Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 59
  • Last Modified:

Administrator Passwords and Rights

Hi

I have a Small Business Server 2011 and have the general administrator setup using a particular name, as is now the practice. However, I want to setup a 2nd administrator user who can add users, change user passwords, add PC to the domain, ie the usual day to day admin tasks.

But I dont want them to be able to change folder permissions on the server or be able to change the password for the main administrator.

Is this possible?

Thanks
0
JayHine
Asked:
JayHine
1 Solution
 
David AtkinIT ProfessionalCommented:
Hello,

The following should work.

Create a standard user account as normal (in the SBS Console) and then open ADUC and then right click the required OU and go through the Delegat Control wizard.  You will be able to select their access rights.  You will need to setup an MMC console for them on their PC to access active directory.

Make sure your admin account is not in this OU.

Non-Admins can add a PC onto the Domain if its for themselves using the connect wizard but they would need local admin rights setting on the PCs to be able to perform the PC admin tasks.
0
 
JayHineAuthor Commented:
would this new admin user be able to logon to the actual server console and check the backups and run certain other tasks.
0
 
David AtkinIT ProfessionalCommented:
No they would not be able to log onto the server unless you add them to the Server Operators, the Remote Desktop Users and the Backup Administrators security group.
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
SandeshdubeyCommented:
Adding a user to the Server Operators group will allow them to manage a server but not give them access to manage AD.
 
Typically this right is assigned for Admins who need to be able to mange backups (can also be a backup administrator) but may also need to be able to manage event logs, update drivers and printers etc
 
Refer below link to Built-in Groups vs. Delegation
 http://www.windowsecurity.com/articles/built-in-groups-delegation.html
 http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
 
For AD related activity you can delegate control to Users/group depending upon the business environment.
 
How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986

http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/
 
I would also recommend to enable auditing if you are giving DS access to users/group for tracking there activities.
 http://itknowledgeexchange.techtarget.com/itanswers/how-to-give-an-account-local-admin-rights-only-on-a-domain-controller/
0
 
JayHineAuthor Commented:
ok
0
 
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now