Solved

Add user with specific authority to domain in Windows Server 2008 R2

Posted on 2014-12-23
Last Modified: 2014-12-30
Hello Expert,
We have the domain x.com installed on Windows Server 2008 R2, and all computers are joined to this domain. Now we want to give some users authority to do their work.
1. Group 1: add user, remove user, reset password for domain users
2. Group 2: add and remove folder sharing for specific users in the domain, and give or remove authority for users to join specific folders
3. Group 3: add new computers to the domain
4. Group 4: install and uninstall applications on user accounts. Because all users have no authority, I need to give a specific group the authority to install applications for users
5. Group 5: remote desktop for specific users to log in to user computers remotely
6. Group 6: remote desktop for specific users to log in to the server at the same time (multiple users joined to the server at the same time). Now, if one user is logged in when a second user tries to log in, the first one must log out
Are there any documents or step-by-step instructions to accomplish these jobs?
Regards
0
Question by:maryam_adnan

Accepted Solution

by:
Rob G earned 500 total points
ID: 40515168
You can do some of this with Group Policy, but not all of it.
Most of what you are looking for sounds like you want admin permissions for some users, but not full-blown admins. There is third-party software out there that will do this, but you can't do it out of the box without a TON of legwork manually configuring folder permissions and setting them all not to inherit security settings.

1. Group 1: add user, remove user, reset password for domain users
Currently the only way to do this out of the box is to set these users as domain admins (which gives them permissions to everything).


2. Group 2: add and remove folder sharing for specific users in the domain, and give or remove authority for users to join specific folders
If the permissions are set up in the policy, you will need a domain admin to be able to add users to these groups. If this is done through scripting, you can script adding permissions to the folders through the login script, but to do this on the fly you will need custom VB scripting that contains the domain admin password to access the system to add people to the folders.

3. Group 3: add new computers to the domain
There is a setting in Active Directory to allow this as a user, but there is a limit of 100 computers per user without full-on domain admin access.

4. Group 4: install and uninstall applications on user accounts. Because all users have no authority, I need to give a specific group the authority to install applications for users
You can grant certain people admin access on the local desktops so that they can log into them and install the applications as needed.

5. Group 5: remote desktop for specific users to log in to user computers remotely
You can add people in AD under the Remote Users/Remote Desktop Users permissions, which will allow people to RDP into certain machines. Alternatively, you can manually add people on certain computers under the same field on the local machine to allow this as well.


6. Group 6: remote desktop for specific users to log in to the server at the same time (multiple users joined to the server at the same time). Now, if one user is logged in when a second user tries to log in, the first one must log out
Are there any documents or step-by-step instructions to accomplish these jobs?
You need to purchase RDS or Terminal Server licensing to be able to have multiple sessions on a single server, otherwise only one at a time can log into the system.
0
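
Items 4 and 5 of the accepted answer (local admin access and Remote Desktop Users membership on the workstations), as an added PowerShell example that is not part of the original thread. The NetBIOS domain name `X`, the domain groups `group4` and `group5`, and the computer names are assumptions; it uses the ADSI WinNT provider so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the thread): map domain groups to built-in local
# groups on workstations, so support staff get rights scoped to those
# machines rather than Domain Admins membership.
# Assumed names: NetBIOS domain "X", domain groups "group4" / "group5",
# workstations "PC-01" / "PC-02". Run it as an account that is already a
# local administrator on the target computers.

$Domain    = 'X'
$Computers = 'PC-01', 'PC-02'
$Map = @{
    'Administrators'       = 'group4'   # item 4: install/uninstall software
    'Remote Desktop Users' = 'group5'   # item 5: RDP to user computers
}

function Add-DomainGroupToLocalGroup {
    param(
        [string]$Computer,
        [string]$LocalGroup,
        [string]$Domain,
        [string]$DomainGroup
    )
    $local  = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    $member = "WinNT://$Domain/$DomainGroup"

    # Idempotent: do nothing when the domain group is already a member.
    if ($local.psbase.Invoke('IsMember', $member)) { return 'already-member' }

    $local.psbase.Invoke('Add', $member)
    return 'added'
}

foreach ($computer in $Computers) {
    foreach ($localGroup in $Map.Keys) {
        try {
            $result = Add-DomainGroupToLocalGroup -Computer $computer `
                -LocalGroup $localGroup -Domain $Domain -DomainGroup $Map[$localGroup]
        } catch {
            # Unreachable host, access denied, or unknown group name.
            $result = "error: $($_.Exception.Message)"
        }
        # One record per change, so the output can be kept as an audit trail.
        New-Object PSObject -Property @{
            Computer = $computer; LocalGroup = $localGroup
            DomainGroup = "$Domain\$($Map[$localGroup])"; Result = $result
        }
    }
}
```

Local Administrators membership gives full control of that computer, so keep `$Computers` limited to the workstations concerned. For a large number of machines, the same mapping can be applied centrally with the Restricted Groups setting in Group Policy.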
 

Author Comment

by:maryam_adnan
ID: 40515368
Hello,
Thank you for your reply. If there is an application that can do that, please let me know its name. Also, if it is easier to accomplish these jobs that way instead of with Group Policy, that would be great.

Regards
0
 

Expert Comment

by:Rob G
ID: 40515386
This will do your permissions things:
http://www.ca.com/us/securecenter/ca-privileged-identity-manager.aspx

But honestly, for the amount of work, custom development and cost to get everything up and running, why don't you just hire a Windows administrator?
0
 

Author Comment

by:maryam_adnan
ID: 40515490
Hello,
Are there any other ways to do these jobs?

Regards
0
