Using Active Directory 2012, I want to control by OU/groups what support users can/cannot do on individual member servers.
Scenario: I have a number of servers by role: Domain Controller, IIS servers, FTP servers, DB servers (SQL), Application servers. Support users need to connect (RDP) to all servers but not to DCs. They will not be members of Domain Admins.
Functions needed: IIS, FTP, Application - RDP, stop/start services, create files/folders, map drives between servers
DB servers - access to SQL DBs controlled by group membership, RDP to server, stop/start services, create files/folders, map drives between folders
Most functions can be controlled by policy. But to map drives between servers you need to be a member of Local Admin. This then negates group membership and DB access, i.e. if we control DB access by AD groups, as soon as you are a member of local admin you can do everything.
So in 2013 how do I allow users to map drives between servers and the rest of the functionality without adding "local Admin" to their membership?
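The check behind this question, as an added example that is not part of the original post: for each server role, report whether the support group has been put into the local Administrators group (which defeats the SQL group-based access described above) or only into Remote Desktop Users, and flag any DC the group can reach. Server names and the CONTOSO\SupportUsers group are placeholders; the script uses the WinNT ADSI provider so it runs on Server 2012 without the newer LocalAccounts module.

```powershell
# Added example, not from the original question. All names below are placeholders.
param(
    # Constructed list of member servers by role; replace with your own.
    [string[]]$ComputerName = @('IIS01', 'FTP01', 'APP01', 'SQL01'),
    [string[]]$DomainControllers = @('DC01'),
    [string]$SupportGroup = 'SupportUsers'   # the AD group given to support staff
)

# Enumerate the members of a local group on a remote server via the WinNT provider.
function Get-LocalGroupMembership {
    param([string]$Computer, [string]$LocalGroup)
    $grp = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        # Each member is a COM object; pull its Name property (domain prefix is not included).
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Report, per server, whether the support group got least-privilege RDP access
# (Remote Desktop Users) or was dropped into Administrators.
foreach ($c in $ComputerName) {
    $admins = Get-LocalGroupMembership -Computer $c -LocalGroup 'Administrators'
    $rdp    = Get-LocalGroupMembership -Computer $c -LocalGroup 'Remote Desktop Users'
    [pscustomobject]@{
        Server           = $c
        SupportIsAdmin   = [bool]($admins -contains $SupportGroup)   # should be False
        SupportHasRdp    = [bool]($rdp    -contains $SupportGroup)   # should be True
    }
}

# DCs have no local groups; check that the support group is not in the domain
# Administrators group, which would grant RDP to every DC.
foreach ($dc in $DomainControllers) {
    $domainAdmins = Get-LocalGroupMembership -Computer $dc -LocalGroup 'Administrators'
    [pscustomobject]@{
        Server         = $dc
        SupportIsAdmin = [bool]($domainAdmins -contains $SupportGroup)  # should be False
    }
}
```

Any row with SupportIsAdmin = True is a server where the group-based SQL restrictions described in the question no longer hold, because local Administrators can bypass them.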