• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 698
  • Last Modified:

System Administrator Limited Active Directory Rights

I have a customer who would like their IT person to be able to manage computers and access shared data from a W2k3 SQL server and a SBS 2008 Server.  This person is currently a domain administrator and their boss would like them to not have access to other users mailboxes but still be able to perform thier daily duties.  Woudld removing them from the domain administrators group adding them to the "Domain Power User's" group be the right solution for this?  Any shared server resource access will be handled by sharing security, we just do not want them to logon locally to the SBS server or have the ability to look at higher management's email within exchange.
0
aungelbach
Asked:
aungelbach
  • 2
  • 2
2 Solutions
 
ChandarSCommented:
You can install the admin pack on the client system, so the will get the AD MMC.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

After that you can give "Account Operators" permission.
Here listed the deep list of rights, if you wnat some more

To know more http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
0
 
aungelbachAuthor Commented:
even though the account operators group allows logon locally to the server permissions, do they still have any ability to open anyone's exchange mailbox?
0
 
ChandarSCommented:
If then Add them to Deny logon locally

http://technet.microsoft.com/en-us/library/cc957048.aspx

They do not have any exchnage permission, if they want in near future then
http://support.microsoft.com/kb/823018
0
 
Adam BrownSr Solutions ArchitectCommented:
Managing user access is a little tricky if you've never done it before. Removing the IT person from the Domain Admins group and adding them to Account Operators is very likely to break their ability to do what they need to do on a daily basis. For instance, Account Operators don't have the ability to operate as Admins on Local computers by default, so this person won't be able to add device drivers or run a lot of scripts. Your best bet is to create a new group in Active Directory, Add the user to that group, and configure different permissions to block the person's access to specific things. Their membership in the Domain Admins group will allow them to do what they need to, and setting up Access Control to Deny access for the new group will result in that user being blocked from taking those actions. You'll also need to configure is so the IT person doesn't have the ability to modify those permissions. In reality, it all depends on what needs to be blocked and what the user needs to do.
0
 
aungelbachAuthor Commented:
a combination of all of these is what i will do.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now