| Author |
Message |
Madjid
Guest
|
 Posted:
Mon Oct 03, 2005 12:50 pm Post subject:
How to give “View” access to all my servers in my domai |
|
|
Hi all
I need help with this one. It’s a crazy one.
I need to give “View” access to all my servers in my domain, to a few people.
So basically, these people should be able to login to all my servers,
including my domain controllers and be able to see and browse all the
resources without being able to change any settings or destroy anything for
me.
I have done the following.
- Created a domain user account called “MR.X”
- Put MR.X in the local “Remote Desktop User” group
By this, I accomplished giving the user logon rights and also being able to
look around in most of the places, but for DNS, WIND and DHCP, I need to give
the user separate access and permissions. But in this way, the user has more
rights than I would like him to have.
And also my biggest problem is to make this user able to log on to my domain
controllers.
Is this anything that MS has thought about?
Is there an easy way to give people (IT managers and so on) access to look
but not to touch?
Any one who knows how to fix this problem?
Regards
Madjid |
|
| Back to top |
|
 |
Roger Abell [MVP]
Guest
|
| Posted:
Tue Oct 04, 2005 8:51 am Post subject:
Re: How to give "View" access to all my servers in my domain |
|
|
and . . . after you address "DNS, WIND and DHCP" (wins ?) the
current issues, then you will find that they want to review the metabase
of IIS, the COM+ component config, AD at an AdsiEdit level, . . .
where will it end ??
as for making it possible for a non-admin to log into a DC, that is no
problem whatsoever - just grant then the log in locally right for DCs
in a DC OU linked GPO, and grant RDP login
It seems to me that the problem is not solvable, except by addressing
it directly and getting them to understand that they are not sufficiently
knowlegable to make use of the access they are demanding (or, if
they are, then what is the problem with trusting them?)
"Madjid" <Madjid@discussions.microsoft.com> wrote in message
news:39BE8654-255E-4CB1-8912-08EEFFCD9220@microsoft.com...
| Quote: | Hi all
I need help with this one. It's a crazy one.
I need to give "View" access to all my servers in my domain, to a few
people.
So basically, these people should be able to login to all my servers,
including my domain controllers and be able to see and browse all the
resources without being able to change any settings or destroy anything
for
me.
I have done the following.
- Created a domain user account called "MR.X"
- Put MR.X in the local "Remote Desktop User" group
By this, I accomplished giving the user logon rights and also being able
to
look around in most of the places, but for DNS, WIND and DHCP, I need to
give
the user separate access and permissions. But in this way, the user has
more
rights than I would like him to have.
And also my biggest problem is to make this user able to log on to my
domain
controllers.
Is this anything that MS has thought about?
Is there an easy way to give people (IT managers and so on) access to look
but not to touch?
Any one who knows how to fix this problem?
Regards
Madjid
|
|
|
| Back to top |
|
|
Madjid
Guest
|
| Posted:
Tue Oct 04, 2005 8:51 pm Post subject:
Re: How to give "View" access to all my servers in my domain |
|
|
Hi Roger
It’s not a matter of trust. The problem is that these guys’ ore customers
and they just want to have this ability to look at their own servers. Somehow
I can understand their need of keeping truck of what is happening and that
they also need this control for moving the business forward.
But they do probably not want to be blamed for anything in case of, and
that’s why they don’t want to be able to change anything.
However, I am starting to see that this is not an easy task. But I am still
interested to know if anyone else has succeeded in doing it.
Regards
Madjid
"Roger Abell [MVP]" skrev:
| Quote: | and . . . after you address "DNS, WIND and DHCP" (wins ?) the
current issues, then you will find that they want to review the metabase
of IIS, the COM+ component config, AD at an AdsiEdit level, . . .
where will it end ??
as for making it possible for a non-admin to log into a DC, that is no
problem whatsoever - just grant then the log in locally right for DCs
in a DC OU linked GPO, and grant RDP login
It seems to me that the problem is not solvable, except by addressing
it directly and getting them to understand that they are not sufficiently
knowlegable to make use of the access they are demanding (or, if
they are, then what is the problem with trusting them?)
"Madjid" <Madjid@discussions.microsoft.com> wrote in message
news:39BE8654-255E-4CB1-8912-08EEFFCD9220@microsoft.com...
Hi all
I need help with this one. It's a crazy one.
I need to give "View" access to all my servers in my domain, to a few
people.
So basically, these people should be able to login to all my servers,
including my domain controllers and be able to see and browse all the
resources without being able to change any settings or destroy anything
for
me.
I have done the following.
- Created a domain user account called "MR.X"
- Put MR.X in the local "Remote Desktop User" group
By this, I accomplished giving the user logon rights and also being able
to
look around in most of the places, but for DNS, WIND and DHCP, I need to
give
the user separate access and permissions. But in this way, the user has
more
rights than I would like him to have.
And also my biggest problem is to make this user able to log on to my
domain
controllers.
Is this anything that MS has thought about?
Is there an easy way to give people (IT managers and so on) access to look
but not to touch?
Any one who knows how to fix this problem?
Regards
Madjid
|
|
|
| Back to top |
|
|
Steven L Umbach
Guest
|
| Posted:
Wed Oct 05, 2005 12:50 am Post subject:
Re: How to give "View" access to all my servers in my domain |
|
|
You may want to look at adding them to the groups DHCP users and wins users.
For dns open the Management Console for DNS and for the servers there give
those users or group read permissions in properties/security to see if that
helps. --- Steve
"Madjid" <Madjid@discussions.microsoft.com> wrote in message
news:39BE8654-255E-4CB1-8912-08EEFFCD9220@microsoft.com...
| Quote: | Hi all
I need help with this one. It's a crazy one.
I need to give "View" access to all my servers in my domain, to a few
people.
So basically, these people should be able to login to all my servers,
including my domain controllers and be able to see and browse all the
resources without being able to change any settings or destroy anything
for
me.
I have done the following.
- Created a domain user account called "MR.X"
- Put MR.X in the local "Remote Desktop User" group
By this, I accomplished giving the user logon rights and also being able
to
look around in most of the places, but for DNS, WIND and DHCP, I need to
give
the user separate access and permissions. But in this way, the user has
more
rights than I would like him to have.
And also my biggest problem is to make this user able to log on to my
domain
controllers.
Is this anything that MS has thought about?
Is there an easy way to give people (IT managers and so on) access to look
but not to touch?
Any one who knows how to fix this problem?
Regards
Madjid
|
|
|
| Back to top |
|
|
Roger Abell [MVP]
Guest
|
| Posted:
Wed Oct 05, 2005 7:34 am Post subject:
Re: How to give "View" access to all my servers in my domain |
|
|
Hi Madjid
I can see the business case, now that you have opened my eyes
beyond this being a corp internal audit type of need.
I believe that the best you will be able to come up with is to have
some reporting that summarizes all that is of interest but that cannot
be granted without over-allocation of privilege, and there definitely
be a number of such areas.
Roger
"Madjid" <Madjid@discussions.microsoft.com> wrote in message
news:FEB2D244-A86B-464B-AD69-F1CA63836259@microsoft.com...
| Quote: | Hi Roger
It's not a matter of trust. The problem is that these guys' ore customers
and they just want to have this ability to look at their own servers.
Somehow
I can understand their need of keeping truck of what is happening and that
they also need this control for moving the business forward.
But they do probably not want to be blamed for anything in case of, and
that's why they don't want to be able to change anything.
However, I am starting to see that this is not an easy task. But I am
still
interested to know if anyone else has succeeded in doing it.
Regards
Madjid
"Roger Abell [MVP]" skrev:
and . . . after you address "DNS, WIND and DHCP" (wins ?) the
current issues, then you will find that they want to review the metabase
of IIS, the COM+ component config, AD at an AdsiEdit level, . . .
where will it end ??
as for making it possible for a non-admin to log into a DC, that is no
problem whatsoever - just grant then the log in locally right for DCs
in a DC OU linked GPO, and grant RDP login
It seems to me that the problem is not solvable, except by addressing
it directly and getting them to understand that they are not sufficiently
knowlegable to make use of the access they are demanding (or, if
they are, then what is the problem with trusting them?)
"Madjid" <Madjid@discussions.microsoft.com> wrote in message
news:39BE8654-255E-4CB1-8912-08EEFFCD9220@microsoft.com...
Hi all
I need help with this one. It's a crazy one.
I need to give "View" access to all my servers in my domain, to a few
people.
So basically, these people should be able to login to all my servers,
including my domain controllers and be able to see and browse all the
resources without being able to change any settings or destroy anything
for
me.
I have done the following.
- Created a domain user account called "MR.X"
- Put MR.X in the local "Remote Desktop User" group
By this, I accomplished giving the user logon rights and also being
able
to
look around in most of the places, but for DNS, WIND and DHCP, I need
to
give
the user separate access and permissions. But in this way, the user has
more
rights than I would like him to have.
And also my biggest problem is to make this user able to log on to my
domain
controllers.
Is this anything that MS has thought about?
Is there an easy way to give people (IT managers and so on) access to
look
but not to touch?
Any one who knows how to fix this problem?
Regards
Madjid
|
|
|
| Back to top |
|
|
Madjid
Guest
|
| Posted:
Wed Oct 05, 2005 12:50 pm Post subject:
Re: How to give "View" access to all my servers in my domain |
|
|
Thank You al for your help.
I will do my best to stop this from happening :) since there is no easy way
to do it.
Regards
/M
"Steven L Umbach" skrev:
| Quote: | You may want to look at adding them to the groups DHCP users and wins users.
For dns open the Management Console for DNS and for the servers there give
those users or group read permissions in properties/security to see if that
helps. --- Steve
"Madjid" <Madjid@discussions.microsoft.com> wrote in message
news:39BE8654-255E-4CB1-8912-08EEFFCD9220@microsoft.com...
Hi all
I need help with this one. It's a crazy one.
I need to give "View" access to all my servers in my domain, to a few
people.
So basically, these people should be able to login to all my servers,
including my domain controllers and be able to see and browse all the
resources without being able to change any settings or destroy anything
for
me.
I have done the following.
- Created a domain user account called "MR.X"
- Put MR.X in the local "Remote Desktop User" group
By this, I accomplished giving the user logon rights and also being able
to
look around in most of the places, but for DNS, WIND and DHCP, I need to
give
the user separate access and permissions. But in this way, the user has
more
rights than I would like him to have.
And also my biggest problem is to make this user able to log on to my
domain
controllers.
Is this anything that MS has thought about?
Is there an easy way to give people (IT managers and so on) access to look
but not to touch?
Any one who knows how to fix this problem?
Regards
Madjid
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in