SBS 2008 Limited Network Administrator


I am trying to create a user on my SBS 2008 server that has limited administrative abilities.  I need them to have full administrative access to the workstations and the ability to create standard users and change passwords in the SBS Console but nothing more on the server.  How is this done?
Brian Pierce (Photographer) commented:
Create a group, add the user to the group (it's much easier then to remove the rights, or to give the same rights to another user).

Next, use the delegation of control wizard to give the necessary rights to the group.
Andrew Oakeley (Consultant) commented:
Yes. Delegate control in AD so they can change passwords.
Use restricted groups in GP to give the group you created local admin rights on the workstations.
leadingsx (Author) commented:
Thank you for that information.  I forgot to mention that I need my restricted network administrator to be able to register a workstation on the domain.  So, by using restricted groups, how do I do the following:
1.  Allow restricted network administrator user to add a standard user account on the SBS 2008 server via Windows SBS Console
2.  Allow the restricted network administrator user to change/reset passwords via Windows SBS Console.
3.  Allow the restricted network administrator user to register a workstation to the domain controller

I have created a standard user account for my restricted network administrator since I do not want to elevate them to a Network Admin on the domain controller.
Leadingsx, as mentioned above, some of this will need to be done through delegate control. The part regarding adding a non-domain admin to the local admin group can be done much more easily through the SBS console than having to deal with restricted groups in GP that can get rather choppy. This can be done in the computer section of the SBS console; you can set them as a standard user or a local admin. You should be able to have a non domain add computers to a domain for up to 10 computers.

For the other two items on your list, you will want to do this through delegated control, which can be accessed through AD Users & Computers. I would not do this on the domain level, but rather on the 'My Business' level. Right-click on 'My Business' and select 'Delegate Control'. Select the user or group that you want to delegate control to. Select the ability to add users and change/reset passwords, then click Next and Finish.

I have not fully tested this and I am putting this out there. This does not give the ability to access the server, and I am not sure how delegated control plays with the SBS console. In a non-SBS environment this would work, though I cannot say that I have tested this in an SBS environment. I know on the AD side it will work, but as you may or may not know, SBS relies on the wizards to function correctly, which include the Add User wizard.
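
The delegation described in the comment above can also be applied and reviewed from the command line with `dsacls`. The following is an added example, not part of any participant's post: the group name, domain and OU distinguished name are placeholders to replace with your own, and the grants are deliberately narrower than full account management (create users and reset passwords only, no delete). It affects the AD side only and does not change who can open the SBS Console.

```powershell
# Added example; not from the thread. All three values below are placeholders.
$Group = 'EXAMPLE\Limited-Admins'             # hypothetical group holding the restricted admin
$OU    = 'OU=MyBusiness,DC=example,DC=local'  # assumed DN of the 'My Business' OU

# One dsacls /G grant per entry.
#   Inherit: T = this object and sub-objects, S = sub-objects only
#   Ace:     <permission bits>;<object type or property>;<inherited object type>
$Grants = @(
    @{ Inherit = 'T'; Ace = 'CC;user' }                 # create user objects
    @{ Inherit = 'S'; Ace = 'CA;Reset Password;user' }  # Reset Password extended right on users
    @{ Inherit = 'S'; Ace = 'WP;pwdLastSet;user' }      # set "must change password at next logon"
)

foreach ($g in $Grants) {
    $spec = '{0}:{1}' -f $Group, $g.Ace
    # Apply the grant; stop at the first failure so the ACL is not left half-delegated unnoticed.
    & dsacls.exe $OU "/I:$($g.Inherit)" /G $spec | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$spec'" }
}

# Review step: list every ACE on the OU that names the group, so the result can be
# compared against the three grants above and any extra rights spotted.
& dsacls.exe $OU | Select-String -SimpleMatch $Group
```

Granting to a group rather than to the user, as suggested earlier in the thread, means the rights can be revoked by removing the group's entries from the OU or by emptying the group.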
leadingsx (Author) commented:
Thank you for your input.  I did read about using delegate control.  I also found that I could use account operator group.  Account Operator group gave the user the ability to log onto the server and add, remove, and change passwords through Active Directory.  It also allows the user to register systems on the domain.  I am a bit stuck though since it does not give the user the ability to open and use SBS console.  This poses a problem since users need to be created via the console instead of AD.  I found this article that shows you are not able to use SBS console unless you are Network Admin:

Question has a verified solution.
