How to set up W2K3 to allow users to manage user accounts without being an admin?
July 24, 2006 12:54 PM
I've got a web server that we've just put into our DMZ. I need to be able to grant the web developers the ability to manage user accounts, but I don't want them to be administrators (in other words: regular users who can manage other user accounts: change passwords, create new ones, delete old ones, etc).
Since the machine is in the DMZ, I can't use "Account Operators" since that's a domain group. It appears that members of the Power Users group can maintain accounts, but only the ones that particular user created. I seem to remember doing this in the NT days, but that was a long time ago. :)
The reason is they never created a method of managing content for this box, so I've had to come up with some creative ways of giving them access. They use local box authentication to log in their customers (it's in the works to change all this, but the server had to go in now), and I don't want me or my group to have to maintain these accounts. They set it up wrong, let them do the work. But, since they're developers, I don't want them having admin rights, either.
Anyone? It's close to the end of the day and my Google-Fu has reached its limit for the day...
Response by poster: It's not that I don't want to, but that I can't. There's going to be more than one "account operator". If I use Power Users, each one can only manage accounts it creates. So, if a person leaves the company, all the accounts they created become unmanageable except by admins.
Since this doesn't appear to be a policy setting (at least not one that I can find), security templates aren't the answer either as they only provide you with a way of standardizing local policies.
posted by Spoonman at 7:57 AM on July 25, 2006
I'm no Windows expert anymore, as my last cert was obtained in 2001.
If you don't want to use the "Power Users" group, you'll probably need to customize the security templates for your box, I think they are located in the Local Computer Policy MMC snap-in.
Here's more complete information:
http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx#ETF
http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en
To access the security snap-ins:
Start/Run/mmc
File/Run/Add/Remove snap-in
I hope it helps!
Daniel
posted by dcrocha at 2:50 PM on July 24, 2006
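As an added illustration of the security-template route dcrocha points to (this is not code from the thread, and PowerShell on the W2K3 box is an assumption), the script below writes a Restricted Groups template that pins the local Administrators membership and keeps the developers in Power Users, then runs secedit /analyze to report any drift. The local account name Administrator and the developer accounts webdev1 and webdev2 are assumed placeholders.

```powershell
# Added example: build a Restricted Groups security template for the DMZ
# web server and compare the box against it with secedit.
# Assumed names: local 'Administrator', developer accounts 'webdev1', 'webdev2'.
$Template = Join-Path $env:TEMP 'webdmz-groups.inf'
$Db       = Join-Path $env:TEMP 'webdmz-groups.sdb'
$Log      = Join-Path $env:TEMP 'webdmz-groups.log'

# S-1-5-32-544 = BUILTIN\Administrators, S-1-5-32-547 = BUILTIN\Power Users.
# A 'Members' line is enforced when the template is applied: any account not
# listed is removed from the group, which is what keeps developers out of
# Administrators. Single-quoted here-string so "$CHICAGO$" is not expanded.
$Inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = webdev1,webdev2
'@
# Security templates are Unicode text files.
Set-Content -Path $Template -Value $Inf -Encoding Unicode

# Start from a fresh analysis database so old results do not mask drift.
Remove-Item -Path $Db -ErrorAction SilentlyContinue

# Analyze only: compares current local group membership to the template and
# writes the differences to the log without changing anything on the server.
secedit /analyze /db $Db /cfg $Template /log $Log
Get-Content -Path $Log

# To enforce just the group-membership area of the template, run:
# secedit /configure /db $Db /cfg $Template /areas GROUP_MGMT /log $Log
```

Restricted Groups only controls who sits in a group; it does not give Power Users any extra right over accounts they did not create, which is the gap the poster describes.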