Re: Admins with limited rights



Hi Roger and Svyatoslav,

thank you for the answers.

Concerning the "all": if I go Svyatoslav's way, what would be the
limitations, i.e. what would they not be able to do?

Hardware (i.e. adding drivers) is not an issue since these are remote
machines and no changes should be made. They need access to the
filesystem, registry, and should be able to install programs and
hotfixes and manage SQL Server and IIS and also be able to reboot.

Thanks in advance.

Alexej Buchholz



On Jul 5, 7:29 pm, "Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote:
Hi Slav,

In theory I agree with you, and grin . . .
but the difficult part is the "all" in the poster's specification
<quote>
give them all rights except:
- having the ability to change the password of Administrator
- having the ability to change own rights

</quote>

Roger

"S. Pidgorny <MVP>" <slavi...@xxxxxxxxx> wrote in message
news:eLkrxzuvHHA.3364@xxxxxxxxxxxxxxxxxxxxxxx



Can do that with standard feature set on Windows. Make Administrator a
member of Administrators; give admin 2 and 3 rights as required but do NOT
make them a part of administrators.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

http://sl.mvps.org
http://msmvps.com/blogs/sp

<cool_r...@xxxxxxxxxxx> wrote in message
news:1183377891.200393.185340@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have the following situation:

1 administrator who has material responsibility
2 administrators who act as assistants

What I would like to do is:

Create 2 accounts: Admin2 and Admin3

give them all rights except:

- having the ability to change the password of Administrator
- having the ability to change own rights

Further Remote Administration through Terminal Services for Remote
Administration should be limited the following way:

Console: only Administrator (direct console or mstsc.exe /console)
Terminal Session (Remote Administration): Administrator, Admin2 or
Admin3

Is it possible to configure the above schema

a) with Active Directory
b) without Active Directory

The server where I want to create this security model is a standalone
Windows Server 2003 R2 SP2 Standard Edition with Remote Desktop for
Administration enabled.

Thanks in advance

Best regards

Alexej Buchholz
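
An added example, not part of the original thread: one way to review the "rights as required, but not in Administrators" setup discussed above is to export the user rights assignment with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and list what Admin2 and Admin3 hold directly, flagging rights that are close to administrator-equivalent. The sample export below is constructed, it assumes the accounts appear by name in the export, and rights granted through group membership are not resolved.

```python
# Rights whose holder can read or replace protected files, take ownership of
# objects or load kernel code, which is close to being in Administrators.
ADMIN_EQUIVALENT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeTakeOwnershipPrivilege",
    "SeRestorePrivilege", "SeBackupPrivilege", "SeLoadDriverPrivilege",
    "SeCreateTokenPrivilege",
}

# Constructed sample in the INF layout written by secedit /export.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,Admin2,Admin3
SeShutdownPrivilege = *S-1-5-32-544,Admin2,Admin3
SeRestorePrivilege = *S-1-5-32-544,Admin3
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = [h.strip() for h in holders.split(",") if h.strip()]
    return rights

def audit(inf_text, accounts):
    """List each account's directly granted rights and the risky subset."""
    rights = parse_privilege_rights(inf_text)
    report = {}
    for account in accounts:
        held = sorted(r for r, holders in rights.items()
                      if account.lower() in (h.lower() for h in holders))
        report[account] = {
            "rights": held,
            "admin_equivalent": [r for r in held if r in ADMIN_EQUIVALENT],
        }
    return report

if __name__ == "__main__":
    for account, result in audit(SAMPLE_INF, ["Admin2", "Admin3"]).items():
        print(account, result)
```

A real export is normally saved as Unicode (UTF-16) text, so decode the file accordingly before passing its contents to `audit`.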