Delegate Control in Server 2008 w/out Active Directory

I need to be able to delegate control to a user, on the Windows Server 2008 platform, to enable said group or person to manage users, including permissions of Reset Passwords, Create User, and re-enable accounts.

I can only find articles pointing to the AD Delegation Wizard, old NT 4.0 stuff, or Linux items. We cannot use AD in this case as it is forbidden and beyond all consideration.

PowerUsers is not going to cut it, that's going away. And "Account Operators" appears to have gone away too... or is AD-specific.

Please help.
jjthomas3 Asked:

tigermatt Commented:

Without a Domain Environment, you lose most of the granularity in assigning roles to particular users and configuring exactly what they can do to administer the server.

When local users and groups are concerned, the only group which is going to give the users rights to do what you describe is the 'Administrators' group. Due to the way in which the Windows security model works for local users/groups, you simply won't be able to create a custom group and delegate control, like you can in Active Directory.

An AD domain is intended for business use, so has business-like features. Local Users/Groups are intended for test/development boxes, home users or otherwise for machines which will have limited use and/or access, so don't have all the functionality which you may find you need on a large-scale production deployment.

-Matt
jjthomas3 (Author) Commented:
That's what I was afraid of...

We actually distribute Server 2008, on our own hardware, to run an R&D application platform that we developed. Our customer base always wants the ability to manage a few users due to things like turnover, but due to HIPAA regulations we cannot grant them Admin rights on the units.

As a temporary solution I created a pool of users and some groups for various responsibilities and used subinacl /samobject to grant a few special users the ability to manage those users and groups. It's basically pseudo delegation. They can't create any new users... it's a compromise, not very elegant but effective. I was hoping for some magic permissions that I could apply that in combination would allow for user management, but I'm not having much luck.

Maybe someday it will be easier to market the unit with its own little mini AD infrastructure, but for now people are reluctant to have a 3rd party Active Directory running within their corporate network.
tigermatt Commented:

It makes sense why you cannot deploy an Active Directory environment.
However, using the method you describe is probably the only effective workaround at this time to delegate control. There is no simple 'Delegation of Control' wizard in non-Active Directory environments, unfortunately.

-Matt