Solved

How do i create administrator that able to manage users but unable to access users files ? (win2008)

Posted on 2011-03-10
6
343 Views
Last Modified: 2012-05-11
Is it possible to create such administrator ? One that can create, modify, delete user but unable to gain access to users files.
0
Comment
Question by:fluxbox
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 8

Expert Comment

by:afthab
ID: 35105094
There are limitations for customization . ... In real cases it is not possible but it depends the environment.

Is this domain administrator ? Which files/folders should be blocked for the particular user ?
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35105535
In permisions the most restrictive is applied.
You could place a user in the administrators or domain administrators group that would allow them to create and manage users.
Then configure their user to be denied access to a set of user files.

Even though as the administrator they would have access to the files, the deny permission would be applied keeping them out.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35106423
Well, you can put them into the Account Operators group, which is a much better idea than making them a domain admin because a domain admin would be able to change the NTFS permissions on a server.
http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx

If the Account Operators have too much power, you can delegate permissions in AD at a very granular level.
http://www.tech-faq.com/how-to-delegate-administrator-privileges-in-active-directory.html
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 

Author Comment

by:fluxbox
ID: 35114432
@afthab
Particularly, i don't want the aid administrator gain access to users profile. e.g. c:\users\<username>\

@austincomputerlabs
i tried, it works but he can forcefully take ownership. now, how do i prevent this account (which is in administrators group) from taking ownership.

@kevinhsieh
the server is a TS server not connected to AD. but i'll try anyway, i'll post result
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 35115041
There is no way that I know of to allow a non-administrator to manage the local users on a computer. If you do make someone an administrator, it is not possible to prevent them from accessing any of the files. Anything that you do such as put an explicit deny on the folders can be changed by an administrator.  What you want can be done on a domain level, but not on a machine level. My suggestion is that you need to trust your "administrators", or join the TS server to your domain.
0
 

Author Comment

by:fluxbox
ID: 35134636
Yeah, i guess there is no around it. Moving it to domain is the way to go.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question