ccfcfc asked:
WINDOWS 2012 - map drives copy files - controlling using Group Policy
Using Active Directory 2012, want to control by OU/groups what support users can/cannot do on individual member servers.
Scenario - have number of servers by role Domain Controller, IIS servers, FTP Servers, DB servers (SQL), Applications Servers. Support users need to connect (RDP) to all servers but not to DC's. They will not be member of Domain Admin.
Functions needed :- IIS, FTP, Application - RDP, stop/start services, create files/folders, map drives between servers
DB servers - access to SQL DBs controlled by group membership, RDP to server, stop/start services, create files/folders, map drives between folders
Most functions can be controlled by policy. But to map drives between servers you need to be a member of Local Admin. This then negates group membership and DB access, i.e. if we control DB access based on AD groups, as soon as you are a member of local admin you can do everything.
So in 2013 how do I allow users to map drives between servers and the rest of the functionality without adding "local Admin" to their membership?
ASKER
Thanks for your reply Mahesh,
As you said, if I create users under the local administrator group on servers, the local administrator group will be able to access everything in SQL Server.
So how could we deny permissions for the local administrator group, so that they have limited rights to access the DB?
Thanks
ASKER CERTIFIED SOLUTION
You can add "allow logon through terminal services" user rights to these support users in GPO and apply this GPO to OU containing your servers
OR
You can add required support users to remote desktop users group on servers
You can give delegated permission to users on services through GPO to start\stop etc
http://windowsitpro.com/security/how-can-i-delegate-permission-user-or-group-control-certain-services
On individual folders you can grant support users required permissions, for that you can use file system permissions feature in GPO
Also you can add support users to power users group and Network Configuration Operators group on server and this can be achieved through GPO Preferences
http://technet.microsoft.com/en-us/library/cc771990.aspx
If you have IIS 7.0 \ 7.5, then you can create IIS user and grant him rights on web sites
http://technet.microsoft.com/en-us/library/cc771311(v=ws.10).aspx
Personally I'd put support users in the local administrators group on servers because they need to manage every aspect of app \ infra servers; this will not grant them domain admin rights, and they also cannot log on to Domain Controllers.
Mahesh.
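The items in Mahesh's answer (Remote Desktop access, delegated service start/stop, folder permissions for creating files and mapping drives) can be applied per server without putting the support group in local Administrators. The script below is an added example written for this thread, not code from Mahesh or from Experts Exchange. The group name CORP\Support-AppServers, the service names, the folder D:\AppShare and the share name are assumptions; replace them with your own. It reports what it would change and only applies the changes with -Apply. It uses net.exe and sc.exe because the newer LocalAccounts cmdlets are not present on Windows Server 2012; for a domain-wide rollout the same settings map to GPO Preferences (Local Users and Groups), the System Services policy and File System permissions, this script being the per-server equivalent you can run to verify the result.

```powershell
<#
  Added example (not from the thread): least-privilege delegation on one
  member server instead of adding support staff to local Administrators.
  Run from an elevated PowerShell prompt on the target server.
  Assumed names: CORP\Support-AppServers, W3SVC/ftpsvc, D:\AppShare, AppShare.
#>
param(
    [string]$Group      = 'CORP\Support-AppServers',   # assumed AD group
    [string[]]$Services = @('W3SVC', 'ftpsvc'),        # assumed services to delegate
    [string]$SharePath  = 'D:\AppShare',               # assumed folder to share
    [string]$ShareName  = 'AppShare',                  # assumed share name
    [switch]$Apply                                     # without -Apply: report only
)

$ErrorActionPreference = 'Stop'

# Service security descriptors are expressed in SDDL and need the SID, not the name.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. RDP: membership of Remote Desktop Users allows logon through Remote Desktop
#    without any administrative rights on the server.
$rdpMembers = net localgroup 'Remote Desktop Users'
if ($rdpMembers -notcontains $Group) {
    Write-Host "Add $Group to Remote Desktop Users"
    if ($Apply) { net localgroup 'Remote Desktop Users' $Group /add | Out-Null }
}

# 2. Services: append one ACE per service granting query (CC LC SW LO RC),
#    start (RP), stop (WP), pause/continue (DT) and user-defined control (CR).
#    The ACE does not grant WD/DC, so the group cannot change the service
#    configuration (binary path, logon account) or its ACL.
$ace = "(A;;CCLCSWRPWPDTLOCRRC;;;$sid)"
foreach ($svc in $Services) {
    Get-Service -Name $svc | Out-Null                  # throws if the service is missing
    $sddl = (sc.exe sdshow $svc | Where-Object { $_.Trim() }) -join ''
    if ($sddl -like "*$sid*") {
        Write-Host "$svc already has an ACE for $Group"
        continue
    }
    # Keep the DACL (D:...) and the optional SACL (S:...) in order; insert the ACE
    # at the end of the DACL.
    $dacl, $sacl = $sddl -split '(?=S:)', 2
    $newSddl = $dacl + $ace + $sacl
    Write-Host "$svc -> $newSddl"
    if ($Apply) { sc.exe sdset $svc $newSddl | Out-Null }
}

# 3. Files and drive mapping: Modify on the folder lets the group create files
#    and folders; Change on the share lets them map it from another server.
if (-not (Test-Path $SharePath)) {
    Write-Host "Create folder $SharePath"
    if ($Apply) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
}
if (Test-Path $SharePath) {
    $acl  = Get-Acl -Path $SharePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Write-Host "Grant Modify on $SharePath to $Group"
    if ($Apply) { Set-Acl -Path $SharePath -AclObject $acl }
}
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    Write-Host "Create share \\$env:COMPUTERNAME\$ShareName with Change access for $Group"
    if ($Apply) {
        New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Group | Out-Null
    }
}

# 4. Check the property the whole exercise depends on: the support group must
#    not be in local Administrators, otherwise group-based DB access is moot.
$admins = net localgroup Administrators
if ($admins -contains $Group) {
    Write-Warning "$Group is a member of local Administrators on this server"
} else {
    Write-Host "$Group is not in local Administrators (expected)"
}
```

Run it once without -Apply to see the planned SDDL and ACL changes, then with -Apply. The service ACE is the same set of rights the article linked above delegates through the System Services GPO setting; checking `sc.exe sdshow <service>` afterwards shows the ACE in place, and the final membership check is worth keeping as a recurring audit on every member server where DB access is meant to be controlled by AD group membership.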