Solved

Administrator Passwords and Rights

Posted on 2013-11-20
7
56 Views
Last Modified: 2015-06-23
Hi

I have a Small Business Server 2011 and have the general administrator setup using a particular name, as is now the practice. However, I want to setup a 2nd administrator user who can add users, change user passwords, add PC to the domain, ie the usual day to day admin tasks.

But I dont want them to be able to change folder permissions on the server or be able to change the password for the main administrator.

Is this possible?

Thanks
0
Comment
Question by:JayHine
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 22

Expert Comment

by:David Atkin
ID: 39663008
Hello,

The following should work.

Create a standard user account as normal (in the SBS Console) and then open ADUC and then right click the required OU and go through the Delegat Control wizard.  You will be able to select their access rights.  You will need to setup an MMC console for them on their PC to access active directory.

Make sure your admin account is not in this OU.

Non-Admins can add a PC onto the Domain if its for themselves using the connect wizard but they would need local admin rights setting on the PCs to be able to perform the PC admin tasks.
0
 

Author Comment

by:JayHine
ID: 39663043
would this new admin user be able to logon to the actual server console and check the backups and run certain other tasks.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39663094
No they would not be able to log onto the server unless you add them to the Server Operators, the Remote Desktop Users and the Backup Administrators security group.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39665164
Adding a user to the Server Operators group will allow them to manage a server but not give them access to manage AD.
 
Typically this right is assigned for Admins who need to be able to mange backups (can also be a backup administrator) but may also need to be able to manage event logs, update drivers and printers etc
 
Refer below link to Built-in Groups vs. Delegation
 http://www.windowsecurity.com/articles/built-in-groups-delegation.html
 http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
 
For AD related activity you can delegate control to Users/group depending upon the business environment.
 
How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986

http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/
 
I would also recommend to enable auditing if you are giving DS access to users/group for tracking there activities.
 http://itknowledgeexchange.techtarget.com/itanswers/how-to-give-an-account-local-admin-rights-only-on-a-domain-controller/
0
 

Author Comment

by:JayHine
ID: 39785216
ok
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40845800
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question