Add user with spesific authority to domain in windows server 2008R2

Hello Expert,
Please we have domain x.com installed on windows server 2008 R2 and all computer are join on this domain. Now we want to some users authority to do their works.
1-      group 1- add user-remove user-reset password for domain user
2-      group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
3-      group3-add new computer to domain
4-      group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
5-      group5-remote desktop for specific user to log in to user computer remotely
6-      group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
Regards
maryam_adnanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rob GMicrosoft Systems EngineerCommented:
You can do some of this with Group Policy, but not all of it.
Most of what you are looking for sounds like you want admin permissions on some users, but not full blown admins, there is 3rd party software out there that will do this, but you can't do it out of the box, without a TON of leg work manually configuring folder permissions and setting them all to not get inherited security settings..

1-      group 1- add user-remove user-reset password for domain user
Currently the only way to do this out of the box is to set these users as domain admins. (Which gives them permissions to everything)


2-      group2-add folder shearing and remove folder shearing for specific users in domain and give or remove authority for user to join specific folders
If the permissions are setup in the Policy you will need a domain admin to be able to add users to these groups, if this is done through scripting you can script to add permissions to the folders through the login script, but to do this on the fly, you will need custom VB scripting that contains the domain admin password to access the system to add people to the folders.

3-      group3-add new computer to domain
There is a setting in active directory to allow this as a user, but there is a limitation to 100 computers per user, without full on domain admin access.

4-      group4-install and uninstall application on user account. Because all user have no authority so I need to give specific group to install application for users
You can grant certain people admin access on the local desktops so that they can log into them and install the applications as needed.

5-      group5-remote desktop for specific user to log in to user computer remotely
You can add people into AD under the Remote users/Remote Desktop users permissions, which will allow people to rdp into certain machines. Alternately you can manually add people into certain computers under the same field on the local machine to allow this as well.


6-      group6-remote desktop for specific user to log in to server at same time (multi-user join to server at same time) now if one user is log in when second user try to log in the first one must log out
Any documents or step by step to accomplish this jobs
You need to purchase RDS or Terminal Server licensing to be able to have multiple sessions on a single server, otherwise only one at a time can log into the system.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
maryam_adnanAuthor Commented:
Hello,
Thank you for your reply. Please if there is application can do that let me know the name of it. also if it is easier to accomplish these jobs instead of group policy. that will be great

Regards
0
Rob GMicrosoft Systems EngineerCommented:
This will do your permissions things:
http://www.ca.com/us/securecenter/ca-privileged-identity-manager.aspx

But honestly,
for the amount of work, custom development and cost to get everything up and running, why don't you just hire a windows administrator?
0
maryam_adnanAuthor Commented:
Hello,
Any other ways to do that jobs?

Regards
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.