Solved

Delegate Control in Server 2008 w/out Active Directory

Posted on 2009-07-09
Last Modified: 2012-05-07
I need to be able to delegate control to a user, on the Windows Server 2008 platform, to enable said group or person to manage users, including permissions of Reset Passwords, Create User, and re-enable accounts.

I can only find articles pointing to the AD Delegation Wizard, old NT 4.0 stuff, or Linux items. We cannot use AD in this case as it is forbidden and beyond all consideration.

PowerUsers is not going to cut it; that's going away. And "Account Operators" appears to have gone away too... or is AD-specific.

Please help.
Question by:jjthomas3

Expert Comment

by:tigermatt
ID: 24817118

Without a Domain Environment, you lose most of the granularity in assigning roles to particular users and configuring exactly what they can do to administer the server.

When local users and groups are concerned, the only group which is going to give the users rights to do what you describe is the 'Administrators' group. Due to the way in which the Windows security model works for local users/groups, you simply won't be able to create a custom group and delegate control, like you can in Active Directory.

An AD domain is intended for business use, so has business-like features. Local Users/Groups are intended for test/development boxes, home users or otherwise for machines which will have limited use and/or access, so don't have all the functionality which you may find you need on a large-scale production deployment.

-Matt

Accepted Solution

by:jjthomas3
ID: 24819613
That's what I was afraid of...

We actually distribute Server 2008, on our own hardware, to run an R&D application platform that we developed. Our customer base always wants the ability to manage a few users due to things like turnover, but due to HIPAA regulations we cannot grant them Admin rights on the units.

As a temporary solution I created a pool of users and some groups for various responsibilities and used subinacl /samobject to grant a few special users the ability to manage those users and groups. It's basically pseudo delegation. They can't create any new users... it's a compromise, not very elegant but effective. What I was hoping for was some magic permissions that I could apply that in combination would allow for user management, but I'm not having much luck.

Maybe someday it will be easier to market the unit with its own little mini AD infrastructure, but for now people are reluctant to have a 3rd party Active Directory running within their corporate network.

Expert Comment

by:tigermatt
ID: 24822131

It makes sense why you cannot deploy an Active Directory environment.
However, using the method you describe is probably the only effective workaround at this time to delegate control. There is no simple 'Delegation of Control' wizard in non-Active Directory environments, unfortunately.

-Matt