 You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
I need to set up a local group on a Windows 2003 server which allows users in the group to login to the server remotely and complete user administration (add/remove local users). I don't want to add these users to the administration group with full permissions. Only login via terminal services and complete user management.
Any way of doing this. I've created the users and added them to the remote desktop group. I've created my new group for their user admin use. I just need to add the group the relevant permissions.
I'm used to doing this kind of thing in Linux, not Windows. The Googliser is useless and just goes on about adding users as admins or creating groups.
EDIT - The server is not on a domain. Everything is local
Any help would be great
It's been soo long since I setup all that... But this rings bells..
[url= http://social.technet.microsoft.com/Forums/en/windowsserver2008r2rds/thread/f366f2fe-da47-45c9-91fe-517bea8376e7 ][/url]
Cheers Milkie,
The link talks about ensuring the users can login remotely (which they can). I can't see anything about assigning the rights to a group to allow user administration.
The users have remote access without administration rights.
No specific groups exist to do this. You are either an administrator of the server or you are not.
Could try creating an MMC for the users: http://support.microsoft.com/kb/230263
torsoinalake I knew i liked you for a good reason 🙂
The MMC snap-in looks like it will do the job.
Adding them to the Remote Desktop Users local group will allow them to log on, non-administratively. They'll have access to run the Local Users and Groups MMC (or a custom version thereof) but won't be able to use it to create users as they don't have local admin access.
The easy way to do it is to make them local Administrators, as you say. Off the top of my head I can't think of a way granting access to manage users on a standalone server without being local admin. I suppose you could assign local admin rights to their user group and then explicitly deny what you don't want them to do, but that sounds horribly messy and not something I'd want to undertake.
It's a shame it's not on a domain as it's a piece of piss then, you can just delegate control of an OU. They wouldn't even need to RDP to it.
Thanks Cougar, just found out the bit about not being able to add the users using the MMC file during testing.
I think I'm going to have to add their own group as part of administrators and at least there will be a level of accountability if they mess up due to having individual logins.