3rd Party Tools for Windows Server 2019?

Last Modified: 2019-11-26
We have a new domain setup in a medium-sized company with about 35 employees and 60 computers.
Work assignments are such that there will be 3 people with roles requiring adding new users and setting passwords - at least.

I'm concerned that some of these people may not be well-suited to doing these tasks with a "bare" Windows Server interface.
I see that there are 3rd party tools offered that are supposed to make things easier.

Which ones do you favor?  Why?

Nathan Hawkins, Technical Lead - Network Security

Commented:
You are being very specific as to what it is that needs managing, so with that said I think SolarWinds provides many Windows AD tools that are more GUI-based than the control panel applets in the actual Windows Server GUIs.

Here's a link with many other tools/tool sets for AD:
https://www.ittsystems.com/best-free-active-directory-tools/
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What is the relationship of the users and user creation to the users with the rights?

The simple thing is for these three regular users to be added to a security group that is then used to delegate user creation, password maintenance on the OU/containers where existing, created users will be ...

RSAT installed on their computer will be all that is needed, or alternatively have them access a terminal server with ...
Fred Marshall, Principal
CERTIFIED EXPERT

Author

Commented:
arnold: The users you ask about, as I understand your question, with the rights, are IT admins.  The entire population of users may include them.

I'm sorry that I'm asking a newbie question.  I understand that RSAT installed on their computer would be all that's needed.  But it raises a related question:
https://www.experts-exchange.com/questions/29156187/Assigning-Rights-in-a-small-domain.html

I'm trying to sensibly apply the principle of least privilege AND my ability to properly select RSAT components is, for now, quite limited.

Nathan Hawkins:  But you have no recommendations or particular good experiences?  My own experience so far has been rather awful.  I wasn't pleased with some SolarWinds tools that I tried out - way too many installs.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
You install all RSAT components.
The user rights will guide whether the user logged into a workstation can use it.
Consider it as follows: each of these users is given a toolbox with all tools that are under individual lock and key.
Each user is given a key to their toolbox. The key opens only those tools to which you grant access.

I'll take a look at the referenced link.
I.e., making the user a member of a preset existing limited group (server operator, print operator, backup operator, schema admin, etc.) versus making each user a member of domain admins, enterprise admins.

Using GPO you can also assign specific rights to a user, or a group....

dsacls, if not mistaken, is one way to check delegation of an AD object.
..
Fred Marshall, Principal
CERTIFIED EXPERT

Author

Commented:
arnold:  My problem is that I'm not familiar enough with normally-used permissions / groups to be able to quickly select what's needed.  So, yes, I may be able to make the assignment but the assignment of what specifically is common, useful, etc.  I'd rather not just guess and would value experience of others.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Read your other comment.
You have three sites.
Are there VPN connections among them?

If you structure the domain
Site1
  servers ou
  computers ou
  users ou
Site2
  servers ou
  computers ou
  users ou
Site3
  servers ou
  computers ou
  users ou

You can define a group within each location that will administer the local site resources.

In the prior question, many covered that the issue starts and effectively ends with the design of the AD forest/domain structure.

Unfortunately, your situation is far more advanced than an initial foray into an AD single location.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

Or is this separate and distinct from the prior question?

Will you have any local servers at each site, at least a DC and a file server?
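
Added example, not part of the thread: one way to implement the per-site delegation discussed above (a security group allowed to create users and reset passwords on a site's users OU only), then check it with dsacls. The OU layout `OU=Users,OU=Site1`, the group name `Site1-UserAdmins` and the choice of rights are assumptions for illustration; it needs RSAT (the ActiveDirectory module and dsacls.exe) and an account allowed to modify the OU's ACL.

```powershell
# Added example with hypothetical names; adjust to your own domain before use.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$site      = 'Site1'                                            # hypothetical site OU
$siteOu    = "OU=$site,$($domain.DistinguishedName)"            # assumed layout
$usersOu   = "OU=Users,$siteOu"                                 # assumed layout
$groupName = "$site-UserAdmins"                                 # hypothetical group
$trustee   = "$($domain.NetBIOSName)\$groupName"

# 1. The security group that carries the delegation (members are ordinary accounts).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $siteOu
}

# 2. Grant only what the role needs, scoped to the site's users OU.
#    /I:T = this object and sub-objects, /I:S = sub-objects only.
$grants = @(
    @{ Inherit = '/I:T'; Ace = 'CC;user' },                  # create user objects
    @{ Inherit = '/I:S'; Ace = 'CA;Reset Password;user' },   # reset passwords
    @{ Inherit = '/I:S'; Ace = 'WP;pwdLastSet;user' },       # force change at next logon
    @{ Inherit = '/I:S'; Ace = 'WP;lockoutTime;user' }       # unlock accounts
)
foreach ($g in $grants) {
    & dsacls.exe $usersOu $g.Inherit /G "${trustee}:$($g.Ace)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$($g.Ace)' on $usersOu" }
}

# 3. Verify: list the ACEs on the OU that name the delegated group.
#    Anything beyond the four grants above means the group holds more than intended.
& dsacls.exe $usersOu | Select-String -SimpleMatch $groupName
```

Running step 3 on its own against each site's OU is a quick audit of who has been delegated what; none of the delegated staff need membership in Domain Admins or Account Operators for these tasks.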
Fred Marshall, Principal
CERTIFIED EXPERT

Author

Commented:
arnold:  All that's handled.  All I'm trying to do is equip the rest of the IT staff with appropriate permissions and tools.

Permissions:  What might be appropriate?

Tools: what might make their lives simpler?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Consider setting up Windows admin server. https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center

This may help using a new management interface.
Fred Marshall, Principal
CERTIFIED EXPERT

Author

Commented:
Thanks!