benjilafouine

Granting local access to a specific Windows 2008 domain controller

Hi,

I don't know if anyone has tried this on Windows 2008 R2, but I am trying to see if I could grant "log on locally" access to one specific (non-admin) user on a specific Windows 2008 R2 domain controller so that he can act as a sort of "server operator".

I mainly want this user to be able to reboot the server if there is some problem with it, and also to copy a few files between folders and check whether the backup ran correctly.

However, this user should not have access to see the directory tree (because I do not want him to view the usernames of other business units in the same AD domain).

I was thinking, for a start, of granting him the "Allow log on locally" right directly on the DC in question, but even with the domain administrator account this setting is grayed out.

Any clue on how I could achieve that? I absolutely can't grant this user administrator rights.

Thanks.

Benji
Justin Owens

I know for a fact you cannot grant "Log on locally" to a domain controller.

I am fairly certain that you cannot accomplish your goals as you set them forth in this Question.

Justin
benjilafouine

ASKER

That's my feeling too, but I am hoping some answer will show up. My other option is to leave the server as a domain member, but since it is at the other end of a VPN there could be performance issues.
That is the conundrum of remote administration.
ASKER CERTIFIED SOLUTION
Mike Kline

[Solution text available to members only]
I should have been more specific when I said you can't grant "log on locally" rights... I meant in a usable way. My apologies.
That is true: you don't have the ability to customize a DC's local logon the way you would be able to with a member server.

Also, by giving access to a DC you are giving certain abilities and access to the DC that you don't want non-Domain Admins to have. Even though they can't access AD Users and Computers, they still have access to the DB and to other services that can access AD and corrupt it.
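Added example, not part of the thread: a PowerShell check of which principals currently hold the logon, shutdown and backup rights on a server. On a domain controller these user rights come from the Default Domain Controllers Policy GPO rather than from the local security policy (which is why the local editor shows them grayed out, as the asker saw), so exporting the effective policy with secedit.exe is the quickest way to see who actually has them. The list of "expected" well-known SIDs, the right names of interest and the temp file path are assumptions made for this example.

```powershell
# Added example (not from the thread). Exports the effective local security
# policy with secedit.exe (ships with Windows), pulls the [Privilege Rights]
# entries we care about, resolves the SIDs to names and flags anything outside
# the set of principals that normally hold these rights on a domain controller.
# Run from an elevated PowerShell prompt on the server you want to audit.

$rightsOfInterest = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
    SeShutdownPrivilege           = 'Shut down the system'
    SeRemoteShutdownPrivilege     = 'Force shutdown from a remote system'
    SeBackupPrivilege             = 'Back up files and directories'
    SeRestorePrivilege            = 'Restore files and directories'
}

# Assumption for this example: well-known SIDs that are expected to hold these
# rights on a DC. Anything else gets a warning so a human can explain it.
$expected = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-548' = 'BUILTIN\Account Operators'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'
    'S-1-5-32-550' = 'BUILTIN\Print Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
    'S-1-5-9'      = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
}

$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f $PID)   # temp path is an assumption
& secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt." }

try {
    $rows = foreach ($line in Get-Content $cfg) {
        # Entries look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.Contains($matches[1])) {
            $right = $matches[1]
            foreach ($entry in ($matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
                $sid  = $entry.TrimStart('*')
                $name = $entry
                if ($entry.StartsWith('*')) {
                    try {
                        $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                    [System.Security.Principal.NTAccount]).Value
                    } catch { $name = $sid }   # orphaned SID (deleted account or lost trust)
                }
                [pscustomobject]@{
                    Right     = $rightsOfInterest[$right]
                    Principal = $name
                    Expected  = $expected.ContainsKey($sid)
                }
            }
        }
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue   # don't leave the policy dump in %TEMP%
}

$rows | Sort-Object Right, Principal | Format-Table -AutoSize
$rows | Where-Object { -not $_.Expected } |
    ForEach-Object { Write-Warning ("{0}: non-default principal '{1}'" -f $_.Right, $_.Principal) }
```

The "expected" set describes a domain controller; on a member server (the asker's fallback plan) the defaults are different, so treat the warnings as review prompts rather than findings. The script only shows who holds rights on the server itself; it says nothing about who can read the directory, which is a separate question from logon and shutdown rights.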
SOLUTION
[Solution text available to members only]
Thanks for all the answers.

First, I believe that it would be easier if the server were not a DC. Since it will serve only 5 users (only one power user), I may take the chance and set the server up as a member server only. I have done that for another client (3 users), and the site-to-site VPN tunnel between the two locations seems to be fast and solid enough to handle Kerberos and DNS operations. That way, letting the user log on to the server would become easier (he could be a local admin only, as on PCs).

If I run into some latency with the requests, I will promote the server to a DC and then I will follow recommendations from Americom and Mike and make sure this only gives the user the rights I want him to have.

Note: I have started "hosting" very small companies directly in my own Windows domain for data replication purposes, web site hosting and also providing Exchange email addresses (my server manages several Internet domains), so they don't even have a network admin onsite (I am the part-time admin). However, I like to have someone at the client who can at least reboot the server if I am unavailable, but there is some stuff they should not be allowed to see (hiding an OU with a delegation is also a good suggestion).

Benji
I will still have some testing to do but I assume it will work.