Improve company productivity with a Business Account.Sign Up

x
?
Solved

How to assign limited access server login to SBS 2008

Posted on 2010-08-24
7
Medium Priority
?
730 Views
Last Modified: 2012-05-10
We have installed a small business server 2008 for a SMB that has requested the office manager be allowed "limited access" login rights to the server.

Ideally he would only be able to perform small tasks such as user creation, deletion change of email alias etc.  

The Domain Power user profile seems  to have been removed from SBS2008 and we can not find another built in group which has replaced it
0
Comment
Question by:KCITS
  • 3
  • 3
7 Comments
 
LVL 61

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 33516945
Power Users don't exist in Server 2008 at all, not just SBS.
The ability to create users is actually a *big* privilege as it means direct access to AD. There is no good easy way to grant that acces in a small AD environment without handing over the entire "keys to the castle."
You'll basically need to create a new security group, grant it privileges via security policies, and then use delegated permissoins via the AD snap-ins directly. Then make the user a member of that group.
It won't be easy, it won't be fun to maintain, and it'll be an auditing nightmare. In short, only do this if absolutely necessary. Spell out the time and cost investment and make sure that they actually want to do this.
-Cliff
 
0
 
LVL 1

Author Comment

by:KCITS
ID: 33516983
Thanks Cliff

Had a feeling that the resolution would be a messy one, I will accept your solution and delve into more deeply. We really do not want an office user to have unlimited access to a domain controller.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33517016
Hi,

The "Account Operators" group would probably do the trick, here.
Screen-shot-2010-08-24-at-7.51.1.png
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
LVL 1

Author Comment

by:KCITS
ID: 33517348
Hi firebar

I noticed this group and although have not tested it read about the permissions of this group at the link below, it seem as though this role may also have way too much responsibility.

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx 

On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.

Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527127
What would be the chance of a member of this group having the skill to do all of the tasks listed in the article? Trust, but audit.
0
 
LVL 1

Author Comment

by:KCITS
ID: 33527474
Hi Firebar

I would prefer not let them have the ability to do any accidental harm, there are many "Toys" in SBS 2008 for an inquisitive person, and I guess they could cause quite a bit of damage with this level of access. How good an audit of their movements could be done of their actions when they are logged in?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527526
I understand and can agree, but the only alternative is to create a custom group and manage user rights through group/security policies. There is a line where one approaches, that it may become worth one's time to evaluate whether or not the target user should even have access.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
There’s hardly a doubt that Business Communication is indispensable for both enterprises and small businesses, and if there is an email system outage owing to Exchange server failure, it definitely results in loss of productivity.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question