Re: Win2k3 Server - Add user with local logon and low permissions ?
From: Stuart Mackie [MCP, MSP] (me_at_stu.uk.com*.REMOVE_THIS.*)
Date: 02/02/04
Date: Mon, 2 Feb 2004 17:25:40 -0000
Hehe that's what I thought. We're not actually giving a user the ability to
do this. We want to have the Win2k3 Server logged in to do various pieces
of work on the server and we're trying to avoid leaving the Domain
Administrator account logged in. So we thought it would have been safer to
use a basic user account, or in this case an account which wasn't the main
Administrator account. Describing it as though we were giving it to a user
seemed the best way to describe the problem.
I just had a look and found the local Administrators group. This will
probably be the best solution since it does provide better security than the
Domain Administrator user or usergroup. Not quite as secure as we would
like but what we're trying to do isn't exactly the norm :)
Thanks for your help,
Stuart.
"Derek Melber [MVP]" <derekm@braincore.net> wrote in message
news:%23SqWWza6DHA.3704@tk2msftngp13.phx.gbl...
> If it were a typical server, then you could add "bob" to the appropriate
> "local group" (IE. Power Users) to give him admin privilege. However, this
> is a DC. So, there is no single local group for this one DC, plus there is
> no Power Users on a DC. However, if you want "bob" to be able to install
> software on the DC only, and you don't mind him also having other
> privileges, you can add "bob" to the Administrators group on the DC (look in
> Builtin container in AD).
>
> The installation of software is usually a tough one to control on a DC, or
> any server for that matter.
>
> --
> Derek Melber
> "Stuart Mackie [MCP, MSP]" <me@stu.uk.com*.REMOVE_THIS.*> wrote in message
> news:eAvD0tP6DHA.2412@TK2MSFTNGP09.phx.gbl...
> > Thanks for the quick reply. I just want to give this one user the ability
> > to log on locally to our Win2k3 Server which happens to be a Domain
> > Controller. So if I understand correctly, if 'bob' is a 'Domain User' and
> > given local logon for this one particular domain controller then his
> > privileges for this particular machine will only be of basic user level?
> >
> > If we then wanted to increase this user's permission to the Win2k3 Server,
> > for example to allow software to be installed locally (but not domain wide),
> > can we increase 'bob's local logon permission for the Win2k3 Server to
> > 'Power User' without increasing his Domain Wide user ? (Hopefully this makes
> > sense hehe)
> >
> > Thanks again,
> > Stuart.
> >
> >
> >
> > "Derek Melber [MVP]" <derekm@braincore.net> wrote in message
> > news:uAT1ApP6DHA.2908@tk2msftngp13.phx.gbl...
> > > Stuart,
> > >
> > > Giving a user the "Logon Locally" User right does not give them any "admin"
> > > privileges. So, you can certainly give the user this.
> > >
> > > You do mention you gave this right to the DCs, but do you want to just give
> > > to a specific set of "servers", not the "DCs"? If so, just create an OU for
> > > the servers, add in the server accounts to the OU, then apply a new GPO with
> > > the correct "user rights" for the servers. This will include giving "bob"
> > > the Logon Locally right.
> > >
> > > If I am missing what you are meaning, please let me know where I am off
> > > base.
> > >
> > > --
> > > Derek Melber
> > >
> > > "Stuart Mackie [MCP, MSP]" <me@stu.uk.com*.REMOVE_THIS.*> wrote in message
> > > news:%23iWwJzL6DHA.2044@TK2MSFTNGP10.phx.gbl...
> > > > Hi. I understand that giving a user local logon to a server is not
> > > > advisable, but it's something that we have to do for a short period of
> > > > time.
> > > >
> > > > If we create a domain user with user name 'bob' and add him to the DC group
> > > > policy for local logon, is it possible for us to give bob local permissions
> > > > on the server of 'standard user' or 'restricted user' as you can do with an
> > > > XP workstation in a domain ? Ideally we want to give 'bob' normal domain
> > > > user rights for mail etc, but only give him standard or restricted user
> > > > rights locally on the server. Normally on a workstation you would do this
> > > > through User Accounts in the control panel but Win2k3 Server doesn't have
> > > > this.
> > > >
> > > > Thanks for any help,
> > > > Stuart.
> > > >
> > > >
> > >
> > >
> >
> >
>
>
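
An added example, not part of the original thread or written by its participants: a small audit of who holds the "Log on locally" right (`SeInteractiveLogonRight`) after a GPO change like the one discussed above, read from a policy export in the INF layout produced by `secedit /export /cfg`. The sample INF text, the function names and the baseline set of builtin groups are assumptions made for the illustration.

```python
# Added example: audit the "Log on locally" user right in a security-policy export.
# Assumed baseline: well-known builtin group SIDs allowed to log on locally to a DC.
EXPECTED = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample in the INF layout written by `secedit /export /cfg policy.inf`.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,bob
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved accounts appear by name.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_local_logon(inf_text, expected=EXPECTED):
    """Split holders of SeInteractiveLogonRight into baseline groups and extras to review."""
    holders = parse_privilege_rights(inf_text).get("SeInteractiveLogonRight", [])
    baseline = [expected[h] for h in holders if h in expected]
    extra = [h for h in holders if h not in expected]
    return baseline, extra

if __name__ == "__main__":
    baseline, extra = audit_local_logon(SAMPLE_INF)
    print("baseline groups:", baseline)
    print("review these principals:", extra)
```

A real export is normally UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `audit_local_logon`.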