  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 101

How can we configure a domain admin user without having Exchange admin rights?

We have a Small Business Server 2011, patched to the latest service packs and updates including those for Exchange 2010.

We have a requirement to set up a user (or group of users) that are able to perform administrative tasks on the server (add/remove users, reset passwords, set file/share permissions, check and configure backups, etc.) but without having Exchange admin rights (basically, so they are unable to grant themselves or others access to mailboxes).

Is this possible on SBS2011?  If so, how do we go about configuring it?

Thanks in advance as always.
Asked by David Haycox

3 Solutions
 
McKnife commented:
Hi.

You can do it, but you would not make him domain admin; instead, use the Delegation of Control wizard to delegate AD permissions -> add/remove users and reset passwords can be delegated. To let him set file share permissions, he will need an ACL entry with full access for himself, that's all - he does not need to be domain admin.

To check backups, he does not need to be domain admin either, but the requirements here are not clear since we don't know your backup solution.
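The delegation McKnife describes, written out as an added example (not code from the thread or from SBS): it grants one group the "Reset Password" control access right plus write access to pwdLastSet and lockoutTime on user objects under one OU, which is the same set of ACEs the Delegation of Control wizard writes for "Reset user passwords and force password change at next logon" and account unlock. The OU path and group name are assumptions; the GUIDs are read from the live schema rather than hard-coded.

```powershell
# Added example (not from the thread): delegate password reset and account
# unlock over one OU to a group, instead of making anyone a Domain Admin.
# The OU path and group name below are assumptions; adjust to your domain.
Import-Module ActiveDirectory

$ouDN      = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=local'   # assumed
$groupName = 'Delegated Helpdesk'                                        # assumed

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the live schema / Extended-Rights container.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    New-Object Guid (,$obj.schemaIDGUID)     # schemaIDGUID comes back as byte[]
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

$sid       = (Get-ADGroup -Identity $groupName).SID
$userClass = Get-SchemaGuid 'user'
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$aces = @(
    # "Reset Password" control access right, scoped to user objects only
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userClass)
    # write pwdLastSet so "user must change password at next logon" can be set
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
        (Get-SchemaGuid 'pwdLastSet'), $inherit, $userClass)
    # write lockoutTime so locked-out accounts can be unlocked
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
        (Get-SchemaGuid 'lockoutTime'), $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
$aces | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show exactly what the group now holds on the OU. Nothing here grants
# group membership changes, object creation or any Exchange right.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Account creation is deliberately left out, since on SBS that belongs to the console wizard (which also creates the mailbox). One caveat worth knowing: ACEs inherited this way never take effect on members of protected groups such as Domain Admins, because the SDProp process periodically rewrites their ACLs from AdminSDHolder, so the delegated group cannot reset an administrator's password even if that account sits under the delegated OU.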
 
David Haycox (Author) commented:
Thanks for that.  We're using the built-in Windows Server / SBS Backup to rotated USB drives.
 
McKnife commented:
And checking backups simply means he would need to look at the logs? Then he needs read access to the log file, that's all.
 
Larry Struckmeyer MVP commented:
Have not checked this myself because it has never been an issue.... but wondering if the Console Add User Wizard will work if the user has no Exchange rights..... since the Add User Wizard does create the user's mailbox.
 
McKnife commented:
Larry, you could be right - I never used an SBS apart from initial testing many years ago. So if that wizard is the only way and if it automatically tries to create an account, of course that would fail. But inside the Exchange part there might be delegations, too, mightn't there? Sorry, I won't be able to test.
 
Larry Struckmeyer MVP commented:
Apart from the Wizard, which is the best way to manage an SBS, why would you want to create a new user with no mailbox?  The original question had to do with that.  I guess that as long as the activities of this "super user" did not include any exchange functions (changing a name as another example), one might be able to do what is described..... as long as you can figure out a way to enable this person to logon to the server in the first place.
 
David Haycox (Author) commented:
Interesting comments!  I would suspect the SBS wizards would break if the user is not a domain / Exchange admin, so for ease I'll remove the requirement to add new users (and anything else that involves Exchange).

To allow the user to log on to the server you can add the user/group to the "allow log on through Remote Desktop Services" setting (Computer Configuration, Windows Settings, Security Settings, User Rights Assignment) in local policy (GPEDIT.MSC) or in a group policy.

That doesn't make the user a local admin though, so while he/she can log on there's a UAC prompt when trying to do pretty much anything (like running MMC or the Server Backup console).

So does he have to use remote admin tools, or is there a way to allow him to log on by Remote Desktop to run e.g. MMC locally?
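A way to check the user right David mentions, as an added example (not from the thread): it exports the effective local security policy with secedit and lists who holds "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight), its deny counterpart, and "Allow log on locally", translating the SIDs secedit writes back to account names. The temp file name is an assumption; run it in an elevated prompt on the server.

```powershell
# Added example (not from the thread): list who holds the Remote Desktop and
# local logon rights on this server, from the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg

function Get-RightHolders([string]$privilege) {
    # secedit writes e.g.  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = $policy | Where-Object { $_ -match "^$privilege\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # entries are SIDs prefixed with '*'; translate to names where possible
            try {
                (New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeInteractiveLogonRight') {
    $right
    $holders = @(Get-RightHolders $right)
    if ($holders.Count -eq 0) { '  (nobody)' } else { $holders | ForEach-Object { "  $_" } }
}
```

Because an SBS box is a domain controller, these rights come from the Default Domain Controllers Policy: a change made in GPEDIT.MSC on the server is overwritten at the next policy refresh, so the group has to be added in the GPO linked to the Domain Controllers OU. Membership of the local Remote Desktop Users group alone is not sufficient on a DC, since the DC default grants the right only to Administrators. As David notes, holding the right does not make the user an administrator; it only lets them open a session.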
 
Larry Struckmeyer MVP commented:
I think you are overthinking this.  Either you trust this person(s) or not.  If you can't trust them they have NO business connecting to your servers with anything but shares.  Full Stop.
 
Gareth Gudger commented:
You could remove that user from all the Exchange security groups such as Organization Management, but as a Domain Admin they could easily add themselves back into these groups.

Maybe Active Directory Delegation of Administration could help. Just delegate to them a few OUs where all the users or computer accounts are located. That way they can't access the Exchange Security OU. Never tried it. But only thing I can think of.
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Active-Directory-Delegation-Administration.html

I would guess SBS isn't set this way but the full version of Exchange also lets you choose to completely separate AD administration from Exchange administration.
 
David Haycox (Author) commented:
Larry: I'm inclined to agree with you, but it's not my decision here - I'm just implementing it.  Having said that, I can understand the reasons behind trusting a technical admin to reset a password but not trusting the same person with the ability to view the management's confidential emails (possibly about other members of staff).  At the end of the day, if it can't be done on SBS, then so be it.

I will try out the delegation and post back the results.
 
Larry Struckmeyer MVP commented:
Admins need to reset passwords very seldom.  Ctrl-Alt-Del on the workstation brings up a change password button.  If we are discussing the occasions where you wish to lock someone out or the user has somehow forgotten his password, in my experience that happens very seldom.  If you really can't trust the assistant admin, how about your external IT support for those few times that the regular internal admin is not available?
 
Cris Hanna commented:
You can add the user to the Server Operators group, but that will not allow access to the SBS console.  But they could reset passwords via Users and Computers. They could also deal with file and folder permissions.  But they can't create new users.
 
David Haycox (Author) commented:
The AD delegation works well (I just delegated down from the MyBusiness OU), allowing changes to user accounts but nothing involving admin accounts or groups.

I found a group called "Domain Power Users" (not sure if this is a default with Server 2008, SBS2011, or perhaps left over from SBS2003 - in any case it had no members) which is a member of the following groups:

Account Operators
Fax Operators
Folder Operators
Mail Operators
Print Operators
Remote Operators
SharePoint Administrators

I removed "Mail Operators" from the group and made the user in question a member.  I also added "DHCP Administrators", "Backup Operators" and "DnsAdmins" to the group.

This allows the user to administer the AD (in part), DHCP and DNS from their PC or a Remote Desktop server running Remote Server Administration Tools.

I haven't tested the rest yet, will update when have full details.
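After assembling a group like "Domain Power Users", the check a practitioner wants is the user's effective membership, nested groups included, with anything Exchange-related or otherwise privileged flagged. The following is an added example (not from the thread): it uses the LDAP_MATCHING_RULE_IN_CHAIN filter so that groups reached only through "Domain Power Users" are returned, and flags groups living in the Exchange 2010 "Microsoft Exchange Security Groups" OU, a watch list of built-in privileged groups, and anything AdminSDHolder-protected. The account name is an assumption.

```powershell
# Added example (not from the thread): audit the effective (nested) group
# membership of the delegated admin and flag Exchange or high-privilege groups.
Import-Module ActiveDirectory

$sam  = 'helpdesk.admin'   # assumed delegated admin account
$user = Get-ADUser -Identity $sam -Properties primaryGroup

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested
# membership server-side, so indirect memberships are included.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" -Properties adminCount
# The primary group (normally Domain Users) is not stored in 'member'; add it explicitly.
$groups = @($groups) + @(Get-ADGroup -Identity $user.primaryGroup -Properties adminCount)

# Built-in groups whose rights reach well beyond one OU; names from the thread
# ("Mail Operators", "Account Operators", "Backup Operators") included.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators', 'Mail Operators'

$findings = foreach ($g in ($groups | Sort-Object Name)) {
    $flag = ''
    if ($g.DistinguishedName -like '*OU=Microsoft Exchange Security Groups,*') { $flag = 'EXCHANGE ROLE GROUP' }
    elseif ($privileged -contains $g.Name)                                     { $flag = 'PRIVILEGED BUILT-IN' }
    elseif ($g.adminCount -eq 1)                                               { $flag = 'AdminSDHolder-protected' }
    New-Object PSObject -Property @{ Group = $g.Name; Flag = $flag; DN = $g.DistinguishedName }
}
$findings | Format-Table Group, Flag, DN -AutoSize
```

Two things the output makes visible that the group list alone does not: Account Operators can create and modify user accounts and non-protected groups anywhere in the domain, which is far broader than an OU-level delegation, and Backup Operators carries the backup privilege that reads files regardless of their ACLs, which is worth weighing when the stated goal is keeping someone away from mailbox data. The check is a point-in-time snapshot, which is exactly Gareth's point: a real Domain Admin can add themselves back to any of these groups, so the audit is only meaningful for an account that is not one.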
 
Cris Hanna commented:
Just understand that they cannot access the SBS console with these settings and therefore can't create new users.
 
David Haycox (Author) commented:
Understood; we're after day-to-day admin, it's not that often that we need a new user and there's always plenty of notice when we do.
 
David Haycox (Author) commented:
We eventually gave up on this; we were trying to go behind the back of the SBS console and wizards (which is usually a bad idea) and so just assigned full admin rights or not depending on the user.

Thanks for the ideas!
