Restricting built-in groups

G

Guest

Hello
I'd like to give pemission to a domain user at a remote site to be able to
log on locally at a server and shut it down (or restart) and be able to reset
passwords/unlock accounts etc for other users in just the OU that she is a
member of. Account Operators and Server Operators built-in groups seem to be
the way to go but they will also allow the user to do many other functions
that breach our security. How can I restrict the user to just the functions I
require ??

Thanks for your advice
 
J

Jorge de Almeida Pinto [MVP]

OK, step by step:
ANSWER: Assuming you are not talking about a domain controller, but instead
a member server.
If I'm correct each user already has ALLOW LOGON locally for each server.
For the user to be able to logon through terminal services make the user a
member of the local group "remote desktop users" on the server. For the user
to be able to shutdown and restart the server give the user the user right
called "shutdown the system".
ANSWER: for that see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx number 3
and 6. The permissions mentioned there are assigned on the OU and for that
you could use the delegation of control wizard

Instead of assigning the permission to the specific user, it is better to
use a global group in AD and make the user a member of that group. If in the
future someone else will do the same stuff you only need to change the
membership of the group

Are these the answers you need?
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
G

Guest

Thanks for your reply

"Remote desktop users" local group is a Windows 2003 feature ?? I'm using
Windows 2000. One of the servers the remote user will need to shutdown is a
domain controller. Will that make a difference ??

Cheers, Gary
 
J

Jorge de Almeida Pinto [MVP]

you never mentioned the OS of the server and I assumend w2k3

for that you need to install TS in admin mode and if my memory serves me
right you need to assign the user the user right to logon through TS and
assign the user the correct permission on the RDP protocol (available
through one of the TS tool in the administrative tools if I'm correct)
I would never allow a user logon to a DC and shut it down. Within an AD
environment DCs are the most important computers and only highly trusted and
skilled people should work with those! But that is my opinion!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
Rights -Account Operators 1
Account Operators 1
group rights 2
is it possible to change the name of the built in groups? 1
groups and OU's in ad 3
Unlock acct permissions 13
Can't view built-in groups in a remote domain 3

Top