WDS/BDD 2007 - Principle of Least Privilege - How to configure WDS without Domain Admin privileges?

  • Question

  • Hi Tim et al.,

    I am having an issue with WDS whereby any configuration change requires the requestor to be a member of the domain administrator's group, or else you are prompted with an "Access is Denied" message.  The server is running Windows Server 2003 R2 SP2 running WDS in Mixed mode (DHCP and RIS).  The issue we have is that users who are not members of the Domain Administrators group are unable to administer the WDS server properties.

    Whilst the easy way around the issue is to give the users Domain Admin privileges, we are in the challenging position that the customer does not want the third-party supplier to have Domain Admin privileges.  Is there a way to configure WDS to allow full administration of WDS without DA privileges?

    To date I have tried the following all to no avail:

    • Local administrators group on WDS server
    • Full permissions to a specified group in AD on the WDS server object
    • Looked at WDS SQL Database and given elevated rights to WDS database

    Event viewer shows the following:

    Object Open:

    Object Server: SC Manager

    Object Type: SERVICE OBJECT

    Object Name: McShield

    Handle ID: -

    Operation ID: {0,3086068}

    Process ID: 468

    Image File Name: C:\WINDOWS\system32\services.exe

    Primary User Name: N24BLDSM01$

    Primary Domain: domainname

    Primary Logon ID: (0x0,0x3E7)

    Client User Name: username

    Client Domain: domainname

    Client Logon ID: (0x0,0x2EBAA1)

    Accesses: Query status of service

    Pause or continue the service


    Privileges: -

    Restricted Sid Count: 0

    Access Mask: 0x44

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Any help would be most appreciated.

    Kind regards,

    Andrew.

    Thursday, June 10, 2010 1:41 PM

Answers

  • You need to grant the user permissions to not just the AD server object, but its children as well. The user needs rights on the SCP (Service Control Point) object for the server which is a child of the computer object. In the AD Users & Computers console, turn on 'advanced' in the view menu, then do the following:

    1. Search for the actual computer.

    2. On the computer name in the results pane, right click->'Properties'. In the 'security' tab, add the user you want to give permissions to.

    3. Give the user 'full' permissions - the user should have permissions for creating, deleting and changing all child objects.

    Let me know if that solves your problem.

    Ajay Bhat, SDET, Windows Deployment Services, Microsoft
    Thursday, June 10, 2010 6:39 PM
    Moderator
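The delegation Ajay describes (full control on the computer object, inherited by its child objects such as the WDS SCP), scripted as an added example that is not part of this thread. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later), a dedicated group named WDS-Admins (an assumption), and takes the server name from the event log entry in the question.

```powershell
# Added example, not from the thread. Delegates full control over a WDS server's
# computer object and all of its child objects (including the Service Control Point)
# to a dedicated AD group, then lists the resulting ACE and the child objects it covers.
# Assumes the ActiveDirectory module; the group name is an assumption.
Import-Module ActiveDirectory

$WdsServer     = 'N24BLDSM01'   # server name from the event log entry in the question
$DelegateGroup = 'WDS-Admins'   # assumed group holding the third-party supplier's staff

$computer = Get-ADComputer -Identity $WdsServer
$group    = Get-ADGroup    -Identity $DelegateGroup

# Build the ACE: GenericAll ("full" permissions) on the computer object, inherited by
# every descendant (ActiveDirectorySecurityInheritance::All), so the SCP child gets it too.
# This is a broad grant, so it goes to a dedicated group rather than to individual users.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# The AD: drive exposed by the ActiveDirectory module lets Get-Acl/Set-Acl edit the object's ACL.
$path = "AD:\$($computer.DistinguishedName)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify the grant: show the ACE for the group, including its inheritance scope.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$DelegateGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# List the child objects under the computer account (the WDS SCP should be among them),
# which is where the inherited ACE must land for WDS administration to succeed.
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass
```

Re-run the verify section periodically: the presence of this ACE on the computer object is the thing to audit if the supplier's access is later withdrawn.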

All replies

  • Hi Ajay,

    That seems to have worked for my initial testing - just getting the third party supplier to test and confirm! :-)

    Andrew.

    Friday, June 11, 2010 7:40 AM