Re: Server Operator Role

From: Jeff (anonymous_at_discussions.microsoft.com)
Date: 10/06/04 

Date: Wed, 6 Oct 2004 06:03:23 -0700

Ok.. Once again. This is an odd situation. We basically
have a number of users with Domain Admin permissions. We
would like a set of users with access to the servers but
not active directory. The server operator role allows
local log on, shares, printers, permissions, etc.
However, it does not allow access to modify users, user
settings or Group Policy. The problem with Server
Operators is that this is limited to only DCs. We
basically want the users to have the equivelent of the
Server Op role but across the whole domain including the
DCs. We cant give them admin since that allows
modification of the user properties. We have three
policies setup. One on the Domain which is VERY basic.
The second is on the Domain Controllers which allows
various access levels. The last is on the Terminal
Servers. This one is EXTREMELY restictive. Because of
this, the group cannot run the TS Policy. Hope this helps
clear up the situation.

>-----Original Message-----
>I completely misread that one!! I thought we were
talking about DCs <blush>
>
>--
>
>Paul Williams
>
>http://www.msresource.net
>http://forums.msresource.net
>______________________________________
>"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in
message
>news:eN5bo1yqEHA.3428@TK2MSFTNGP11.phx.gbl...
>Making someone a servop over a member server is rather
involved. If you can
>live
>with them being administrators on the member server that
will be
>considerably
>easier and let's face it, having srv ops gives someone
enough power to be
>dangerous on a server anyway so making them admin isn't
much of a step.
>
>Anyway you will want to make them admin on the citrix
servers, not on the
>domain
>controllers. So set the citrix boxes in a special OU and
create a policy for
>that OU that has administrators defined as a restricted
group and add your
>users
>to that policy or some domain local or domain global
group and then add your
>users to that group.
>
> joe
>
>--
>Joe Richards Microsoft MVP Windows Server Directory
Services
>www.joeware.net
>
>
>
>Jeff wrote:
>> I know that the server operator is for domain
controllers
>> only. However, we need to create an account that is
>> essentially the server operator role for all servers
>> including our Citrix farm. I created a test user and
>> added him to a new group. I then blocked that group
from
>> running group policies and added the group to Log On
>> Locally on the machine. He still cannot log in. What
am
>> I missing?
>>
>
>
>.
>

Relevant Pages

  • Re: Administrator Profile corruption
    ... To clear up a few things: On the Friday I rebooted the server and things got ... Administrator logon to see which group policy objects are applied?’ ... concluded that the admin account was completely toasted. ... We ran the user profile Cleanup Hive Service. ...
    (microsoft.public.windows.server.sbs)
  • Domain Controller Security Policy errors
    ... Security Policy or the Domain Controller Security Policy. ... The DC is also a print and file server. ... DNS servers. ... Local setting: Admin, SERVICE ...
    (microsoft.public.win2000.group_policy)
  • Domain Controller Security Policy errors
    ... Security Policy or the Domain Controller Security Policy. ... The DC is also a print and file server. ... DNS servers. ... Local setting: Admin, SERVICE ...
    (microsoft.public.win2000.group_policy)
  • Re: Secure host newbie - fun - humm
    ... decision, as the admin, whether or not to take down the server. ... Listen, as a security specialist, I *know* that every single box that I, ... some level of risk and that there is no "100% I'm secure" level. ...
    (Security-Basics)
  • Re: Server Operator Role
    ... >domain admin and then keep in mind that a domain admin ... >Joe Richards Microsoft MVP Windows Server Directory ... >> have a number of users with Domain Admin permissions. ... the group cannot run the TS Policy. ...
    (microsoft.public.win2000.active_directory)