Solved

System Administrator Limited Active Directory Rights

Posted on 2010-09-17
Last Modified: 2012-05-10
I have a customer who would like their IT person to be able to manage computers and access shared data from a W2k3 SQL server and an SBS 2008 server. This person is currently a domain administrator, and their boss would like them to not have access to other users' mailboxes but still be able to perform their daily duties. Would removing them from the Domain Administrators group and adding them to the "Domain Power Users" group be the right solution for this? Any shared server resource access will be handled by share security; we just do not want them to log on locally to the SBS server or have the ability to look at higher management's email within Exchange.
Question by:aungelbach
5 Comments
Accepted Solution

by:
ChandarS earned 1000 total points
ID: 33703179
You can install the admin pack on the client system, so they will get the AD MMC.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

After that you can give them "Account Operators" permission.
The detailed list of rights is listed here, if you want some more.

To know more http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
Author Comment

by:aungelbach
ID: 33703240
Even though the Account Operators group allows "log on locally" permissions to the server, do they still have any ability to open anyone's Exchange mailbox?
Expert Comment

by:ChandarS
ID: 33703276
If so, add them to "Deny log on locally":

http://technet.microsoft.com/en-us/library/cc957048.aspx

They do not have any Exchange permission; if they want it in the near future, then:
http://support.microsoft.com/kb/823018
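The membership change the accepted solution describes, followed by the mailbox-access check the follow-up question asks about, as an added PowerShell example (not code from the thread or from Microsoft). It uses plain ADSI so it runs in PowerShell 2.0 against a Windows 2003 / SBS 2008 domain without the ActiveDirectory module; the Exchange part must be run in the Exchange 2007 Management Shell on the SBS box. The account name "itadmin" is assumed. One caveat the thread does not state: Account Operators can reset the password of any user not protected by AdminSDHolder, so unless management accounts are themselves in a protected group, the IT person could still reset a manager's password and open that mailbox by logging on as them. Microsoft's own guidance is to leave Account Operators empty and delegate on specific OUs instead.

```powershell
# Added example, not part of the thread. Moves the IT person's account out of
# Domain Admins into Account Operators, then audits what mailbox access remains.
# Account name below is hypothetical.
$sam = "itadmin"
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext

# Locate the user object by sAMAccountName
$searcher = New-Object System.DirectoryServices.DirectorySearcher("LDAP://$domainDN")
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "Account '$sam' not found in $domainDN" }
$userPath = $result.Path        # e.g. LDAP://CN=itadmin,CN=Users,DC=corp,DC=local

# Domain Admins lives in CN=Users, Account Operators in CN=Builtin
$domainAdmins     = [ADSI]"LDAP://CN=Domain Admins,CN=Users,$domainDN"
$accountOperators = [ADSI]"LDAP://CN=Account Operators,CN=Builtin,$domainDN"

if ($domainAdmins.IsMember($userPath)) {
    $domainAdmins.Remove($userPath)
    Write-Host "Removed $sam from Domain Admins"
}
if (-not $accountOperators.IsMember($userPath)) {
    $accountOperators.Add($userPath)
    Write-Host "Added $sam to Account Operators"
}

# Confirm from the user's side. adminCount stays 1 because Account Operators is
# itself a protected (AdminSDHolder) group.
$user = [ADSI]$userPath
"memberOf now: " + ($user.memberOf -join "; ")
"adminCount:   " + $user.adminCount

# --- Exchange 2007 Management Shell from here ---------------------------------
# Explicit, non-inherited per-mailbox grants to this account (FullAccess etc.)
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.User -like "*\$sam" -and -not $_.IsInherited } |
    Format-Table Identity, User, AccessRights, Deny -AutoSize

# Receive-As at database level opens every mailbox in that database, so list
# every non-deny holder of it and look for the account or groups it belongs to.
Get-MailboxDatabase | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "*Receive-As*" -and -not $_.Deny } |
    Format-Table Identity, User, Deny -AutoSize
```

Run the first part as a Domain Admin from a workstation with the admin pack installed, and the Exchange part on the SBS server. An empty result from both Exchange queries for the account means no explicit mailbox rights are left; "Deny log on locally" is still a separate Group Policy setting and is not checked here.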
Assisted Solution

by:Adam Brown
Adam Brown earned 1000 total points
ID: 33703760
Managing user access is a little tricky if you've never done it before. Removing the IT person from the Domain Admins group and adding them to Account Operators is very likely to break their ability to do what they need to do on a daily basis. For instance, Account Operators don't have the ability to operate as Admins on local computers by default, so this person won't be able to add device drivers or run a lot of scripts. Your best bet is to create a new group in Active Directory, add the user to that group, and configure different permissions to block the person's access to specific things. Their membership in the Domain Admins group will allow them to do what they need to, and setting up access control to Deny access for the new group will result in that user being blocked from taking those actions. You'll also need to configure it so the IT person doesn't have the ability to modify those permissions. In reality, it all depends on what needs to be blocked and what the user needs to do.
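The "new group plus explicit Deny" approach from the assisted solution, as an added example (not code from the thread). It creates a dedicated group, denies that group FullAccess on management mailboxes and Receive-As on the mailbox database, and denies it the Reset Password and Write DACL/Owner rights on the management user objects so the IT person can neither take over those accounts nor strip the deny entries through the normal ACL editor. All names (NetBIOS domain CORP, OU=Executives, group IT-Restricted, account itadmin) are assumptions. Run it in the Exchange 2007 Management Shell on the SBS server as a Domain Admin; dsacls.exe comes with the Windows 2003 / 2008 admin tools. The caveat a practitioner should keep in mind: an account that stays in Domain Admins holds the take-ownership privilege on domain controllers, so it can still seize ownership of any object and rewrite its ACL. Deny entries on a Domain Admin raise the effort and leave an audit trail; they are not a security boundary.

```powershell
# Added example, not part of the thread. Dedicated group with explicit Deny
# entries on management mailboxes and accounts. Names are hypothetical.
$domainDN  = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$netbios   = "CORP"                              # assumed NetBIOS domain name
$groupName = "IT-Restricted"                     # assumed group name
$execOU    = "OU=Executives,$domainDN"           # assumed OU holding management accounts
$itUserDN  = "CN=itadmin,CN=Users,$domainDN"     # assumed IT account

# 1. Create a global security group (groupType 0x80000002) if it is missing,
#    and put the IT account in it.
$usersContainer = [ADSI]"LDAP://CN=Users,$domainDN"
$groupPath = "LDAP://CN=$groupName,CN=Users,$domainDN"
if (-not [ADSI]::Exists($groupPath)) {
    $g = $usersContainer.Create("group", "CN=$groupName")
    $g.Put("sAMAccountName", $groupName)
    $g.Put("groupType", -2147483646)
    $g.SetInfo()
}
$group = [ADSI]$groupPath
if (-not $group.IsMember("LDAP://$itUserDN")) { $group.Add("LDAP://$itUserDN") }

# 2. Mailboxes: an explicit Deny wins over the access the account inherits
#    through Domain Admins / Exchange admin groups.
$execs = Get-Mailbox -OrganizationalUnit $execOU -ResultSize Unlimited
foreach ($mbx in $execs) {
    Add-MailboxPermission -Identity $mbx.Identity -User "$netbios\$groupName" `
        -AccessRights FullAccess -Deny -Confirm:$false
}
#    Receive-As on the database would reopen every mailbox, so deny it there too.
Get-MailboxDatabase | ForEach-Object {
    Add-ADPermission -Identity $_.Identity -User "$netbios\$groupName" `
        -ExtendedRights Receive-As -Deny -Confirm:$false
}

# 3. AD side, inherited by user objects under the OU (/I:S = sub-objects only):
#    no password reset (would allow logging on as the manager) and no Write
#    DACL / Write Owner (would allow removing these deny entries).
dsacls "$execOU" /I:S /D "$netbios\${groupName}:CA;Reset Password;user"
dsacls "$execOU" /I:S /D "$netbios\${groupName}:WDWO;;user"

# 4. Verify: each management mailbox should now show a Deny row for the group
foreach ($mbx in $execs) {
    Get-MailboxPermission -Identity $mbx.Identity -User "$netbios\$groupName" |
        Format-Table Identity, User, AccessRights, Deny -AutoSize
}
```

Because the account keeps its Domain Admins rights, pair this with auditing of permission changes on the Executives OU and on the mailbox database objects, so a removed Deny entry is at least visible in the Security log.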
Author Closing Comment

by:aungelbach
ID: 33841584
A combination of all of these is what I will do.