?
Solved

How to assign limited access server login to SBS 2008

Posted on 2010-08-24
7
Medium Priority
?
721 Views
Last Modified: 2012-05-10
We have installed a small business server 2008 for a SMB that has requested the office manager be allowed "limited access" login rights to the server.

Ideally he would only be able to perform small tasks such as user creation, deletion change of email alias etc.  

The Domain Power user profile seems  to have been removed from SBS2008 and we can not find another built in group which has replaced it
0
Comment
Question by:KCITS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 33516945
Power Users don't exist in Server 2008 at all, not just SBS.
The ability to create users is actually a *big* privilege as it means direct access to AD. There is no good easy way to grant that acces in a small AD environment without handing over the entire "keys to the castle."
You'll basically need to create a new security group, grant it privileges via security policies, and then use delegated permissoins via the AD snap-ins directly. Then make the user a member of that group.
It won't be easy, it won't be fun to maintain, and it'll be an auditing nightmare. In short, only do this if absolutely necessary. Spell out the time and cost investment and make sure that they actually want to do this.
-Cliff
 
0
 
LVL 1

Author Comment

by:KCITS
ID: 33516983
Thanks Cliff

Had a feeling that the resolution would be a messy one, I will accept your solution and delve into more deeply. We really do not want an office user to have unlimited access to a domain controller.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33517016
Hi,

The "Account Operators" group would probably do the trick, here.
Screen-shot-2010-08-24-at-7.51.1.png
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 1

Author Comment

by:KCITS
ID: 33517348
Hi firebar

I noticed this group and although have not tested it read about the permissions of this group at the link below, it seem as though this role may also have way too much responsibility.

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx 

On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.

Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527127
What would be the chance of a member of this group having the skill to do all of the tasks listed in the article? Trust, but audit.
0
 
LVL 1

Author Comment

by:KCITS
ID: 33527474
Hi Firebar

I would prefer not let them have the ability to do any accidental harm, there are many "Toys" in SBS 2008 for an inquisitive person, and I guess they could cause quite a bit of damage with this level of access. How good an audit of their movements could be done of their actions when they are logged in?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527526
I understand and can agree, but the only alternative is to create a custom group and manage user rights through group/security policies. There is a line where one approaches, that it may become worth one's time to evaluate whether or not the target user should even have access.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question