  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 474

grant minimum permissions to an external user active directory 2003

Hopefully an easy one;

I need to create an account on our Windows 2003 DC for an external company to use to install some software.

I want it to have the most restrictive privileges possible, but just allow remote login and to install applications.

What permissions should I apply to the account? Currently it has Remote Desktop Users, Domain users and Builtin Administrators, but this still seems to allow access to ADUC etc.

Thanks in advance.
0
samfpt
Asked:
1 Solution
 
Paul MacDonald (Director, Information Systems) Commented:
It depends on where they're installing the applications and what permissions are already assigned to the various groups.  A domain user, in and of itself, may be adequate.  You might create a special, temporary group just for this user and give the group permission to do the necessary work.  That will allow you to target the permissions more appropriately.
0
 
samfpt (Author) Commented:
Applications should only be to the local C:\

The permissions are currently all standard / out of the box
0
 
Paul MacDonald (Director, Information Systems) Commented:
Being a member of "Builtin Administrators" is why they can get to ADUC.  Your best bet may be to set them up as local administrators just on the machines they need to work on.
0
 
samfpt (Author) Commented:
Found the answer, you can have local admin only on a DC by design in Server 2003. Basically it's domain admin or nothing.

0
 
Paul MacDonald (Director, Information Systems) Commented:
Not true.  In fact, just the opposite.  

Domain Controllers DO NOT have local administrators and rely on the Domain Admins group for administration.  

Client machines in a domain also have a local administrator's group that gives users and groups administrative permissions to that machine.
0
 
samfpt (Author) Commented:
Discovered the answer myself. Simple question, answer is that it's not really possible by design of Windows Server 2003.
0
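
The suggestion made in the thread (a temporary group that is a local administrator only on the machines the vendor works on) could be scripted as below. This is an added example, not code from any participant. It assumes PowerShell is installed on the member server, that the temporary group already exists in the domain with the vendor account as a member, and that `CONTOSO` and `Vendor-Install-Temp` are hypothetical placeholder names.

```powershell
# Added example: run on the member server the vendor will work on, not on a DC.
param(
    [string]$Domain    = 'CONTOSO',              # hypothetical NetBIOS domain name
    [string]$TempGroup = 'Vendor-Install-Temp',  # hypothetical temporary domain group
    [switch]$Revoke                              # remove the group once the work is done
)

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.ProductType -eq 2) {
    Write-Warning "$env:COMPUTERNAME is a domain controller. Its Administrators group is the domain's Builtin\Administrators, so nothing was changed."
    return
}

function Get-GroupMemberPath($group) {
    # ADsPath of every member, e.g. WinNT://CONTOSO/Domain Admins
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$admins   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$target   = "WinNT://$Domain/$TempGroup"
$isMember = (Get-GroupMemberPath $admins) -contains $target

if ($Revoke -and $isMember) {
    # Work finished: take the temporary group back out of local Administrators.
    $admins.psbase.Invoke('Remove', $target)
} elseif (-not $Revoke -and -not $isMember) {
    # Grant admin rights on this machine only; domain-level groups are untouched.
    $admins.psbase.Invoke('Add', "$target,group")
}

# Print the resulting membership so it can be reviewed.
Get-GroupMemberPath $admins
```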
