Solved

W2K3 BUILT IN ACCOUNTS

Posted on 2009-07-08
7
261 Views
Last Modified: 2012-05-07
I have a new hire.  I would like to allow her the ability to remotely login to domain controllers to reset passwords and create accounts in Active Directory.  I have her in the account operator,domain users and remote desktop group.  When I attempt to login via RDP the server responds:

To log on to this remote computer, you must be granted the Allow log on through
Terminal Services right.  By degault, members of the remote desktop
users group have this right.  If you are not a member of the remote desktop users group
or another group that has this right, of if the remote desktop user group does not have this
right, you must be granted this right manually.  

I want to restrict this user so she can't install software or make any changes to the server and I don't want to relinquish the admin account.  What would be the most practical Active Directory group membership assignment?
0
Comment
Question by:collector_edi
  • 2
  • 2
  • 2
7 Comments
 
LVL 82

Accepted Solution

by:
oBdA earned 334 total points
ID: 24808114
There is no need to let this user logon to the domain controller.
Install adminpak.msi on her workstation, she can then use the ADUC console directly from here workstation.
You'll find adminpak.msi in the system32 folder of your DC.
How to use Adminpak.msi to install a specific server administration tool in Windows
http://support.microsoft.com/kb/314978
0
 

Author Comment

by:collector_edi
ID: 24808127
What if I want this person to rdp into the server but have minimal permissions?
0
 
LVL 82

Assisted Solution

by:oBdA
oBdA earned 334 total points
ID: 24808189
Create a group "DCRemoteDesktopUsers" or whatever, open the Terminal Services Configuration MMC from the Administrative Tools menu, open the properties of the RDP-tcp protocol, and assign the same permissions as the Remote Desktop Users group (the latter is a local group which can't be used in AD). Add the user account to this group, and she should be able to logon to the DC through RDP.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 3

Assisted Solution

by:jbatt
jbatt earned 166 total points
ID: 24809079
Hi

Your goals

>  to reset passwords and create accounts in Active Directory.

As oBdA states, load Admin pack on client machine and then set up delegrations in AD with permissions to achieve your goals

To start you off have a read here

http://support.microsoft.com/kb/235531
0
 
LVL 3

Expert Comment

by:jbatt
ID: 24809105
I've not read all of this, but this link appears to be better going by the screen shots

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 

Author Comment

by:collector_edi
ID: 24984499
Gentleman. Sorry about  the delay. I will pursue the suggestions early next week and report back with response.  Please don't remove question.  
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now