• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 428
  • Last Modified:

WINDOWS 2012 - map drives copy files - controlling useing Group Policy

Using Active Directory 2012, want to control by OU/groups what support users can/cannot do on individual member servers.
Scenario - have number of servers by role  Domain Controller, IIS servers, FTP Servers, DB servers (SQL), Applications Servers. Support users need to connect (RDP) to all servers but not to DC's. They will not be member of Domain Admin.  
Functions needed :- IIS, FTP,Application - RDP, stop/start services, create files/folders, map drives between servers
                                 DB servers - access to SQL DB's controlled by Group membership, RDP to server, stop/start services, create files/folders , map drives between folders

Most functions can be controlled by policy. But to map drives between servers you need to be member of Local Admin. This then negates group membership and DB access. i.e if we control DB access based by AD groups as soon as you are a member of local admin you can do everything.
So in 2013 how do I allow users to map drives between servers and rest of fucntionality without adding "local Admin" to their membership ?
0
ccfcfc
Asked:
ccfcfc
  • 2
1 Solution
 
MaheshArchitectCommented:
If user has got read and execute permissions on share folder, they don't require admin rights on workstation \ server to map drives

You can add "allow logon through terminal services" user rights to these support users in GPO and apply this GPO to OU containing your servers
OR
You can add required support users to remote desktop users group on servers

You can give delete gated permission to users on services through GPO to start\stop etc
http://windowsitpro.com/security/how-can-i-delegate-permission-user-or-group-control-certain-services

On individual folders you can grant support users required permissions, for that you can use file system permissions feature in GPO

Also you can add support users to power users group and Network Configuration Operators group on server and this can be achieved through GPO Preferences
http://technet.microsoft.com/en-us/library/cc771990.aspx

If you have IIS 7.0 \ 7.5, then you can create IIS user and grant him rights on web sites
http://technet.microsoft.com/en-us/library/cc771311(v=ws.10).aspx

Personally I'd provide support users in local administrators group on servers because they need to manage every aspect of app \ infra servers, this will not grant them domain admins rights and also they cannot logon to Domain controllers

Mahesh.
0
 
ccfcfcAuthor Commented:
Thanks for your reply mahesh,

As you said if i create users under local admnistrator group on servers ,  the local administartor groups can be able to access everything in sql server.

So how could we deny permissions for the local admnistrator group ,so that they have limited rights to access the db ?

Thanks
0
 
MaheshArchitectCommented:
By default you cannot restrict local administrators on any sever and to access any application on server

The workaround I can see is if you have separate SQL server, then you can grant required database users SQL sysadmin and Public rights on database so that they can access only that SQL database locally \ remotely

But still you need to assign some body as local administrator on actual SQL server and this is required for server administration, management, maintenance work, upgrades etc
You can have some trusted administrator, other wise you need to logon on to DB server as domain admins which is simply not resolve your question

Mahesh.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now