SBS 2008 Limited Network Administrator

Posted on 2011-10-02
Last Modified: 2012-05-30

I am trying to create a user on my SBS 2008 server that has limited administrative abilities.  I need them to have full administrative access to the workstations and the ability to create standard users and change passwords in the SBS Console but nothing more on the server.  How is this done?
Question by:leadingsx

    Accepted Solution

    Create a group, add the user to the group (it's much easier then to remove the rights, or to give the same rights to another user).

    Next, use the Delegation of Control Wizard to give the necessary rights to the group.

    Assisted Solution

    Yes. Delegate control in AD so they can change passwords.
    Use restricted groups in GP to give the group you created local admin rights on the workstations

    Author Comment

    Thank you for that information.  I forgot to mention that I need my restricted network administrator to be able to register a workstation on the domain.  So, by using restricted groups, how do I do the following:
    1.  Allow restricted network administrator user to add a standard user account on the SBS 2008 server via Windows SBS Console
    2.  Allow the restricted network administrator user to change/reset passwords via Windows SBS Console.
    3.  Allow the restricted network administrator user to register a workstation to the domain controller

    I have created a standard user account for my restricted network administrator since I do not want to elevate them to a Network Admin on the domain controller.

    Assisted Solution

    Leadingsx, as mentioned above, some of this will need to be done through delegate control. The part regarding adding a non-domain admin to the local admin group can be done much more easily through the SBS console than by dealing with restricted groups in GP, which can get rather choppy. This can be done in the computer section of the SBS console, where you can set them as a standard user or a local admin. You should be able to have a non-domain admin add computers to a domain for up to 10 computers.

    For the other two items on your list, you will want to do this through delegated control, which can be accessed through AD Users & Computers. I would not do this on the domain level, but rather on the 'My Business' level. Right-click on 'My Business' and select 'Delegate Control'. Select the user or group that you want to delegate control to. Select the ability to add users and change/reset passwords, then click Next and Finish.

    I have not fully tested this and I am putting this out there. This does not give the ability to access the server, and I am not sure how delegated control plays with the SBS console. In a non-SBS environment this would work, though I cannot say that I have tested this in an SBS environment. I know on the AD side it will work, but as you may or may not know, SBS relies on the wizards to function correctly, which include the Add User wizard.
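
The OU-scoped delegation described in the answer above can also be written with `dsacls.exe`, which makes the granted rights explicit and easy to review afterwards. This is an added example, not part of the original thread; the domain DN, the group name and the `OU=MyBusiness` path are assumptions to replace with your own values, and it is run from an elevated prompt on the server by a domain administrator.

```powershell
# Added example. Assumed values (not from the thread): replace before use.
$DomainDn = 'DC=example,DC=local'        # placeholder domain DN
$Group    = 'EXAMPLE\Limited Admins'     # hypothetical group holding the restricted admin
$Ou       = "OU=MyBusiness,$DomainDn"    # assumed DN of the 'My Business' OU

# One dsacls /G permission string per entry, with its inheritance scope.
#   Scope T = this object and sub-objects, S = sub-objects only
#   CC = create child, CA = control access right, RP/WP = read/write property
$Grants = @(
    # Create user objects anywhere in the OU tree (create only, no delete).
    @{ Scope = 'T'; Right = 'CC;user' },
    # Reset passwords on user objects below the OU.
    @{ Scope = 'S'; Right = 'CA;Reset Password;user' },
    # Read/write pwdLastSet so "must change password at next logon" can be set.
    @{ Scope = 'S'; Right = 'RPWP;pwdLastSet;user' }
)

foreach ($g in $Grants) {
    & dsacls.exe $Ou "/I:$($g.Scope)" /G "$($Group):$($g.Right)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsacls reported an error for '$($g.Right)'"
    }
}

# Review step: list every ACE on the OU that names the group, so the
# delegation can be compared against what was intended.
& dsacls.exe $Ou | Select-String -SimpleMatch $Group

# The "up to 10 computers" limit mentioned in the answer is the domain's
# ms-DS-MachineAccountQuota attribute; read it to confirm the current value.
$root  = [ADSI]"LDAP://$DomainDn"
$quota = $root.psbase.Properties['ms-DS-MachineAccountQuota'].Value
"ms-DS-MachineAccountQuota = $quota"
```

Because the rights are granted to a group on one OU, removing a user from the group withdraws them, and nothing is granted at the domain level or on the server itself.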

    Assisted Solution

    Thank you for your input.  I did read about using delegate control.  I also found that I could use account operator group.  Account Operator group gave the user the ability to log onto the server and add, remove, and change passwords through Active Directory.  It also allows the user to register systems on the domain.  I am a bit stuck though since it does not give the user the ability to open and use SBS console.  This poses a problem since users need to be created via the console instead of AD.  I found this article that shows you are not able to use SBS console unless you are Network Admin:

