Wednesday, February 20, 2013 11:33 PM
I have an Windows Server 2012 for testing purposes. I need to configure some kind of user group which has "almost" administrator rights but some. Users of this group should be able to manage the server (installing software, set up services etc.) but I would like to deny some rights (for example - takeover ownership of files).
My goal is to provide server for testing purposes but I want the users give some kind of privacy.
Can you tell me how to accomplish that? Is it necessary to use domain controller?
- Edited by vdolek Wednesday, February 20, 2013 11:42 PM
Thursday, February 21, 2013 10:31 AM
You can do this as a DC or as just a standalone 2012 server. What you need to do is create a group in AD if it is a DC or in local groups if it is a standalone and then open local secrity policy which you should be able to find in admin tools if not run MMC and add it as a snapin.
Once loaded expand local policies and selete user rights assignment this will allow you to add your group into the required policys. As I am unsure of all of your needs I cant go into detail on which policyies you may required for your group.
Thursday, February 21, 2013 11:10 PM
As soon as you give someone the right to install a program, you have basically given them the right to do just about anything they want to do. Installing a program or service requires higher privileges than simply taking ownership of a file.
What you can do is set up auditing of file access. Then if people start accessing the wrong stuff, you institute the salary continuation plan.
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Monday, March 04, 2013 9:13 AM