Solved

System Administrator Limited Active Directory Rights

Posted on 2010-09-17
5
690 Views
Last Modified: 2012-05-10
I have a customer who would like their IT person to be able to manage computers and access shared data from a W2k3 SQL server and a SBS 2008 Server.  This person is currently a domain administrator and their boss would like them to not have access to other users mailboxes but still be able to perform thier daily duties.  Woudld removing them from the domain administrators group adding them to the "Domain Power User's" group be the right solution for this?  Any shared server resource access will be handled by sharing security, we just do not want them to logon locally to the SBS server or have the ability to look at higher management's email within exchange.
0
Comment
Question by:aungelbach
  • 2
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
ChandarS earned 250 total points
Comment Utility
You can install the admin pack on the client system, so the will get the AD MMC.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en

After that you can give "Account Operators" permission.
Here listed the deep list of rights, if you wnat some more

To know more http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
0
 

Author Comment

by:aungelbach
Comment Utility
even though the account operators group allows logon locally to the server permissions, do they still have any ability to open anyone's exchange mailbox?
0
 
LVL 4

Expert Comment

by:ChandarS
Comment Utility
If then Add them to Deny logon locally

http://technet.microsoft.com/en-us/library/cc957048.aspx

They do not have any exchnage permission, if they want in near future then
http://support.microsoft.com/kb/823018
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 250 total points
Comment Utility
Managing user access is a little tricky if you've never done it before. Removing the IT person from the Domain Admins group and adding them to Account Operators is very likely to break their ability to do what they need to do on a daily basis. For instance, Account Operators don't have the ability to operate as Admins on Local computers by default, so this person won't be able to add device drivers or run a lot of scripts. Your best bet is to create a new group in Active Directory, Add the user to that group, and configure different permissions to block the person's access to specific things. Their membership in the Domain Admins group will allow them to do what they need to, and setting up Access Control to Deny access for the new group will result in that user being blocked from taking those actions. You'll also need to configure is so the IT person doesn't have the ability to modify those permissions. In reality, it all depends on what needs to be blocked and what the user needs to do.
0
 

Author Closing Comment

by:aungelbach
Comment Utility
a combination of all of these is what i will do.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now