grant minimum permissions to an external user active directory 2003

Posted on 2011-04-19
Last Modified: 2012-08-13
Hopefully an easy one;

I need to create an account on our Windows 2003 DC for an external company to use to install some software.

I want it to have the most restrictive privileges possible, but just allow remote login and to install applications.

What permissions should I apply to the account? Currently it has Remote Desktop Users, Domain users and Builtin Administrators, but this still seems to allow access to ADUC etc.

Thanks in advance.
Question by:samfpt

    Expert Comment

    It depends on where they're installing the applications and what permissions are already assigned to the various groups.  A domain user, in and of itself, may be adequate.  You might create a special, temporary group just for this user and give the group permission to do the necessary work.  That will allow you to target the permissions more appropriately.

    Author Comment

    Applications should only be to the local C:\

    The permissions are currently all standard / out of the box

    Expert Comment

    Being a member of "Builtin Administrators" is why they can get to ADUC.  Your best bet may be to set them up as local administrators just on the machines they need to work on.

    Accepted Solution

    Found the answer, you can have local admin only on a DC by design in Server 2003. Basically it's domain admin or nothing.


    Expert Comment

    Not true.  In fact, just the opposite.  

    Domain Controllers DO NOT have local administrators and rely on the Domain Admins group for administration.  

    Client machines in a domain also have a local administrator's group that gives users and groups administrative permissions to that machine.

    Author Closing Comment

    Discovered the answer myself. Simple question, answer is that it's not really possible by design of Windows Server 2003.
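
The thread's point that membership in Builtin Administrators on a DC is what opens ADUC to the vendor account can be checked before the account is handed over. The script below is an added example, not part of the original thread: it lists every group the account reaches, directly or through nesting, and flags the built-in privileged ones. The account name `vendor-install` and the helper `Add-ParentGroups` are hypothetical, and it assumes PowerShell on a domain-joined machine run by a domain user.

```powershell
# Added example, not from the thread. 'vendor-install' is a placeholder account name.
param([string]$SamAccountName = 'vendor-install')

# Reject characters that would change the meaning of the LDAP filter below.
if ($SamAccountName -notmatch '^[A-Za-z0-9._$-]+$') { throw "Unexpected characters in account name." }

# Built-in groups that carry administrative or operator rights on domain controllers.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

# Walk memberOf recursively so nested membership is reported too.
# Note: memberOf does not list the primary group (normally Domain Users).
function Add-ParentGroups {
    param([string]$Dn, [hashtable]$Seen)
    $entry = [ADSI]"LDAP://$Dn"
    foreach ($groupDn in @($entry.Properties['memberOf'])) {
        if (-not $Seen.ContainsKey($groupDn)) {
            $Seen[$groupDn] = $Dn      # record which object led to this group
            Add-ParentGroups -Dn $groupDn -Seen $Seen
        }
    }
}

# Locate the account in the current domain (hypothetical account name, see above).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Account '$SamAccountName' not found in the current domain." }

$seen = @{}
Add-ParentGroups -Dn ([string]$hit.Properties['distinguishedname'][0]) -Seen $seen

# One row per group reached, with the object whose memberOf led to it.
$report = foreach ($groupDn in $seen.Keys) {
    $cn = [string]([ADSI]"LDAP://$groupDn").Properties['cn'][0]
    New-Object PSObject -Property @{
        Group      = $cn
        ReachedVia = $seen[$groupDn]
        Privileged = ($privileged -contains $cn)
    }
}
$report | Sort-Object Privileged -Descending | Format-Table Group, Privileged, ReachedVia -AutoSize
if ($report | Where-Object { $_.Privileged }) {
    Write-Warning "$SamAccountName is in a privileged built-in group; on a domain controller that applies domain-wide."
}
```

Running it again after the vendor's work is finished confirms that the temporary membership has actually been removed.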
