Solved

WINDOWS 2012 - map drives copy files - controlling useing Group Policy

Posted on 2014-03-27
3
418 Views
Last Modified: 2014-04-03
Using Active Directory 2012, want to control by OU/groups what support users can/cannot do on individual member servers.
Scenario - have number of servers by role  Domain Controller, IIS servers, FTP Servers, DB servers (SQL), Applications Servers. Support users need to connect (RDP) to all servers but not to DC's. They will not be member of Domain Admin.  
Functions needed :- IIS, FTP,Application - RDP, stop/start services, create files/folders, map drives between servers
                                 DB servers - access to SQL DB's controlled by Group membership, RDP to server, stop/start services, create files/folders , map drives between folders

Most functions can be controlled by policy. But to map drives between servers you need to be member of Local Admin. This then negates group membership and DB access. i.e if we control DB access based by AD groups as soon as you are a member of local admin you can do everything.
So in 2013 how do I allow users to map drives between servers and rest of fucntionality without adding "local Admin" to their membership ?
0
Comment
Question by:ccfcfc
  • 2
3 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39958650
If user has got read and execute permissions on share folder, they don't require admin rights on workstation \ server to map drives

You can add "allow logon through terminal services" user rights to these support users in GPO and apply this GPO to OU containing your servers
OR
You can add required support users to remote desktop users group on servers

You can give delete gated permission to users on services through GPO to start\stop etc
http://windowsitpro.com/security/how-can-i-delegate-permission-user-or-group-control-certain-services

On individual folders you can grant support users required permissions, for that you can use file system permissions feature in GPO

Also you can add support users to power users group and Network Configuration Operators group on server and this can be achieved through GPO Preferences
http://technet.microsoft.com/en-us/library/cc771990.aspx

If you have IIS 7.0 \ 7.5, then you can create IIS user and grant him rights on web sites
http://technet.microsoft.com/en-us/library/cc771311(v=ws.10).aspx

Personally I'd provide support users in local administrators group on servers because they need to manage every aspect of app \ infra servers, this will not grant them domain admins rights and also they cannot logon to Domain controllers

Mahesh.
0
 

Author Comment

by:ccfcfc
ID: 39959046
Thanks for your reply mahesh,

As you said if i create users under local admnistrator group on servers ,  the local administartor groups can be able to access everything in sql server.

So how could we deny permissions for the local admnistrator group ,so that they have limited rights to access the db ?

Thanks
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39959957
By default you cannot restrict local administrators on any sever and to access any application on server

The workaround I can see is if you have separate SQL server, then you can grant required database users SQL sysadmin and Public rights on database so that they can access only that SQL database locally \ remotely

But still you need to assign some body as local administrator on actual SQL server and this is required for server administration, management, maintenance work, upgrades etc
You can have some trusted administrator, other wise you need to logon on to DB server as domain admins which is simply not resolve your question

Mahesh.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question