Issue in Remote Login & delegating permissions

Dear Experts,

In my environment AD is configured in Windows server 2012 and also exchange 2013 is also installed . I need to give some rights to 5-10 users. Rights are creating users , editing , deleting , password reset ,create new mail id's or do the editing in exchange server and also create new group policy. I don't want to give them the full admin rights.

My second question is when i am trying to connect the remote server through one of the domain user i get the below error;-

“To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or  if the right has been removed from the Administrators group, you need to be granted the right manually.”

Regards,
JCT
LVL 1
jct_777Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MaheshArchitectCommented:
What is remote server, it is dc?

Add required user to recipient management group in ad, this will allow that user creating / removing mailboxes and manage other exchange specific attributes

Also add same user to "Accounts Operators" built-in ad group so that he can manage / create / delete users
If this is wide open, then use delegation of authority wizard in ad and grant password reset or any other permissions
U will find lot articles to delegate rights

Last question:
The remote server is dc?
If no, edit local security policy on server and grant user "allow logon thru remote desktop services" user right, also add there domain admins and administrators group
If this is dc, then do same policy settings under default domain controller policy
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jct_777Author Commented:
Hi,

I don't want to add them to the Accounts Operators built in group. Can we just give some delegation rights to those users.
Also the remote server is a a DC.

Regards,

JCT
0
jct_777Author Commented:
Hi ,

Attached image contains the error  when I am trying to login as a domain user  to the remote server i.e. Domain Controller.

Regards,

JCT
Remote-error.JPG
0
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

yo_beeDirector of Information TechnologyCommented:
You can install RSAT on the 5-10 user machines.  This will give them the ADUC.msc which will give the. access to the objects in AD.   You still need to delegate rights for this.   This could  be to the entire domain or specific OU's.  

Here are some links that can help.
Here are 2 link to RSAT (Windows 7 and Windows 10).
Windows 7
https://www.microsoft.com/en-us/download/details.aspx?id=7887

Windows 10
https://www.microsoft.com/en-us/download/details.aspx?id=45520

How to delicate access to AD.
http://www.grouppolicy.biz/2010/09/how-to-delegate-ad-permission-to-organisational-units-using-the-powershell-command-add-qadpermission/


For the Exchange part you can install the EMC tools like RSAT tools, but you will need to add these 5-10 users to the default Recipient Management Role Base group.  

If you setup these tools and rights these users should be able to administer AD and Exchange without having to remote directly on to any server.
0
jct_777Author Commented:
Hi ,

I will do the testing & will keep you updated.

Regards,
JCT
0
yo_beeDirector of Information TechnologyCommented:
The RSAT is a multiple step process.
Step 1: install the RSAT msu file.
Step 2: control panel | Program and Features | Features | select the proper tools you need.

[embed=file 1288042]

[embed=file 1288043]
2018-03-19_8-11-24.png
2018-03-19_8-12-25.png
0
jct_777Author Commented:
Got solved.
REgards,

JCT
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.