Anup

Reputation: 11

Can we access all Servers within our Domain with specific rights whilst not being part of domain admin?

I am a rookie and I am sure that I am missing something very basic, but I don't know where to look or how to start. I need some help and guidance on how to set up user access with restricted permissions.

My end goal is to have an AD account that can log on to all servers within a particular domain, with rights to check Event Viewer logs and start and stop services running on the server. I don't want to add this account to the Domain Admins or Administrators group.

After reading a bit, I have tried creating a separate group, delegating some rights for the group on an OU (where all our servers are), and adding the user account to this group. The user still cannot log in to any servers within that OU.

I also want to automate this task using PowerShell :)

Regards,

Upvotes: 1

Views: 195

Answers (1)

HAL9256

Reputation: 13473

Allowing non-admin users the rights to log in to a machine remotely is easy: simply add the AD group to the local Remote Desktop Users group. This is likely the crux of your current issues.

Similarly, you don't have to be a Domain Admin in order to be in the local Administrators group. You can use Group Policy to configure and add another AD group to the local Administrators group, thereby limiting the number of Domain Admins and restricting the capabilities of the users in the group. Note: adding people to the local Administrators group automatically grants them remote logon, which would negate the need to also add them to the Remote Desktop Users group.

In order to read event logs, simply add the group to the Event Log Readers group.

Allowing non-administrators to start/stop services is much harder, because you have to manually set ACL permissions to start/stop services on each service individually. See: Set permissions to start stop services

The easiest method is to use the SubInACL tool:

Setting Service Permissions Using SubInACL Tool

  1. Download subinacl.msi and install it on the target system
  2. In an elevated command prompt, go to the directory containing the tool:

    cd "C:\Program Files (x86)\Windows Resource Kits\Tools\"

  3. Run the command:

    subinacl.exe /service MyServiceName /grant=contoso\JSmith=PTO

Upvotes: 2
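
One way to automate the steps from the answer above with PowerShell, as an added example that is not part of the original answer. It assumes the AD group is CONTOSO\ServerOps, the servers are the enabled computer objects in OU=Servers,DC=contoso,DC=com, the services to delegate are Spooler and W3SVC, subinacl.exe is installed on each server at the path shown in the answer, and PowerShell Remoting (WinRM) and PowerShell 5.1 are available on the targets. The local Administrators group is left to Group Policy, as the answer suggests, so the group gets only logon, event-log read and per-service rights.

```powershell
# Added example; the group, OU and service names below are assumptions.
param(
    [string]$Group      = 'CONTOSO\ServerOps',            # assumed AD group
    [string]$ServersOU  = 'OU=Servers,DC=contoso,DC=com',  # assumed OU
    [string[]]$Services = @('Spooler', 'W3SVC')            # assumed services
)

Import-Module ActiveDirectory
$servers = (Get-ADComputer -SearchBase $ServersOU -Filter 'Enabled -eq $true').DNSHostName

$result = Invoke-Command -ComputerName $servers -ArgumentList $Group, $Services -ScriptBlock {
    param($Group, $Services)
    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Remote logon and event-log reading come from membership in two built-in
    # local groups on each server, not from delegation on the OU in AD.
    foreach ($local in 'Remote Desktop Users', 'Event Log Readers') {
        $already = Get-LocalGroupMember -Group $local -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -eq $Group }
        if (-not $already) { Add-LocalGroupMember -Group $local -Member $Group }
        $report[$local] = 'member'
    }

    # Start/stop rights are per-service ACLs; run the SubInACL command from
    # the answer for each service (PTO = pause/continue, start, stop only).
    $subinacl = 'C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe'
    foreach ($svc in $Services) {
        if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
            $report[$svc] = 'service not found'
            continue
        }
        $out = & $subinacl /service $svc "/grant=$Group=PTO" 2>&1
        $report[$svc] = if ($LASTEXITCODE -eq 0) { 'granted PTO' } else { "failed: $out" }
    }
    [pscustomobject]$report
}

# One row per server showing what was applied, so failures are visible.
$result | Format-Table -AutoSize
```

Re-running the script is safe: group membership is checked before it is added, and SubInACL re-applies the same ACE rather than duplicating it.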
