Create a domain user with read-only access to the domain controller

Dear All

We want to give a domain user read-only access to the main domain controller (via Remote Desktop) so they can create documentation about this server. Does someone know how to accomplish this? Below is the request from our regional IT overseas:

 - IP address & name of your domain controller server(s)
 - account (ID & password) with read-only access to this (these) server(s); in both forms: "netbios domain name"\"user name" and "user name"@"domain name" (UPN)

I have created a normal account and added it under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on locally, and put the account into the Remote Desktop Users group on the server. I tried to log in with the created account via Remote Desktop, but it doesn't allow it; it says I have to add this account to the Terminal Services and Remote Desktop Users group, which I already did. I then added this account to the Administrators group, and it could connect remotely, but I found that the account can log in to the server (via Remote Desktop) and has full rights to delete and create accounts. How do I give this account read-only access only? Do I need to set Delegate Control to allow only read for this account?


I think the request (or what you're going to allow/disallow) needs to be much more granular.
Sure, you can add a domain user to the Remote Desktop Users group to allow RDP logon.
After they log on, what snap-ins or tools are they going to use to document the server?
If they RDP in, then you'd have to be sure NTFS permissions are set on all files/folders so that the user couldn't change/edit/delete files/folders. I think you need to delegate with the wizard (at a minimum). I think you have to pick and choose what snap-ins/tools will be used to gather information, then allow read access. Are they going to launch "AD Users & Computers", or need the Event Viewer or the DNS service, etc.? I think just saying "allow a user read-only access" is too broad. You need to define what tools are required to obtain the necessary information, then give access to those tools or snap-ins. The Delegation Wizard has pre-defined and custom settings. You really can get in-depth with the custom options, but you really have to know what you're doing.
Seth Simmons, Sr. Systems Administrator, commented:
Why do you keep opening new questions asking the same thing? Your other 2 questions from the last 2 days you are deleting because "nobody is helping", though it doesn't seem like you are doing much with people's suggestions.

Did you ever think that maybe what you are trying to accomplish is not possible? You are asking essentially for full login access to a server but can't change anything. If you were a bit more verbose as to what kind of documentation you are looking for, there could be other ways to obtain the data, such as using MMC tools remotely or retrieving configuration items through WMI.

Or, just get the information yourself. You could get what's needed for the person putting the documentation together so you don't have to waste time spinning your wheels for days on this, messing with TermServ rights and group policies, which could do more harm than good.
piaakit (Author) commented:
I found out that adding the domain account to the Remote Desktop Users group isn't enough; I get the error shown in the screenshot below. I would have to add the domain user account to the Administrators group. If I add the domain user account to the Administrators group, will Delegate Control disallow the user from modifying things such as Active Directory Users and Computers, DNS, and Domains and Trusts?


Is the policy highlighted in red below the correct one to enable?

[screenshot: logon with RDP]
Why do they need the UPN name and the NetBIOS name?

 - IP address & name of your domain controller server(s)
 - account (ID & password) with read-only access to this (these) server(s); in both forms: "netbios domain name"\"user name" and "user name"@"domain name" (UPN)
Adding the domain user to the Remote Desktop Users group should be enough. You don't need to modify the "Not Defined" policy you highlighted. Maybe the Remote Desktop Users group was removed from the Security tab of RDP-Tcp. It's there by default, but maybe somebody removed it.

Do this:

Click Start, point to Programs, point to Administrative Tools, then Remote Desktop Services, and then click Terminal Services Configuration.
In the tree in the left pane, click Connections.
Double-click the RDP-Tcp connection in the right pane.
Click the Permissions tab.
Make sure Remote Desktop Users is listed here and granted access, or just add your individual user here instead.
You could set the security to "Guest Access", which grants logon only and no other terminal server rights.

Aside from the above, I agree with the poster "Seth2740". You need to discuss this with the people making the request. What you're asking is too broad a question. You need to find out what information they need to collect, then determine what tools will work best. At least if you listed here what information needed to be documented, Experts Exchange posters could suggest how best to accomplish it while restricting rights.
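The answer above hinges on two things the asker can verify before touching permissions: which principals actually hold the "Allow log on through Remote Desktop Services" user right on the server, and whether the test account is still sitting in Administrators. The following PowerShell audit script is an added example, not code from the thread or from Experts Exchange; it assumes it is run elevated on the server being checked, and `CONTOSO\rdpreader` is a placeholder account name.

```powershell
# Added audit script (not from the thread): reports who may log on through
# Remote Desktop Services on this server and whether a given account is a member
# of Administrators or Remote Desktop Users. Run elevated on the server itself.
param([string]$Account = 'CONTOSO\rdpreader')   # placeholder account name

$inf = Join-Path $env:TEMP 'secpol-export.inf'
# secedit exports the effective local security database, which includes user
# rights applied by Group Policy (on a domain controller, the Default Domain
# Controllers Policy normally grants this right to Administrators only).
& secedit.exe /export /cfg $inf /quiet | Out-Null

# The right is listed as SIDs prefixed with '*' (or plain names), comma separated.
$line = Get-Content $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
$holders = @()
if ($line) {
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $holders += $entry }   # keep the raw SID if it cannot be resolved
        } elseif ($entry) { $holders += $entry }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

Write-Host 'Principals allowed to log on through Remote Desktop Services:'
$holders | ForEach-Object { Write-Host "  $_" }

# Enumerate group members through the WinNT ADSI provider (works on Server 2008
# without the ActiveDirectory module; on a DC these are the Builtin groups).
function Get-LocalGroupMembers([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
$shortName = ($Account -split '\\')[-1]
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    $isMember = @(Get-LocalGroupMembers $g) -contains $shortName
    Write-Host ("{0,-22} contains {1}: {2}" -f $g, $Account, $isMember)
}
# Membership of Administrators defeats any read-only intent: the fix is to remove
# it and grant the RDP logon right (or the RDP-Tcp permission) to the reader
# account or its group instead, then delegate read access per tool as needed.
```

If the first list shows only Administrators, that is why a plain Remote Desktop Users member is refused at logon, and the user right, not the group, is what needs adjusting.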

piaakit (Author) commented:
Hi All,

You are correct, sorry for opening so many posts.
Windows Server 2008