Solved

How to assign limited access server login to SBS 2008

Posted on 2010-08-24
7
712 Views
Last Modified: 2012-05-10
We have installed a small business server 2008 for a SMB that has requested the office manager be allowed "limited access" login rights to the server.

Ideally he would only be able to perform small tasks such as user creation, deletion change of email alias etc.  

The Domain Power user profile seems  to have been removed from SBS2008 and we can not find another built in group which has replaced it
0
Comment
Question by:KCITS
  • 3
  • 3
7 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
Comment Utility
Power Users don't exist in Server 2008 at all, not just SBS.
The ability to create users is actually a *big* privilege as it means direct access to AD. There is no good easy way to grant that acces in a small AD environment without handing over the entire "keys to the castle."
You'll basically need to create a new security group, grant it privileges via security policies, and then use delegated permissoins via the AD snap-ins directly. Then make the user a member of that group.
It won't be easy, it won't be fun to maintain, and it'll be an auditing nightmare. In short, only do this if absolutely necessary. Spell out the time and cost investment and make sure that they actually want to do this.
-Cliff
 
0
 
LVL 1

Author Comment

by:KCITS
Comment Utility
Thanks Cliff

Had a feeling that the resolution would be a messy one, I will accept your solution and delve into more deeply. We really do not want an office user to have unlimited access to a domain controller.
0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
Hi,

The "Account Operators" group would probably do the trick, here.
Screen-shot-2010-08-24-at-7.51.1.png
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:KCITS
Comment Utility
Hi firebar

I noticed this group and although have not tested it read about the permissions of this group at the link below, it seem as though this role may also have way too much responsibility.

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx

On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.

Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.
0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
What would be the chance of a member of this group having the skill to do all of the tasks listed in the article? Trust, but audit.
0
 
LVL 1

Author Comment

by:KCITS
Comment Utility
Hi Firebar

I would prefer not let them have the ability to do any accidental harm, there are many "Toys" in SBS 2008 for an inquisitive person, and I guess they could cause quite a bit of damage with this level of access. How good an audit of their movements could be done of their actions when they are logged in?
0
 
LVL 27

Expert Comment

by:Jason Watkins
Comment Utility
I understand and can agree, but the only alternative is to create a custom group and manage user rights through group/security policies. There is a line where one approaches, that it may become worth one's time to evaluate whether or not the target user should even have access.
0

Featured Post

Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

Join & Write a Comment

I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now