http://ask.metafilter.com/42845/How-to-setup-W2K3-to-allow-users-to-manage-user-accounts-without-being-an-admin/ Comments on Ask MetaFilter post How to setup W2K3 to allow users to manage user accounts without being an admin? Mon, 24 Jul 2006 14:50:52 -0800 Mon, 24 Jul 2006 14:50:52 -0800 en-us http://blogs.law.harvard.edu/tech/rss 60 http://ask.metafilter.com/42845/How-to-setup-W2K3-to-allow-users-to-manage-user-accounts-without-being-an-admin I've got a web server that we've just put into our DMZ. I need to be able to grant the web developers the ability to manage user accounts, but I don't want them to be administrators (in other words: regular users who can manage other user accounts: change passwords, create new ones, delete old ones, etc). <br /><br /> Since the machine is in the DMZ, I can't use "Account Operators" since that's a domain group. It appears that members of the Power Users group can maintain accounts, but only the ones that particular user created. I seem to remember doing this in the NT days, but that was a long time ago. :)<br> <br> The reason is they never created a method of managing content for this box, so I've had to come up with some creative ways of giving them access. They use local box authentication to log in their customers (it's in the works to change all this, but the server had to go in now), and I don't want me or my group to have to maintain these accounts. They set it up wrong, let them do the work. But, since they're developers, I don't want them having admin rights, either.<br> <br> Anyone? It's close to the end of the day and my Google-Fu has reached its limit for the day... post:ask.metafilter.com,2008:site.42845 Mon, 24 Jul 2006 12:54:35 -0800 Spoonman users accounts management windows server http://ask.metafilter.com/42845/How-to-setup-W2K3-to-allow-users-to-manage-user-accounts-without-being-an-admin#658473 Hi,<br> <br> I'm no Windows expert anymore, as my last cert was obtained in 2001. <br> <br> If you don't want to use the &quot;Power Users&quot; group, you'll probably need to customize the security templates for your box, I think they are located in the Local Computer Policy MMC snap-in. <br> <br> Here's more complete information:<br> <br> <a href="http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html">http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html</a><br> <a href="http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx#ETF">http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx#ETF</a><br> <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&amp;displaylang=en</a><br> <br> To access the security snap-ins:<br> <br> Start/Run/mmc<br> File/Run/Add/Remove snap-in<br> <br> I hope it helps!<br> Daniel comment:ask.metafilter.com,2008:site.42845-658473 Mon, 24 Jul 2006 14:50:52 -0800 dcrocha http://ask.metafilter.com/42845/How-to-setup-W2K3-to-allow-users-to-manage-user-accounts-without-being-an-admin#659226 It's not that I don't want to, but that I can't. There's going to be more than one &quot;account operator&quot;. If I use Power Users, each one can only manage accounts it creates. So, if a person leaves the company, all the accounts they created become unmanageable except by admins.<br> <br> Since this doesn't appear to be a policy setting (at least not one that I can find), security templates aren't the answer either as they only provide you with a way of standardizing local policies. comment:ask.metafilter.com,2008:site.42845-659226 Tue, 25 Jul 2006 07:57:00 -0800 Spoonman