Solved

WINDOWS 2012 - map drives, copy files - controlling using Group Policy

Posted on 2014-03-27
3
420 Views
Last Modified: 2014-04-03
Using Active Directory 2012, I want to control by OU/groups what support users can/cannot do on individual member servers.
Scenario - we have a number of servers by role: Domain Controller, IIS servers, FTP servers, DB servers (SQL), Application servers. Support users need to connect (RDP) to all servers but not to DCs. They will not be members of Domain Admins.
Functions needed :- IIS, FTP, Application - RDP, stop/start services, create files/folders, map drives between servers
                                 DB servers - access to SQL DBs controlled by group membership, RDP to server, stop/start services, create files/folders, map drives between folders

Most functions can be controlled by policy. But to map drives between servers you need to be a member of Local Admin. This then negates group membership and DB access, i.e. if we control DB access by AD groups, as soon as you are a member of local admin you can do everything.
So in 2013 how do I allow users to map drives between servers and the rest of the functionality without adding "local Admin" to their membership?
0
Question by:ccfcfc
3 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39958650
If a user has read and execute permissions on a shared folder, they don't require admin rights on the workstation \ server to map drives

You can add the "Allow log on through Terminal Services" user right to these support users in a GPO and apply this GPO to the OU containing your servers
OR
You can add the required support users to the Remote Desktop Users group on the servers

You can give delegated permission to users on services through GPO to start\stop etc
http://windowsitpro.com/security/how-can-i-delegate-permission-user-or-group-control-certain-services

On individual folders you can grant support users the required permissions; for that you can use the file system permissions feature in GPO

Also you can add support users to the Power Users group and Network Configuration Operators group on the server, and this can be achieved through GPO Preferences
http://technet.microsoft.com/en-us/library/cc771990.aspx

If you have IIS 7.0 \ 7.5, then you can create an IIS user and grant him rights on web sites
http://technet.microsoft.com/en-us/library/cc771311(v=ws.10).aspx

Personally I'd put support users in the local administrators group on servers because they need to manage every aspect of app \ infra servers; this will not grant them domain admin rights and also they cannot log on to Domain Controllers

Mahesh.
0
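The delegation described in the comment above (service start/stop rights, RDP logon and a share that can be mapped without admin rights), as an added PowerShell example that is not part of the original thread. It assumes a domain NetBIOS name CONTOSO, a support group "Support-AppServers", the IIS and FTP service names W3SVC and ftpsvc, and a share folder D:\Exchange; all of these are placeholders. Run it elevated on the member server (or push the same commands through a GPO startup script):

```powershell
# Added example, not from the original thread. Delegates start/stop on named services,
# RDP logon and a mapped share to an AD group WITHOUT adding it to local Administrators.
# Assumptions (placeholders): domain CONTOSO, group Support-AppServers, services W3SVC/ftpsvc,
# share folder D:\Exchange. Run elevated on the server.

$Group     = 'CONTOSO\Support-AppServers'
$Services  = @('W3SVC', 'ftpsvc')      # assumed IIS web and FTP service names
$SharePath = 'D:\Exchange'             # hypothetical folder support staff will map
$ShareName = 'Exchange'

$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Service access rights (winsvc.h): QUERY_CONFIG 0x1, QUERY_STATUS 0x4, ENUMERATE_DEPENDENTS 0x8,
# START 0x10, STOP 0x20, PAUSE_CONTINUE 0x40, INTERROGATE 0x80, USER_DEFINED_CONTROL 0x100,
# READ_CONTROL 0x20000. CHANGE_CONFIG (0x2), WRITE_DAC and WRITE_OWNER are deliberately left out:
# being able to change a service's binary path or DACL is a local privilege-escalation route.
$ServiceOperatorMask = 0x1 -bor 0x4 -bor 0x8 -bor 0x10 -bor 0x20 -bor 0x40 -bor 0x80 -bor 0x100 -bor 0x20000  # 0x201FD

function Grant-ServiceControl {
    param([string]$Name, [System.Security.Principal.SecurityIdentifier]$Sid, [int]$Mask)
    # "sc.exe sdshow" prints a blank line followed by the service's SDDL string
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { throw "could not read the security descriptor of service $Name" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    # Idempotent: skip if an ACE for this SID is already present
    if ($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $Sid }) {
        Write-Host "$Name : ACE for $Group already present"; return
    }
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Mask, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)   # append an allow ACE

    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    & sc.exe sdset $Name $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for $Name" }
    Write-Host "$Name : granted start/stop/query to $Group"
}

foreach ($svc in $Services) { Grant-ServiceControl -Name $svc -Sid $sid -Mask $ServiceOperatorMask }

# RDP logon: on a member server the "Allow log on through Remote Desktop Services" right is
# held by Remote Desktop Users by default, so group membership alone is enough unless a GPO
# redefines that user right.
& net localgroup "Remote Desktop Users" $Group /add

# Share for drive mapping: Modify on NTFS, Change on the share. Mapping needs no admin rights.
# Inheritance is cut and Everyone is granted nothing.
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
& icacls $SharePath /inheritance:r /grant:r "${Group}:(OI)(CI)M" 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Group -FullAccess 'BUILTIN\Administrators' | Out-Null

# Verification from a support user's (non-elevated) session; both should succeed:
#   Restart-Service W3SVC
#   net use S: \\<server>\Exchange
```

The access mask is the part worth checking: granting the full default-Administrators service mask (which includes CHANGE_CONFIG and WRITE_DAC) would let the support group repoint the service binary and effectively become SYSTEM, which is the same outcome as local admin by another route.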
 

Author Comment

by:ccfcfc
ID: 39959046
Thanks for your reply Mahesh,

As you said, if I create users under the local administrators group on servers, the local administrators group will be able to access everything in SQL Server.

So how could we deny permissions for the local administrators group, so that they have limited rights to access the DB?

Thanks
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39959957
By default you cannot restrict local administrators on any server from accessing any application on the server

The workaround I can see is: if you have a separate SQL server, then you can grant the required database users SQL sysadmin and Public rights on the database so that they can access only that SQL database locally \ remotely

But still you need to assign somebody as local administrator on the actual SQL server, and this is required for server administration, management, maintenance work, upgrades etc
You can have some trusted administrator; otherwise you need to log on to the DB server as domain admin, which simply does not resolve your question

Mahesh.
0
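The database-scoped access the accepted solution describes (rights inside one SQL database only, driven by AD group membership), as an added example that is not part of the original thread. It grants an AD group a database role with no server-level role, then lists which Windows logins and groups actually hold sysadmin, which is what decides whether local administrators of the host inherit full control of the instance. It assumes the instance name DBSRV01, database AppDb and group CONTOSO\DB-AppUsers (all placeholders), SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER, and the SQLPS or SqlServer module for Invoke-Sqlcmd:

```powershell
# Added example, not from the original thread. Grants an AD group rights in ONE database,
# no server role, and reports which Windows principals hold sysadmin on the instance.
# Assumptions (placeholders): instance DBSRV01, database AppDb, group CONTOSO\DB-AppUsers.
# Needs SQL Server 2012+ (ALTER ROLE ... ADD MEMBER) and Invoke-Sqlcmd (SQLPS/SqlServer module).
# Run as a SQL sysadmin login.

$Instance = 'DBSRV01'
$Database = 'AppDb'
$Group    = 'CONTOSO\DB-AppUsers'

$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Group')
    CREATE LOGIN [$Group] FROM WINDOWS;            -- server login only, no server roles
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Group')
    CREATE USER [$Group] FOR LOGIN [$Group];
ALTER ROLE db_datareader ADD MEMBER [$Group];      -- adjust: db_datawriter, db_ddladmin, db_owner
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $grant

# Which Windows users/groups have full control of the instance? A BUILTIN\Administrators
# login in sysadmin is what turns every local admin into a SQL admin; SQL Server 2008 and
# later do not create it by default.
$audit = @"
SELECT p.name, p.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin' AND p.type IN ('U', 'G')   -- Windows logins and groups
ORDER BY p.name;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $audit | Format-Table -AutoSize

# The support group itself must not appear in any server role (expect 0)
Invoke-Sqlcmd -ServerInstance $Instance -Query "SELECT IS_SRVROLEMEMBER('sysadmin', N'$Group') AS is_sysadmin;"
```

The caveat the accepted solution makes still applies: a local administrator of the SQL host can stop the instance and restart it in single-user mode (the -m startup option), connect as a member of the local Administrators group and re-add themselves to sysadmin, so keeping the SQL-level role list clean limits casual access but does not replace trusting whoever is local admin on the DB server.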
