Solved

Delegate Control in Server 2008 w/out Active Directory

Posted on 2009-07-09
Last Modified: 2012-05-07
I need to be able to delegate control to a user, on the Windows Server 2008 platform, to enable said group or person to manage users, including permissions to Reset Passwords, Create User, and re-enable accounts.

I can only find articles pointing to the AD Delegation Wizard, old NT 4.0 stuff, or Linux items. We cannot use AD in this case as it is forbidden and beyond all consideration.

PowerUsers is not going to cut it, that's going away. And "Account Operators" appears to have gone away too.. or is AD specific.

Please help.
Question by:jjthomas3
Expert Comment

by:tigermatt
ID: 24817118

Without a Domain Environment, you lose most of the granularity in assigning roles to particular users and configuring exactly what they can do to administer the server.

When local users and groups are concerned, the only group which is going to give the users rights to do what you describe is the 'Administrators' group. Due to the way in which the Windows security model works for local users/groups, you simply won't be able to create a custom group and delegate control, like you can in Active Directory.

An AD domain is intended for business use, so has business-like features. Local Users/Groups are intended for test/development boxes, home users or otherwise for machines which will have limited use and/or access, so don't have all the functionality which you may find you need on a large-scale production deployment.

-Matt
Accepted Solution

by:jjthomas3
ID: 24819613
That's what I was afraid of...

We actually distribute Server 2008, on our own hardware, to run an R&D application platform that we developed. Our customer base always wants the ability to manage a few users due to things like turnover, but due to HIPAA regulations we cannot grant them Admin rights on the units.

As a temporary solution I created a pool of users and some groups for various responsibilities and used subinacl /samobject to grant a few special users the ability to manage those users and groups. It's basically pseudo delegation. They can't create any new users.. it's a compromise.. not very elegant but effective. What I was hoping for was some magic permissions that I could apply that in combination would allow for user management, but I'm not having much luck.

Maybe someday it will be easier to market the unit with its own little mini AD infrastructure, but for now people are reluctant to have a 3rd party Active Directory running within their corporate network.
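A read-only audit for the pool-and-managers workaround described in the post above, added here as an example and not part of the original thread. The group names `PoolUsers` and `PoolManagers` are assumed for illustration, and the script assumes PowerShell 2.0 or later and an English-language `Administrators` group name.

```powershell
# Added example: audits a local (non-AD) pseudo-delegation layout. Read-only.
# Assumed layout: pre-created accounts sit in one local group and the
# users allowed to manage them sit in another. Both names are hypothetical.
$Computer     = $env:COMPUTERNAME
$PoolGroup    = 'PoolUsers'      # hypothetical: the pre-created accounts
$ManagerGroup = 'PoolManagers'   # hypothetical: users granted rights over the pool

# ADSI user-flag bits for account state
$ADS_UF_ACCOUNTDISABLE = 0x0002
$ADS_UF_LOCKOUT        = 0x0010

function Get-LocalGroupMemberName {
    param([string]$GroupName)
    # WinNT provider works against the local SAM, no domain required
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

$admins   = @(Get-LocalGroupMemberName 'Administrators')
$managers = @(Get-LocalGroupMemberName $ManagerGroup)
$pool     = @(Get-LocalGroupMemberName $PoolGroup)

# Check 1: a manager who is also a local Administrator is not restricted at all.
foreach ($name in $managers) {
    if ($admins -contains $name) {
        Write-Warning "$name is a pool manager and a member of Administrators"
    }
}

# Check 2: a pool account holding Administrators or manager membership lets
# anyone who can reset its password take over those rights.
foreach ($name in $pool) {
    if (($admins -contains $name) -or ($managers -contains $name)) {
        Write-Warning "$name is in the managed pool but holds elevated membership"
    }
}

# Report the state of every pool account so disabled or locked ones stand out.
foreach ($name in $pool) {
    $user  = [ADSI]"WinNT://$Computer/$name,user"
    $flags = [int]$user.UserFlags.Value
    New-Object PSObject -Property @{
        Account   = $name
        Disabled  = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
        LockedOut = [bool]($flags -band $ADS_UF_LOCKOUT)
    }
}
```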
Expert Comment

by:tigermatt
ID: 24822131

It makes sense why you cannot deploy an Active Directory environment.
However, using the method you describe is probably the only effective workaround at this time to delegate control. There is no simple 'Delegation of Control' wizard in non-Active Directory environments, unfortunately.

-Matt