SBS 2008 Limited Network Administrator


I am trying to create a user on my SBS 2008 server that has limited administrative abilities.  I need them to have full administrative access to the workstations and the ability to create standard users and change passwords in the SBS Console but nothing more on the server.  How is this done?

Brian Pierce (Photographer) commented:
Create a group, add the user to the group (it's much easier then to remove the rights, or to give the same rights to another user).

Next, use the Delegation of Control wizard to give the necessary rights to the group.

Andrew Oakeley (Consultant) commented:
Yes. Delegate control in AD so they can change passwords.
Use restricted groups in GP to give the group you created local admin rights on the workstations
leadingsx (Author) commented:
Thank you for that information.  I forgot to mention that I need my restricted network administrator to be able to register a workstation on the domain.  So by using restricted groups, how do I do the following:
1.  Allow the restricted network administrator user to add a standard user account on the SBS 2008 server via Windows SBS Console.
2.  Allow the restricted network administrator user to change/reset passwords via Windows SBS Console.
3.  Allow the restricted network administrator user to register a workstation to the domain controller.

I have created a standard user account for my restricted network administrator since I do not want to elevate them to a Network Admin on the domain controller.

Leadingsx, as mentioned above, some of this will need to be done through delegate control. The part regarding adding a non-domain admin to the local admin group can be done much more easily through the SBS console than by having to deal with restricted groups in GP, which can get rather choppy. This can be done in the computer section of the SBS console; you can set them as a standard user or a local admin. You should be able to have a non-domain admin add computers to a domain for up to 10 computers.

For the other two items on your list, you will want to do this through delegated control, which can be accessed through AD Users & Computers. I would not do this on the domain level, but rather on the 'My Business' level. Right-click on 'My Business' and select 'Delegate Control'. Select the user or group that you want to delegate control to. Select the ability to add users and change/reset passwords, then click Next and Finish.

I have not fully tested this and I am putting this out there. This does not give the ability to access the server, and I am not sure how delegated control plays with the SBS console. In a non-SBS environment this would work, though I cannot say that I have tested this in an SBS environment. I know on the AD side it will work, but as you may or may not know, SBS relies on the wizards to function correctly, which include the Add User wizard.
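
The group-plus-delegation approach described in the answers above can also be scripted and then checked from the command line. This is an added example, not part of any post in the thread: it uses `dsadd` and `dsacls` to scope create-user and reset-password rights to the 'My Business' OU, and the domain name, the OU distinguished name and the `LimitedAdmins` group name are all assumed placeholders.

```powershell
# Added example. Every name below is a placeholder or assumption,
# not a value taken from the thread.
$domainDn  = 'DC=example,DC=local'          # placeholder domain DN
$netbios   = 'EXAMPLE'                      # placeholder NetBIOS domain name
$ou        = "OU=MyBusiness,$domainDn"      # assumed DN of the 'My Business' OU
$groupName = 'LimitedAdmins'                # hypothetical delegation group
$groupDn   = "CN=$groupName,$ou"
$trustee   = "$netbios\$groupName"

# 1. Create a global security group that will hold the delegated rights,
#    so rights are granted to (and later removed from) the group, not a user.
dsadd group $groupDn -secgrp yes -scope g -samid $groupName
if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $groupDn" }

# 2. Grant rights on the OU only, never at the domain root.
#    /I:T = this object and children, /I:S = child objects only.
$grants = @(
    @('/I:T', "${trustee}:CC;user"),                 # create user objects
    @('/I:S', "${trustee}:CA;Reset Password;user"),  # reset passwords
    @('/I:S', "${trustee}:RPWP;pwdLastSet;user")     # force change at next logon
)
foreach ($g in $grants) {
    dsacls $ou $g[0] /G $g[1] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $($g[1])" }
}

# 3. Verify: list every ACE on the OU that names the group and flag
#    anything broader than the three grants above.
$aces = dsacls $ou | Select-String -SimpleMatch $trustee
$aces | ForEach-Object { $_.Line }
if ($aces | Where-Object { $_.Line -match 'FULL CONTROL' }) {
    Write-Warning "$trustee holds FULL CONTROL on $ou; delegation is wider than intended."
}
```

Members are added to the group afterwards with `dsmod group <GroupDN> -addmbr <UserDN>`. Re-running step 3 on its own is a quick audit of what the group can do on that OU.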

leadingsx (Author) commented:
Thank you for your input.  I did read about using delegate control.  I also found that I could use account operator group.  Account Operator group gave the user the ability to log onto the server and add, remove, and change passwords through Active Directory.  It also allows the user to register systems on the domain.  I am a bit stuck though since it does not give the user the ability to open and use SBS console.  This poses a problem since users need to be created via the console instead of AD.  I found this article that shows you are not able to use SBS console unless you are Network Admin:
