Solved

System Administrator Limited Active Directory Rights

Posted on 2010-09-17
5
692 Views
Last Modified: 2012-05-10
I have a customer who would like their IT person to be able to manage computers and access shared data from a W2k3 SQL server and a SBS 2008 Server.  This person is currently a domain administrator and their boss would like them to not have access to other users mailboxes but still be able to perform thier daily duties.  Woudld removing them from the domain administrators group adding them to the "Domain Power User's" group be the right solution for this?  Any shared server resource access will be handled by sharing security, we just do not want them to logon locally to the SBS server or have the ability to look at higher management's email within exchange.
0
Comment
Question by:aungelbach
  • 2
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
ChandarS earned 250 total points
ID: 33703179
You can install the admin pack on the client system, so the will get the AD MMC.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

After that you can give "Account Operators" permission.
Here listed the deep list of rights, if you wnat some more

To know more http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
0
 

Author Comment

by:aungelbach
ID: 33703240
even though the account operators group allows logon locally to the server permissions, do they still have any ability to open anyone's exchange mailbox?
0
 
LVL 4

Expert Comment

by:ChandarS
ID: 33703276
If then Add them to Deny logon locally

http://technet.microsoft.com/en-us/library/cc957048.aspx

They do not have any exchnage permission, if they want in near future then
http://support.microsoft.com/kb/823018
0
 
LVL 39

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
ID: 33703760
Managing user access is a little tricky if you've never done it before. Removing the IT person from the Domain Admins group and adding them to Account Operators is very likely to break their ability to do what they need to do on a daily basis. For instance, Account Operators don't have the ability to operate as Admins on Local computers by default, so this person won't be able to add device drivers or run a lot of scripts. Your best bet is to create a new group in Active Directory, Add the user to that group, and configure different permissions to block the person's access to specific things. Their membership in the Domain Admins group will allow them to do what they need to, and setting up Access Control to Deny access for the new group will result in that user being blocked from taking those actions. You'll also need to configure is so the IT person doesn't have the ability to modify those permissions. In reality, it all depends on what needs to be blocked and what the user needs to do.
0
 

Author Closing Comment

by:aungelbach
ID: 33841584
a combination of all of these is what i will do.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question