Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

WINDOWS 2012 - map drives copy files - controlling useing Group Policy

Posted on 2014-03-27
3
Medium Priority
?
424 Views
Last Modified: 2014-04-03
Using Active Directory 2012, want to control by OU/groups what support users can/cannot do on individual member servers.
Scenario - have number of servers by role  Domain Controller, IIS servers, FTP Servers, DB servers (SQL), Applications Servers. Support users need to connect (RDP) to all servers but not to DC's. They will not be member of Domain Admin.  
Functions needed :- IIS, FTP,Application - RDP, stop/start services, create files/folders, map drives between servers
                                 DB servers - access to SQL DB's controlled by Group membership, RDP to server, stop/start services, create files/folders , map drives between folders

Most functions can be controlled by policy. But to map drives between servers you need to be member of Local Admin. This then negates group membership and DB access. i.e if we control DB access based by AD groups as soon as you are a member of local admin you can do everything.
So in 2013 how do I allow users to map drives between servers and rest of fucntionality without adding "local Admin" to their membership ?
0
Comment
Question by:ccfcfc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 38

Expert Comment

by:Mahesh
ID: 39958650
If user has got read and execute permissions on share folder, they don't require admin rights on workstation \ server to map drives

You can add "allow logon through terminal services" user rights to these support users in GPO and apply this GPO to OU containing your servers
OR
You can add required support users to remote desktop users group on servers

You can give delete gated permission to users on services through GPO to start\stop etc
http://windowsitpro.com/security/how-can-i-delegate-permission-user-or-group-control-certain-services

On individual folders you can grant support users required permissions, for that you can use file system permissions feature in GPO

Also you can add support users to power users group and Network Configuration Operators group on server and this can be achieved through GPO Preferences
http://technet.microsoft.com/en-us/library/cc771990.aspx

If you have IIS 7.0 \ 7.5, then you can create IIS user and grant him rights on web sites
http://technet.microsoft.com/en-us/library/cc771311(v=ws.10).aspx

Personally I'd provide support users in local administrators group on servers because they need to manage every aspect of app \ infra servers, this will not grant them domain admins rights and also they cannot logon to Domain controllers

Mahesh.
0
 

Author Comment

by:ccfcfc
ID: 39959046
Thanks for your reply mahesh,

As you said if i create users under local admnistrator group on servers ,  the local administartor groups can be able to access everything in sql server.

So how could we deny permissions for the local admnistrator group ,so that they have limited rights to access the db ?

Thanks
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 1500 total points
ID: 39959957
By default you cannot restrict local administrators on any sever and to access any application on server

The workaround I can see is if you have separate SQL server, then you can grant required database users SQL sysadmin and Public rights on database so that they can access only that SQL database locally \ remotely

But still you need to assign some body as local administrator on actual SQL server and this is required for server administration, management, maintenance work, upgrades etc
You can have some trusted administrator, other wise you need to logon on to DB server as domain admins which is simply not resolve your question

Mahesh.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question