How to assign limited access server login to SBS 2008

Posted on 2010-08-24
Last Modified: 2012-05-10
We have installed a Small Business Server 2008 for an SMB that has requested the office manager be allowed "limited access" login rights to the server.

Ideally he would only be able to perform small tasks such as user creation, deletion, change of email alias, etc.

The Domain Power user profile seems to have been removed from SBS 2008 and we cannot find another built-in group which has replaced it.
Question by:KCITS
7 Comments
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 33516945
Power Users don't exist in Server 2008 at all, not just SBS.
The ability to create users is actually a *big* privilege as it means direct access to AD. There is no good easy way to grant that access in a small AD environment without handing over the entire "keys to the castle."
You'll basically need to create a new security group, grant it privileges via security policies, and then use delegated permissions via the AD snap-ins directly. Then make the user a member of that group.
It won't be easy, it won't be fun to maintain, and it'll be an auditing nightmare. In short, only do this if absolutely necessary. Spell out the time and cost investment and make sure that they actually want to do this.
-Cliff
 
0
 
LVL 1

Author Comment

by:KCITS
ID: 33516983
Thanks Cliff

Had a feeling that the resolution would be a messy one. I will accept your solution and delve into it more deeply. We really do not want an office user to have unlimited access to a domain controller.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33517016
Hi,

The "Account Operators" group would probably do the trick, here.
0
LVL 1

Author Comment

by:KCITS
ID: 33517348
Hi firebar

I noticed this group and, although I have not tested it, read about the permissions of this group at the link below; it seems as though this role may also have way too much responsibility.

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx 

On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.

Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527127
What would be the chance of a member of this group having the skill to do all of the tasks listed in the article? Trust, but audit.
0
 
LVL 1

Author Comment

by:KCITS
ID: 33527474
Hi Firebar

I would prefer not to let them have the ability to do any accidental harm; there are many "Toys" in SBS 2008 for an inquisitive person, and I guess they could cause quite a bit of damage with this level of access. How good an audit of their movements and actions could be done when they are logged in?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527526
I understand and can agree, but the only alternative is to create a custom group and manage user rights through group/security policies. There is a line where one approaches, that it may become worth one's time to evaluate whether or not the target user should even have access.
0
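
The custom-group approach from the accepted answer, combined with the auditing raised later in the thread, can be sketched with the command-line tools that ship with Server 2008. This is an added example, not code from any poster here; the domain, OU, group and account names are placeholders, and it assumes the staff accounts sit in a dedicated OU.

```powershell
# Added example. Every name below is a placeholder to replace with your own.
$usersOu   = 'OU=Staff,DC=example,DC=local'      # OU that holds only staff accounts
$groupDn   = 'CN=Staff Account Admins,OU=Groups,DC=example,DC=local'
$groupSam  = 'EXAMPLE\Staff Account Admins'
$managerDn = "CN=Office Manager,$usersOu"

# 1. Custom security group (global scope) with the office manager as its only member.
dsadd group $groupDn -secgrp yes -scope g -samid 'Staff Account Admins' -members $managerDn

# 2. Delegated permissions, scoped to the one OU rather than the domain.
#    CC/DC = create/delete child objects of class "user" in this OU and below.
dsacls $usersOu /I:T /G "${groupSam}:CCDC;user"
#    Control of the user objects that live under the OU (/I:S = descendants only).
dsacls $usersOu /I:S /G "${groupSam}:GA;;user"

# 3. Confirm what was granted: list the ACL entries that mention the group.
dsacls $usersOu | Select-String 'Staff Account Admins'

# 4. Audit account changes made on the domain controller.
auditpol /set '/subcategory:User Account Management' /success:enable /failure:enable

# 5. Review the most recent account events:
#    4720 created, 4726 deleted, 4724 password reset attempt, 4738 changed.
$query = '*[System[(EventID=4720 or EventID=4726 or EventID=4724 or EventID=4738)]]'
wevtutil qe Security "/q:$query" /c:20 /rd:true /f:text
```

Category-level audit settings applied through Group Policy can override subcategory settings made with auditpol unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.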
