Solved

Add user with spesific authority to domain in windows server 2008R2

Posted on 2014-12-23
4
345 Views
Last Modified: 2014-12-30
Hello Expert,
Please we have domain x.com installed on windows server 2008 R2 and all computer are join on this domain. Now we want to some users authority to do their works.
1-      group 1- add user-remove user-reset password for domain user
2-      group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
3-      group3-add new computer to domain
4-      group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
5-      group5-remote desktop for specific user to log in to user computer remotely
6-      group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
Regards
0
Comment
Question by:maryam_adnan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
Rob G earned 500 total points
ID: 40515168
You can do some of this with Group Policy, but not all of it.
Most of what you are looking for sounds like you want admin permissions on some users, but not full blown admins, there is 3rd party software out there that will do this, but you can't do it out of the box, without a TON of leg work manually configuring folder permissions and setting them all to not get inherited security settings..

1-      group 1- add user-remove user-reset password for domain user
Currently the only way to do this out of the box is to set these users as domain admins. (Which gives them permissions to everything)


2-      group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
If the permissions are setup in the Policy you will need a domain admin to be able to add users to these groups, if this is done through scripting you can script to add permissions to the folders through the login script, but to do this on the fly, you will need custom VB scripting that contains the domain admin password to access the system to add people to the folders.

3-      group3-add new computer to domain
There is a setting in active directory to allow this as a user, but there is a limitation to 100 computers per user, without full on domain admin access.

4-      group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
You can grant certain people admin access on the local desktops so that they can log into them and install the applications as needed.

5-      group5-remote desktop for specific user to log in to user computer remotely
You can add people into AD under the Remote users/Remote Desktop users permissions, which will allow people to rdp into certain machines. Alternately you can manually add people into certain computers under the same field on the local machine to allow this as well.


6-      group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
You need to purchase RDS or Terminal Server licensing to be able to have multiple sessions on a single server, otherwise only one at a time can log into the system.
0
 

Author Comment

by:maryam_adnan
ID: 40515368
Hello,
Thank you for your reply. Please if there is application can do that let me know the name of it. also if it is easier to accomplish these jobs instead of group policy. that will be great

Regards
0
 
LVL 6

Expert Comment

by:Rob G
ID: 40515386
This will do your permissions things:
http://www.ca.com/us/securecenter/ca-privileged-identity-manager.aspx

But honestly,
for the amount of work, custom development and cost to get everything up and running, why don't you just hire a windows administrator?
0
 

Author Comment

by:maryam_adnan
ID: 40515490
Hello,
Any other ways to do that jobs?

Regards
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to use a free utility called 'Parkdale' to easily test the performance and benchmark any Hard Drive(s) installed in your computer. We also look at RAM Disks and their speed comparisons.
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question