Add the user account to this group, and she should be able to log on to the DC through RDP.
0

 
LVL 3

Assisted Solution

by:jbatt
jbatt earned 664 total points
ID: 24809079
Hi

Your goals

>  to reset passwords and create accounts in Active Directory.

As oBdA states, load Admin pack on client machine and then set up delegations in AD with permissions to achieve your goals.

To start you off have a read here

http://support.microsoft.com/kb/235531
0
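The delegation suggested in the answer above can also be scripted with dsacls.exe (part of the Windows Server 2003 Support Tools). This is an added example, not part of the original thread; the OU distinguished name and the group name are hypothetical placeholders, and it covers only the two tasks named in the question (create accounts, reset passwords).

```batch
@echo off
rem Added example: delegate account creation and password reset on one OU
rem instead of using Account Operators or granting logon to the DC.
rem TARGET_OU and GROUP are hypothetical placeholders; substitute your own.
set "TARGET_OU=OU=Staff,DC=example,DC=local"
set "GROUP=EXAMPLE\AccountHelpdesk"

rem Create user objects in this OU and its sub-OUs.
rem CC = create child, restricted to object type "user"; /I:T = this object and subobjects.
dsacls "%TARGET_OU%" /I:T /G "%GROUP%:CC;user"

rem Grant the Reset Password control access right on descendant user objects.
rem CA = control access; /I:S = subobjects only.
dsacls "%TARGET_OU%" /I:S /G "%GROUP%:CA;Reset Password;user"

rem Allow writing pwdLastSet so "User must change password at next logon" can be set.
dsacls "%TARGET_OU%" /I:S /G "%GROUP%:WP;pwdLastSet;user"

rem Display the resulting ACL on the OU to confirm only the intended entries were added.
dsacls "%TARGET_OU%"
```

Scoping the grant to a single OU keeps the delegated user away from accounts outside it, which Account Operators membership does not.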
 
LVL 3

Expert Comment

by:jbatt
ID: 24809105
I've not read all of this, but this link appears to be better going by the screen shots

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 

Author Comment

by:collector_edi
ID: 24984499
Gentlemen. Sorry about the delay. I will pursue the suggestions early next week and report back with response. Please don't remove question.
0


Question has a verified solution.
