Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

System Administrator Limited Active Directory Rights

Posted on 2010-09-17
5
Medium Priority
?
697 Views
Last Modified: 2012-05-10
I have a customer who would like their IT person to be able to manage computers and access shared data from a W2k3 SQL server and a SBS 2008 Server.  This person is currently a domain administrator and their boss would like them to not have access to other users mailboxes but still be able to perform thier daily duties.  Woudld removing them from the domain administrators group adding them to the "Domain Power User's" group be the right solution for this?  Any shared server resource access will be handled by sharing security, we just do not want them to logon locally to the SBS server or have the ability to look at higher management's email within exchange.
0
Comment
Question by:aungelbach
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
ChandarS earned 1000 total points
ID: 33703179
You can install the admin pack on the client system, so the will get the AD MMC.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

After that you can give "Account Operators" permission.
Here listed the deep list of rights, if you wnat some more

To know more http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
0
 

Author Comment

by:aungelbach
ID: 33703240
even though the account operators group allows logon locally to the server permissions, do they still have any ability to open anyone's exchange mailbox?
0
 
LVL 4

Expert Comment

by:ChandarS
ID: 33703276
If then Add them to Deny logon locally

http://technet.microsoft.com/en-us/library/cc957048.aspx

They do not have any exchnage permission, if they want in near future then
http://support.microsoft.com/kb/823018
0
 
LVL 43

Assisted Solution

by:Adam Brown
Adam Brown earned 1000 total points
ID: 33703760
Managing user access is a little tricky if you've never done it before. Removing the IT person from the Domain Admins group and adding them to Account Operators is very likely to break their ability to do what they need to do on a daily basis. For instance, Account Operators don't have the ability to operate as Admins on Local computers by default, so this person won't be able to add device drivers or run a lot of scripts. Your best bet is to create a new group in Active Directory, Add the user to that group, and configure different permissions to block the person's access to specific things. Their membership in the Domain Admins group will allow them to do what they need to, and setting up Access Control to Deny access for the new group will result in that user being blocked from taking those actions. You'll also need to configure is so the IT person doesn't have the ability to modify those permissions. In reality, it all depends on what needs to be blocked and what the user needs to do.
0
 

Author Closing Comment

by:aungelbach
ID: 33841584
a combination of all of these is what i will do.
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question