Solved

Delegate Control in Server 2008 w/out Active Directory

Posted on 2009-07-09
3
720 Views
Last Modified: 2012-05-07
I need to be able to delegate control to a user, on the Windows Server 2008 platform, to enable said group or person to manage users including permissions of Reset Passwors, Create User and, re-enable accounts.

I can only find articles pointing to AD Delegation Wizzard, old NT 4.0 stuff, or Linux items. We can not use AD in this case as it is forbidden and beyond all consideration.

PowerUsers is not going to cut it, that's going away. And "Account Operators" appears to have gone away too.. or is AD specific.

please help.
0
Comment
Question by:jjthomas3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24817118

Without a Domain Environment, you lose most of the granularity in assigning roles to particular users and configuring exactly what they can do to administer the server.

When local users and groups are concerned, the only group which is going to give the users rights to do what you describe is the 'Administrators' group. Due to the way in which the Windows security model works for local users/groups, you simply won't be able to create a custom group and delegate control, like you can in Active Directory.

An AD domain is intended for business use, so has business-like features. Local Users/Groups are intended for test/development boxes, home users or otherwise for machines which will have limited use and/or access, so don't have all the functionality which you may find you need on a large-scale production deployment.

-Matt
0
 
LVL 1

Accepted Solution

by:
jjthomas3 earned 0 total points
ID: 24819613
That's what I was afraid of...

We actually distribute Server 2008, on our own hardware, to run a R&D application platform that we developed. Our customer base always wants the ability manage a few users due to things like turn over, but due to HIPAA regulations we can not grant them Admin rights on the units.

 As a temporary solution I created a pool of users and some groups for various responsibilities and used subinacl /samobject to grant a few special users the ability to manage those users and groups. It's basically psudo delegation. They can't create any new users.. it's a comprimise..not very elegant but effective. What  I was hoping for some magic permissions that I could apply that in combination would allow for user management, but I'm not having much luck.

 Maybe someday it will be easier to market the unit with it's own little mini AD infrastructure, but for now people are reluctant to have a 3rd party Active Directory running with-in their corporate network.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24822131

It makes sense why you cannot deploy an Active Directory environment.
However, using the method you describe is probably the only effective workaround at this time to delegate control. There is no simple 'Delegation of Control' wizard in non-Active Directory environments, unfortunately.

-Matt
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was asked if I could set up a fax machine so that incoming faxes were delivered to people's Exchange inboxes and so that they could send faxes from their desktops without needing to print the document first.  I knew it was possible but I had no id…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question