a77
asked on
delegate control to a domain user without letting him have access to AD
Hello,
I want to install Symantec Endpoint Protection Manager on my domain controller (whether it's a good idea or not), and I want to let a domain user manage it. So I want to give him permission to connect to the server via RDP and manage the antivirus manager, but I don't want him to be able to do anything more, like messing around with AD or any other role: just the ability to manage that manager and log off. How can I do that?
(I'm using Windows Server 2008 R2, btw.)
Thanks!
If you install Symantec Endpoint Protection Manager on a domain controller, you will face a lot of problems with your clients which are the members of the domain controller. I had a very bad experience with this: when I installed it I had several issues and finally decided to remove it.
What I would suggest is to install it on a normal computer, give local admin access to any of your guys, and let him manage it.
Anyhow, if you really want to install it on the domain controller, you can put the user in the group "your domain\Remote Desktop Users". That way he can log on to the DC but has no administrative rights on it. Though this is definitely not best practice, I guess you should be pretty safe that way.
kevinhsieh,
> It is also possible to give access to ALL Domain Controllers by adding to the domain Remote Desktop users group.
> That doesn't require domain admin rights.
By default local security policy on Domain Controllers (via Default Domain Controllers Policy) only grants RDP access to members of the Administrators group. Allow log on locally is marginally less restrictive, but I can't really recommend making the user into that.
I like your first suggestion though, local copy of the console is preferable :)
Chris
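The following is an added example, not written by any poster in this thread. It checks the point made in the reply above about user rights on a Domain Controller by parsing a `secedit /export` user-rights file and reporting whether BUILTIN\Remote Desktop Users holds the RDP logon right. The function name, the file path and the sample lines are assumptions made for illustration.

```powershell
# Added example. On the server, from an elevated prompt, export the rights first:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
# then: Get-LogonRightHolders -InfLines (Get-Content C:\Temp\rights.inf)
function Get-LogonRightHolders {      # hypothetical helper name
    param([string[]]$InfLines)
    $rights = @{
        SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
        SeInteractiveLogonRight           = 'Allow log on locally'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    }
    foreach ($line in $InfLines) {
        if ($line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        if (-not $rights.ContainsKey($name)) { continue }
        foreach ($entry in ($Matches[2] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $holder = $entry
            if ($entry.StartsWith('*')) {          # "*S-1-5-..." means a raw SID
                $sid = $entry.Substring(1)
                try {
                    $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $holder = $obj.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $holder = $sid }         # unresolvable: report the SID itself
            }
            New-Object PSObject -Property @{
                Right = $name; Policy = $rights[$name]; Holder = $holder; Raw = $entry }
        }
    }
}

# Constructed sample: only Administrators (S-1-5-32-544) hold the RDP logon right.
$sample = @(
    '[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551',
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544'
)
$holders = @(Get-LogonRightHolders -InfLines $sample)
$holders | Sort-Object Right | Format-Table Policy, Holder -AutoSize

$rduSid = '*S-1-5-32-555'                           # BUILTIN\Remote Desktop Users
$hit = $holders | Where-Object {
    $_.Right -eq 'SeRemoteInteractiveLogonRight' -and $_.Raw -eq $rduSid }
if ($hit) {
    'Remote Desktop Users holds the RDP logon right here.'
} else {
    'Remote Desktop Users lacks the RDP logon right; group membership alone will not permit RDP logon.'
}
```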
You cannot. Sorry.
If it were anything but a Domain Controller you'd stand a chance, but it's not, so you're a bit out of luck I'm afraid.
Chris