Solved

How to assign limited access server login to SBS 2008

Posted on 2010-08-24
7
714 Views
Last Modified: 2012-05-10
We have installed a small business server 2008 for a SMB that has requested the office manager be allowed "limited access" login rights to the server.

Ideally he would only be able to perform small tasks such as user creation, deletion change of email alias etc.  

The Domain Power user profile seems  to have been removed from SBS2008 and we can not find another built in group which has replaced it
0
Comment
Question by:KCITS
  • 3
  • 3
7 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 33516945
Power Users don't exist in Server 2008 at all, not just SBS.
The ability to create users is actually a *big* privilege as it means direct access to AD. There is no good easy way to grant that acces in a small AD environment without handing over the entire "keys to the castle."
You'll basically need to create a new security group, grant it privileges via security policies, and then use delegated permissoins via the AD snap-ins directly. Then make the user a member of that group.
It won't be easy, it won't be fun to maintain, and it'll be an auditing nightmare. In short, only do this if absolutely necessary. Spell out the time and cost investment and make sure that they actually want to do this.
-Cliff
 
0
 
LVL 1

Author Comment

by:KCITS
ID: 33516983
Thanks Cliff

Had a feeling that the resolution would be a messy one, I will accept your solution and delve into more deeply. We really do not want an office user to have unlimited access to a domain controller.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33517016
Hi,

The "Account Operators" group would probably do the trick, here.
Screen-shot-2010-08-24-at-7.51.1.png
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 1

Author Comment

by:KCITS
ID: 33517348
Hi firebar

I noticed this group and although have not tested it read about the permissions of this group at the link below, it seem as though this role may also have way too much responsibility.

http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx 

On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Because this group has significant power on domain controllers, add users with caution.

Back up files and directories; Change the system time; Force shutdown from a remote system; Allow log on locally; Restore files and directories; Shut down the system.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527127
What would be the chance of a member of this group having the skill to do all of the tasks listed in the article? Trust, but audit.
0
 
LVL 1

Author Comment

by:KCITS
ID: 33527474
Hi Firebar

I would prefer not let them have the ability to do any accidental harm, there are many "Toys" in SBS 2008 for an inquisitive person, and I guess they could cause quite a bit of damage with this level of access. How good an audit of their movements could be done of their actions when they are logged in?
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 33527526
I understand and can agree, but the only alternative is to create a custom group and manage user rights through group/security policies. There is a line where one approaches, that it may become worth one's time to evaluate whether or not the target user should even have access.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now