?
Solved

WINDOWS 2012 - map drives copy files - controlling useing Group Policy

Posted on 2014-03-27
3
Medium Priority
?
425 Views
Last Modified: 2014-04-03
Using Active Directory 2012, want to control by OU/groups what support users can/cannot do on individual member servers.
Scenario - have number of servers by role  Domain Controller, IIS servers, FTP Servers, DB servers (SQL), Applications Servers. Support users need to connect (RDP) to all servers but not to DC's. They will not be member of Domain Admin.  
Functions needed :- IIS, FTP,Application - RDP, stop/start services, create files/folders, map drives between servers
                                 DB servers - access to SQL DB's controlled by Group membership, RDP to server, stop/start services, create files/folders , map drives between folders

Most functions can be controlled by policy. But to map drives between servers you need to be member of Local Admin. This then negates group membership and DB access. i.e if we control DB access based by AD groups as soon as you are a member of local admin you can do everything.
So in 2013 how do I allow users to map drives between servers and rest of fucntionality without adding "local Admin" to their membership ?
0
Comment
Question by:ccfcfc
  • 2
3 Comments
 
LVL 39

Expert Comment

by:Mahesh
ID: 39958650
If user has got read and execute permissions on share folder, they don't require admin rights on workstation \ server to map drives

You can add "allow logon through terminal services" user rights to these support users in GPO and apply this GPO to OU containing your servers
OR
You can add required support users to remote desktop users group on servers

You can give delete gated permission to users on services through GPO to start\stop etc
http://windowsitpro.com/security/how-can-i-delegate-permission-user-or-group-control-certain-services

On individual folders you can grant support users required permissions, for that you can use file system permissions feature in GPO

Also you can add support users to power users group and Network Configuration Operators group on server and this can be achieved through GPO Preferences
http://technet.microsoft.com/en-us/library/cc771990.aspx

If you have IIS 7.0 \ 7.5, then you can create IIS user and grant him rights on web sites
http://technet.microsoft.com/en-us/library/cc771311(v=ws.10).aspx

Personally I'd provide support users in local administrators group on servers because they need to manage every aspect of app \ infra servers, this will not grant them domain admins rights and also they cannot logon to Domain controllers

Mahesh.
0
 

Author Comment

by:ccfcfc
ID: 39959046
Thanks for your reply mahesh,

As you said if i create users under local admnistrator group on servers ,  the local administartor groups can be able to access everything in sql server.

So how could we deny permissions for the local admnistrator group ,so that they have limited rights to access the db ?

Thanks
0
 
LVL 39

Accepted Solution

by:
Mahesh earned 1500 total points
ID: 39959957
By default you cannot restrict local administrators on any sever and to access any application on server

The workaround I can see is if you have separate SQL server, then you can grant required database users SQL sysadmin and Public rights on database so that they can access only that SQL database locally \ remotely

But still you need to assign some body as local administrator on actual SQL server and this is required for server administration, management, maintenance work, upgrades etc
You can have some trusted administrator, other wise you need to logon on to DB server as domain admins which is simply not resolve your question

Mahesh.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
The article covers five tools all IT professionals should know about, as they up productivity by a great deal!
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question