Admins with limited rights


Posted by cool_runn on July 2, 2007, 8:04 am
Hi,

I have the following situation:

1 administrator who has material responsibility
2 administrators who act as assistants

What I would like to do is:

Create 2 accounts: Admin2 and Admin3

give them all rights except:

- having the ability to change the password of Administrator
- having the ability to change own rights


Further Remote Administration through Terminal Services for Remote
Administration should be limited the following way:

Console: only Administrator (direct console or mstsc.exe /console)
Terminal Session (Remote Administration): Administrator, Admin2 or
Admin3

Is it possible to configure the above schema

a) with Active Directory
b) without Active Directory

The server where I want to create this security model is a standalone
Windows Server 2003 R2 SP2 Standard Edition with Remote Desktop for
Administration enabled.

Thanks in advance

Best regards

Alexej Buchholz


Posted by Roger Abell [MVP] on July 3, 2007, 1:00 am
Members of Administrators are equal (although the built-in
has some diffs), and any attempt to change that can be reversed
by those one attempts to limit.

Assuming those with the "limited" admin accounts can be
trusted to not attempt to change their limitations, then the
question becomes, can one do the specific limitations you
have outlined. For each of those mentioned limitations
I can think of no way to effect them, with or without AD.
One could use ACLs on user objects in AD to do the first
set but you would end up limiting more than just the specific
"do not change" items you mentioned.

Roger

> Hi,
>
> I have the following situation:
>
> 1 administrator who has material responsibility
> 2 administrators who act as assistants
>
> What I would like to do is:
>
> Create 2 accounts: Admin2 and Admin3
>
> give them all rights except:
>
> - having the ability to change the password of Administrator
> - having the ability to change own rights
>
>
> Further Remote Administration through Terminal Services for Remote
> Administration should be limited the following way:
>
> Console: only Administrator (direct console or mstsc.exe /console)
> Terminal Session (Remote Administration): Administrator, Admin2 or
> Admin3
>
> Is it possible to configure the above schema
>
> a) with Active Directory
> b) without Active Directory
>
> The server where I want to create this security model is a standalone
> Windows Server 2003 R2 SP2 Standard Edition with Remote Desktop for
> Administration enabled.
>
> Thanks in advance
>
> Best regards
>
> Alexej Buchholz
>



Posted by S. Pidgorny on July 5, 2007, 6:11 am
Can do that with standard feature set on Windows. Make Administrator a
member of Administrators; give admin 2 and 3 rights as required but do NOT
make them a part of administrators.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Hi,
>
> I have the following situation:
>
> 1 administrator who has material responsibility
> 2 administrators who act as assistants
>
> What I would like to do is:
>
> Create 2 accounts: Admin2 and Admin3
>
> give them all rights except:
>
> - having the ability to change the password of Administrator
> - having the ability to change own rights
>
>
> Further Remote Administration through Terminal Services for Remote
> Administration should be limited the following way:
>
> Console: only Administrator (direct console or mstsc.exe /console)
> Terminal Session (Remote Administration): Administrator, Admin2 or
> Admin3
>
> Is it possible to configure the above schema
>
> a) with Active Directory
> b) without Active Directory
>
> The server where I want to create this security model is a standalone
> Windows Server 2003 R2 SP2 Standard Edition with Remote Desktop for
> Administration enabled.
>
> Thanks in advance
>
> Best regards
>
> Alexej Buchholz
>
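Svyatoslav's approach written out for the poster's standalone Windows Server 2003 host, as an added example (not code from the thread or from either MVP): Admin2 and Admin3 are created as ordinary accounts, kept out of Administrators, put into Remote Desktop Users, and given the Terminal Services logon and shutdown rights through a secedit template; they are also placed on "Deny log on locally" so they cannot log on at the physical console. The script assumes Windows PowerShell 1.0 is installed on the 2003 box (it was a separate download) and runs as Administrator; net.exe and secedit.exe ship with the OS, the privilege names are the standard Windows user-right constants, and the scratch directory under %TEMP% and the account names are assumptions taken from the thread.

```powershell
# Added example, not code from the thread. Implements the "rights as required,
# not Administrators" model for Admin2/Admin3 on a standalone Windows Server
# 2003 host. Assumes Windows PowerShell 1.0 (a separate download for 2003) and
# that this runs as Administrator; net.exe and secedit.exe ship with the OS.

$assistants = @("Admin2", "Admin3")            # names from the thread
$work = Join-Path $env:TEMP "delegation"       # scratch dir: an assumption
if (-not (Test-Path $work)) { New-Item -ItemType Directory -Path $work | Out-Null }
$inf = Join-Path $work "rights.inf"
$sdb = Join-Path $work "rights.sdb"

# Rights to grant (Terminal Services logon, local and remote reboot) and the
# one to deny (interactive logon at the physical console).
$grant = @("SeRemoteInteractiveLogonRight", "SeShutdownPrivilege", "SeRemoteShutdownPrivilege")
$deny  = @("SeDenyInteractiveLogonRight")

function Invoke-Net([string[]]$netArgs) {
    # Run net.exe silently; success is its exit code.
    & net.exe $netArgs 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-AccountSid([string]$name) {
    # secedit templates list principals as *SID, so resolve the name once.
    $acct = New-Object System.Security.Principal.NTAccount($name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-RightEntry([string[]]$lines, [string]$right, [string[]]$sids) {
    # Return the template with each *SID appended to $right under
    # [Privilege Rights], adding the line if the right had no assignments.
    $entries = @(); foreach ($s in $sids) { $entries += "*" + $s }
    $out = @(); $done = $false
    foreach ($line in $lines) {
        if ($line -match ("^" + $right + "\s*=")) {
            $current = $line.Split("=", 2)[1].Trim()
            $names = @(); if ($current -ne "") { $names = $current.Split(",") }
            foreach ($e in $entries) { if ($names -notcontains $e) { $names += $e } }
            $line = $right + " = " + [string]::Join(",", $names); $done = $true
        }
        $out += $line
    }
    if (-not $done) {
        $with = @()
        foreach ($line in $out) {
            $with += $line
            if ($line -match "^\[Privilege Rights\]") { $with += $right + " = " + [string]::Join(",", $entries) }
        }
        $out = $with
    }
    return $out
}

function Test-Delegation([string[]]$names, [string[]]$sids) {
    # Re-export the live policy and check every assistant against the model.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $live = Get-Content $inf
    $admins = & net.exe localgroup Administrators
    $ok = $true
    for ($i = 0; $i -lt $names.Length; $i++) {
        if ($admins -contains $names[$i]) { Write-Host ("FAIL: " + $names[$i] + " is in Administrators"); $ok = $false }
        foreach ($r in ($grant + $deny)) {
            $entry = [string]($live | Where-Object { $_ -match ("^" + $r + "\s*=") })
            if (-not $entry.Contains("*" + $sids[$i])) { Write-Host ("FAIL: " + $names[$i] + " lacks " + $r); $ok = $false }
        }
    }
    return $ok
}

# 1. Accounts: create if missing, keep out of Administrators, allow RDP.
$sids = @()
foreach ($name in $assistants) {
    if (-not (Invoke-Net "user", $name)) {
        Write-Host "Creating $name; net.exe prompts for the password"
        & net.exe user $name "*" /add
    }
    Invoke-Net "localgroup", "Administrators", $name, "/delete" | Out-Null
    Invoke-Net "localgroup", "Remote Desktop Users", $name, "/add" | Out-Null
    $sids += Get-AccountSid $name
}

# 2. User rights: export, edit the template, apply only the USER_RIGHTS area.
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$template = Get-Content $inf
foreach ($r in ($grant + $deny)) { $template = Set-RightEntry $template $r $sids }
Set-Content -Path $inf -Value $template -Encoding Unicode
& secedit.exe /configure /db $sdb /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# 3. Verify.
if (Test-Delegation $assistants $sids) { Write-Host "Admin2/Admin3: non-Administrators with TS logon and reboot rights" }
```

Two caveats a practitioner should keep in mind. "Deny log on locally" only blocks logon at the physical keyboard; on 2003 an mstsc.exe /console connection still arrives through Terminal Services and is governed by "Allow log on through Terminal Services", so the console cannot be reserved for Administrator with user rights alone. And the poster's "all rights except" list stays unmet this way: file-system and registry access can be delegated with ACLs and SQL Server with its own server roles, but installing hotfixes and most program installers, and most IIS administration on 2003, expect Administrators membership, which is exactly the difficulty Roger points to.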



Posted by Roger Abell [MVP] on July 5, 2007, 1:29 pm
Hi Slav,

In theory I agree with you, and grin . . .
but the difficult part is the "all" in the poster's specification
<quote>
>> give them all rights except:
>> - having the ability to change the password of Administrator
>> - having the ability to change own rights
</quote>

Roger

> Can do that with standard feature set on Windows. Make Administrator a
> member of Administrators; give admin 2 and 3 rights as required but do NOT
> make them a part of administrators.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
>> Hi,
>>
>> I have the following situation:
>>
>> 1 administrator who has material responsibility
>> 2 administrators who act as assistants
>>
>> What I would like to do is:
>>
>> Create 2 accounts: Admin2 and Admin3
>>
>> give them all rights except:
>>
>> - having the ability to change the password of Administrator
>> - having the ability to change own rights
>>
>>
>> Further Remote Administration through Terminal Services for Remote
>> Administration should be limited the following way:
>>
>> Console: only Administrator (direct console or mstsc.exe /console)
>> Terminal Session (Remote Administration): Administrator, Admin2 or
>> Admin3
>>
>> Is it possible to configure the above schema
>>
>> a) with Active Directory
>> b) without Active Directory
>>
>> The server where I want to create this security model is a standalone
>> Windows Server 2003 R2 SP2 Standard Edition with Remote Desktop for
>> Administration enabled.
>>
>> Thanks in advance
>>
>> Best regards
>>
>> Alexej Buchholz
>>
>
>



Posted by on July 6, 2007, 3:54 am
Hi Roger and Svyatoslav,

thank you for the answers.

Concerning the "all": if I go Svyatoslav's way what would be the
limitations i.e. what would they not be able to do ?

Hardware (i.e. adding drivers) is not an issue since these are remote
machines and no changes should be made. They need access to the
filesystem, registry, and should be able to install programs and
hotfixes and manage SQL Server and IIS and also be able to reboot.

Thanks in advance.

Alexej Buchholz



> Hi Slav,
>
> In theory I agree with you, and grin . . .
> but the difficult part is the "all" in the poster's specification
> <quote>
> >> give them all rights except:
> >> - having the ability to change the password of Administrator
> >> - having the ability to change own rights
> </quote>
>
> Roger
>
>
>
>
> > Can do that with standard feature set on Windows. Make Administrator a
> > member of Administrators; give admin 2 and 3 rights as required but do NOT
> > make them a part of administrators.
>
> > --
> > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > -= F1 is the key =-
>
> > * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> >> Hi,
>
> >> I have the following situation:
>
> >> 1 administrator who has material responsibility
> >> 2 administrators who act as assistants
>
> >> What I would like to do is:
>
> >> Create 2 accounts: Admin2 and Admin3
>
> >> give them all rights except:
>
> >> - having the ability to change the password of Administrator
> >> - having the ability to change own rights
>
> >> Further Remote Administration through Terminal Services for Remote
> >> Administration should be limited the following way:
>
> >> Console: only Administrator (direct console or mstsc.exe /console)
> >> Terminal Session (Remote Administration): Administrator, Admin2 or
> >> Admin3
>
> >> Is it possible to configure the above schema
>
> >> a) with Active Directory
> >> b) without Active Directory
>
> >> The server where I want to create this security model is a standalone
> >> Windows Server 2003 R2 SP2 Standard Edition with Remote Desktop for
> >> Administration enabled.
>
> >> Thanks in advance
>
> >> Best regards
>
> >> Alexej Buchholz


