Giving users/groups specific administrative privileges
Hey guys.


I'm managing a Windows 2012 server, and because of the way the organization I work for functions, adding/deleting/changing users is a relatively common occurrence. In addition to this, neither I nor the other technician is full-time, so the management has requested the ability to manage accounts themselves.


In theory, this seems relatively easy. We can just set them up with RDP access and let them have it. But this obviously has a few downsides. We were hoping there was a way to set fine-grained controls, such that the staff could ONLY manage our Active Directory system, and nothing else. I promise I tried googling this issue, but either documentation on such functionality is well hidden, or I'm using all the wrong keywords.


Additionally, I heard there was a Server Management App that let you connect remotely from a client PC, and manage all the options and such without having a full-blown screen-sharing session. Can anyone tell me about this/redirect me to where it is?


Thanks in advance for any help.


You can install Remote Server Administration Tools (http://www.microsoft.com/en-us/download/details.aspx?id=7887) on the client computer. When you go into Turn Features on and off you can choose which tools they can use, e.g. Active Directory, Group Policy, DNS...


Hopefully this is what you need.


Thanks, I will look into this. This is a client-based solution though, correct? If they had admin access, or if they installed this app on their own computer, couldn't they just add features at will?


This solution will work just fine, since our problem is more to do with preventing accidents, I think, rather than purposeful attempts to mess up our system, so I doubt anyone would go and add the features even if they could. However, if there is a server user-rights based solution that will effectively lock off certain functionality regardless of client setup, that would also be nice to know about.


But again, thanks for the help! The solution you showed me is definitely workable.


Edit: I just noticed this only works on computers with Professional or above, Home Premium isn't allowed. We are a small organization so this may or may not be an issue. I'm sure I can rustle up some laptops with the right edition of Windows, but are there any other ways about this, so that someone could even manage the server from their home computer if needed?


You cannot join a computer to a domain without Professional. You can't log on to a domain and get policies pushed to the computers without having Professional. While you will be able to get to shares, it is very counterproductive to have a domain in that case... you might as well just have sharing enabled on a computer to achieve what you are looking to do. The whole point of AD is central user and computer management. Why you would have Home Premium on an AD domain is beyond me... recommending this solution is, well, not recommended.


Here is some good reading for you:

http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx

http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

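The server-side answer the original poster asked about (rights that hold regardless of what the client has installed) is delegation on the OU's access control list, which is what the Spiceworks link above walks through in the GUI. The following PowerShell is an added example, not code from this thread or from either linked article; it grants one group only the "Reset Password" extended right and write access to the pwdLastSet attribute on user objects under a single OU, then reads the ACL back so the result can be checked. The OU path `OU=Staff,DC=example,DC=com`, the group name `HelpDesk`, and the domain `example.com` are constructed placeholders; the two schema GUIDs are the well-known Active Directory values for the Reset Password control-access right and the `user` object class, and the third is the schemaIDGUID of `pwdLastSet`. It must run as a user who already has permission to modify the OU's ACL, on a machine with the ActiveDirectory PowerShell module (part of RSAT).

```powershell
# Added example: delegate password-reset rights on one OU to one group.
# Nothing here makes the group a local or domain administrator; the rights
# apply only to user objects beneath the chosen OU.
Import-Module ActiveDirectory

# Well-known AD schema GUIDs (these are fixed values, not placeholders).
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of "pwdLastSet"

function Grant-PasswordResetDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,   # e.g. 'OU=Staff,DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)] [string] $GroupName              # e.g. 'HelpDesk' (placeholder)
    )

    $group = Get-ADGroup -Identity $GroupName
    $sid   = [System.Security.Principal.SecurityIdentifier] $group.SID
    $path  = "AD:\$OuDistinguishedName"

    $acl = Get-Acl -Path $path

    # ACE 1: the "Reset Password" extended right, inherited by user objects only.
    $resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)

    # ACE 2: read/write pwdLastSet so the delegate can tick "user must change
    # password at next logon" after a reset. Scoped to user objects as well.
    $pwdLastSetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $PwdLastSetAttr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)

    $acl.AddAccessRule($resetAce)
    $acl.AddAccessRule($pwdLastSetAce)
    Set-Acl -Path $path -AclObject $acl
}

function Get-OuDelegation {
    # Read back only the ACEs that apply to the given group, so an admin can
    # confirm nothing broader than intended was granted.
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Usage with the placeholder names (replace with your own OU and group):
Grant-PasswordResetDelegation -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -GroupName 'HelpDesk'
Get-OuDelegation              -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -GroupName 'HelpDesk' | Format-Table -AutoSize
```

Because the ACEs are inherited only by objects of class `user` beneath that one OU, a member of the group can reset passwords there and nothing else: no RDP to the server, no rights over computers, groups, or other OUs, and no dependence on which RSAT features are installed on the client. Adding further rights (create/delete user, write to specific attributes) follows the same pattern with a different `ActiveDirectoryRights` value and object GUID, and the read-back function makes it easy to review exactly what a group has been given.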
