Solved

Delegate Control in Server 2008 w/out Active Directory

Posted on 2009-07-09
3
716 Views
Last Modified: 2012-05-07
I need to be able to delegate control to a user, on the Windows Server 2008 platform, to enable said group or person to manage users including permissions of Reset Passwors, Create User and, re-enable accounts.

I can only find articles pointing to AD Delegation Wizzard, old NT 4.0 stuff, or Linux items. We can not use AD in this case as it is forbidden and beyond all consideration.

PowerUsers is not going to cut it, that's going away. And "Account Operators" appears to have gone away too.. or is AD specific.

please help.
0
Comment
Question by:jjthomas3
  • 2
3 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24817118

Without a Domain Environment, you lose most of the granularity in assigning roles to particular users and configuring exactly what they can do to administer the server.

When local users and groups are concerned, the only group which is going to give the users rights to do what you describe is the 'Administrators' group. Due to the way in which the Windows security model works for local users/groups, you simply won't be able to create a custom group and delegate control, like you can in Active Directory.

An AD domain is intended for business use, so has business-like features. Local Users/Groups are intended for test/development boxes, home users or otherwise for machines which will have limited use and/or access, so don't have all the functionality which you may find you need on a large-scale production deployment.

-Matt
0
 
LVL 1

Accepted Solution

by:
jjthomas3 earned 0 total points
ID: 24819613
That's what I was afraid of...

We actually distribute Server 2008, on our own hardware, to run a R&D application platform that we developed. Our customer base always wants the ability manage a few users due to things like turn over, but due to HIPAA regulations we can not grant them Admin rights on the units.

 As a temporary solution I created a pool of users and some groups for various responsibilities and used subinacl /samobject to grant a few special users the ability to manage those users and groups. It's basically psudo delegation. They can't create any new users.. it's a comprimise..not very elegant but effective. What  I was hoping for some magic permissions that I could apply that in combination would allow for user management, but I'm not having much luck.

 Maybe someday it will be easier to market the unit with it's own little mini AD infrastructure, but for now people are reluctant to have a 3rd party Active Directory running with-in their corporate network.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24822131

It makes sense why you cannot deploy an Active Directory environment.
However, using the method you describe is probably the only effective workaround at this time to delegate control. There is no simple 'Delegation of Control' wizard in non-Active Directory environments, unfortunately.

-Matt
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Normally after a failure of Domain Controller, when promoting new DC the DC is renamed, we will discuss the options in Dcpromo to re-create the DC with the same name. Scenario: You are a small IT shop with two Domain Controllers (Domain Contr…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now