How do I create an administrator that is able to manage users but unable to access users' files? (Win2008)

Is it possible to create such an administrator? One that can create, modify, and delete users but is unable to gain access to users' files.
0
fluxbox Asked:
 
afthab Commented:
There are limitations to customization... In real cases it is not possible, but it depends on the environment.

Is this a domain administrator? Which files/folders should be blocked for the particular user?
0
 
AustinComputerLabs Commented:
In permissions, the most restrictive is applied.
You could place a user in the administrators or domain administrators group that would allow them to create and manage users.
Then configure their user to be denied access to a set of user files.

Even though as the administrator they would have access to the files, the deny permission would be applied keeping them out.
0
 
kevinhsieh Commented:
Well, you can put them into the Account Operators group, which is a much better idea than making them a domain admin because a domain admin would be able to change the NTFS permissions on a server.
http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx

If the Account Operators have too much power, you can delegate permissions in AD at a very granular level.
http://www.tech-faq.com/how-to-delegate-administrator-privileges-in-active-directory.html
0
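Added example (not part of any post in this thread): one way to do the granular AD delegation mentioned above with `dsacls`, so that a group can create, delete and manage user objects in one OU without holding any administrator membership that would let it change NTFS permissions. The OU, domain and group names are placeholders, and the script assumes a domain-joined machine with the AD DS tools and the ActiveDirectory PowerShell module installed.

```powershell
# Placeholders (assumptions, not values from the thread).
$OuDn     = 'OU=Staff,DC=example,DC=com'   # OU that holds the managed user accounts
$GroupSam = 'UserManagers'                 # delegated group (sAMAccountName)
$Trustee  = "EXAMPLE\$GroupSam"

# Two grants, roughly what the "create, delete, and manage user accounts"
# delegation task sets up:
#   CCDC;user  -> create/delete child objects of class user in this OU and sub-OUs
#   GA;;user   -> full control, inherited only onto descendant user objects
$grants = @(
    @{ Inherit = '/I:T'; Right = "${Trustee}:CCDC;user" }
    @{ Inherit = '/I:S'; Right = "${Trustee}:GA;;user" }
)

foreach ($g in $grants) {
    & dsacls.exe $OuDn $g.Inherit /G $g.Right
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $($g.Right)" }
}

# Show the ACEs that now mention the delegated group.
& dsacls.exe $OuDn | Select-String -SimpleMatch $GroupSam

# The delegation only achieves the separation if the group is not also
# privileged elsewhere. This checks direct memberships only; nested
# memberships need a recursive walk.
Import-Module ActiveDirectory
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$memberOf   = Get-ADPrincipalGroupMembership -Identity $GroupSam |
              Select-Object -ExpandProperty Name
$overlap    = $memberOf | Where-Object { $privileged -contains $_ }

if ($overlap) {
    Write-Warning "$GroupSam is a member of: $($overlap -join ', ')"
} else {
    Write-Output "$GroupSam holds no direct membership in the privileged groups checked."
}
```

Members of the delegated group must also stay out of the local Administrators group on the server that stores the profiles; otherwise the take-ownership problem described later in the thread still applies.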
 
fluxbox (Author) Commented:
@afthab
Particularly, I don't want the aid administrator to gain access to users' profiles, e.g. c:\users\<username>\

@austincomputerlabs
I tried; it works, but he can forcefully take ownership. Now, how do I prevent this account (which is in the Administrators group) from taking ownership?

@kevinhsieh
The server is a TS server not connected to AD, but I'll try anyway. I'll post the result.
0
 
kevinhsieh Commented:
There is no way that I know of to allow a non-administrator to manage the local users on a computer. If you do make someone an administrator, it is not possible to prevent them from accessing any of the files. Anything that you do such as put an explicit deny on the folders can be changed by an administrator.  What you want can be done on a domain level, but not on a machine level. My suggestion is that you need to trust your "administrators", or join the TS server to your domain.
0
 
fluxbox (Author) Commented:
Yeah, I guess there is no way around it. Moving it to a domain is the way to go.
0
