We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Solved
Add user with spesific authority to domain in windows server 2008R2
Posted on 2014-12-23
Hello Expert,
Please we have domain x.com installed on windows server 2008 R2 and all computer are join on this domain. Now we want to some users authority to do their works.
1- group 1- add user-remove user-reset password for domain user
2- group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
3- group3-add new computer to domain
4- group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
5- group5-remote desktop for specific user to log in to user computer remotely
6- group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
Regards
Please we have domain x.com installed on windows server 2008 R2 and all computer are join on this domain. Now we want to some users authority to do their works.
1- group 1- add user-remove user-reset password for domain user
2- group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
3- group3-add new computer to domain
4- group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
5- group5-remote desktop for specific user to log in to user computer remotely
6- group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
Regards
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
2
-
2
4 Comments
You can do some of this with Group Policy, but not all of it.
Most of what you are looking for sounds like you want admin permissions on some users, but not full blown admins, there is 3rd party software out there that will do this, but you can't do it out of the box, without a TON of leg work manually configuring folder permissions and setting them all to not get inherited security settings..
1- group 1- add user-remove user-reset password for domain user
Currently the only way to do this out of the box is to set these users as domain admins. (Which gives them permissions to everything)
2- group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
If the permissions are setup in the Policy you will need a domain admin to be able to add users to these groups, if this is done through scripting you can script to add permissions to the folders through the login script, but to do this on the fly, you will need custom VB scripting that contains the domain admin password to access the system to add people to the folders.
3- group3-add new computer to domain
There is a setting in active directory to allow this as a user, but there is a limitation to 100 computers per user, without full on domain admin access.
4- group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
You can grant certain people admin access on the local desktops so that they can log into them and install the applications as needed.
5- group5-remote desktop for specific user to log in to user computer remotely
You can add people into AD under the Remote users/Remote Desktop users permissions, which will allow people to rdp into certain machines. Alternately you can manually add people into certain computers under the same field on the local machine to allow this as well.
6- group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
You need to purchase RDS or Terminal Server licensing to be able to have multiple sessions on a single server, otherwise only one at a time can log into the system.
Most of what you are looking for sounds like you want admin permissions on some users, but not full blown admins, there is 3rd party software out there that will do this, but you can't do it out of the box, without a TON of leg work manually configuring folder permissions and setting them all to not get inherited security settings..
1- group 1- add user-remove user-reset password for domain user
Currently the only way to do this out of the box is to set these users as domain admins. (Which gives them permissions to everything)
2- group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
If the permissions are setup in the Policy you will need a domain admin to be able to add users to these groups, if this is done through scripting you can script to add permissions to the folders through the login script, but to do this on the fly, you will need custom VB scripting that contains the domain admin password to access the system to add people to the folders.
3- group3-add new computer to domain
There is a setting in active directory to allow this as a user, but there is a limitation to 100 computers per user, without full on domain admin access.
4- group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
You can grant certain people admin access on the local desktops so that they can log into them and install the applications as needed.
5- group5-remote desktop for specific user to log in to user computer remotely
You can add people into AD under the Remote users/Remote Desktop users permissions, which will allow people to rdp into certain machines. Alternately you can manually add people into certain computers under the same field on the local machine to allow this as well.
6- group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
You need to purchase RDS or Terminal Server licensing to be able to have multiple sessions on a single server, otherwise only one at a time can log into the system.
Hello,
Thank you for your reply. Please if there is application can do that let me know the name of it. also if it is easier to accomplish these jobs instead of group policy. that will be great
Regards
Thank you for your reply. Please if there is application can do that let me know the name of it. also if it is easier to accomplish these jobs instead of group policy. that will be great
Regards
This will do your permissions things:
http://www.ca.com/us/securecenter/ca-privileged-identity-manager.aspx
But honestly,
for the amount of work, custom development and cost to get everything up and running, why don't you just hire a windows administrator?
http://www.ca.com/us/securecenter/ca-privileged-identity-manager.aspx
But honestly,
for the amount of work, custom development and cost to get everything up and running, why don't you just hire a windows administrator?
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
A small collection of useful tips and tricks for Windows 10 users that I decided to write as a result of recent questions that were asked and answered at Experts Exchange. Two short video tutorials included. Enjoy..
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
- Microsoft Applications
- Windows OS
- Fonts Typography
- Web Browsers
- Microsoft Word
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten.
The USB drive must be s…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
- Windows 10
- Microsoft Legacy OS
- Windows 8
- Windows OS
- Windows 7
- Windows Vista, Windows XP, Windows 2000, *Windows Explorer, *Internet Explorer (IE)
Suggested Courses
Course of the Month7 days, 22 hours left to enroll
610 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.