Builtin Group Missing
Pat Hall
Guest





Posted: Wed Oct 12, 2005 12:50 am    Post subject: Builtin Group Missing

I would like to use the Server Operator group to give our Operations staff
access to our servers. I don't see this group on any of our servers (Windows
2003 or Windows 2000). I do see the Power Users group which would give them
more access than they need.
Is the Server Operators group still a valid group on a server? If so, why
can't I see it?
Back to top
Olaf Engelke [MVP Windows
Guest





Posted: Wed Oct 12, 2005 12:50 pm    Post subject: Re: Builtin Group Missing

Hi Pat,
Pat Hall wrote:
[quote]I would like to use the Server Operator group to give our Operations
staff access to our servers. I don't see this group on any of our
servers (Windows 2003 or Windows 2000). I do see the Power Users
group which would give them more access than they need.
Is the Server Operators group still a valid group on a server? If
so, why can't I see it?
[/quote]
you did take a look in Active Directory Users and Computers in the Builtin
container?
(This group exists only on a Domain level.)
Best greetings from Germany
Back to top
Pat Hall
Guest





Posted: Wed Oct 12, 2005 4:51 pm    Post subject: Re: Builtin Group Missing

Since we are an AD domain, do I need to use those instead of the groups on
the servers? Some groups like administrators & Backup Operators are in
Builtin in AD and on the server.
What if I don't want an individual to have Server Operator to a server? By
using the Domain level group, I would think that the access would be for all
servers and probably desktops.

"Olaf Engelke [MVP Windows Server]" wrote:

[quote]Hi Pat,
Pat Hall wrote:
I would like to use the Server Operator group to give our Operations
staff access to our servers. I don't see this group on any of our
servers (Windows 2003 or Windows 2000). I do see the Power Users
group which would give them more access than they need.
Is the Server Operators group still a valid group on a server? If
so, why can't I see it?

you did take a look in Active Directory Users and Computers in the Builtin
container?
(This group exists only on a Domain level.)
Best greetings from Germany

[/quote]
Back to top
Roger Abell [MVP]
Guest





Posted: Wed Oct 12, 2005 4:51 pm    Post subject: Re: Builtin Group Missing

Server Operators is defined in the domain account database, and it is not
used on domain members (unless someone uses it) but only on the DCs.

"Pat Hall" <PatHall@discussions.microsoft.com> wrote in message
news:A10F8BB4-DF49-462B-B28D-B54BAF7C44A0@microsoft.com...
[quote]Since we are an AD domain, do I need to use those instead of the groups on
the servers? Some groups like administrators & Backup Operators are in
Builtin in AD and on the server.
What if I don't want an individual to have Server Operator to a server? By
using the Domain level group, I would think that the access would be for all
servers and probably desktops.

"Olaf Engelke [MVP Windows Server]" wrote:

Hi Pat,
Pat Hall wrote:
I would like to use the Server Operator group to give our Operations
staff access to our servers. I don't see this group on any of our
servers (Windows 2003 or Windows 2000). I do see the Power Users
group which would give them more access than they need.
Is the Server Operators group still a valid group on a server? If
so, why can't I see it?

you did take a look in Active Directory Users and Computers in the
Builtin
container?
(This group exists only on a Domain level.)
Best greetings from Germany

[/quote]
Back to top
Pat Hall
Guest





Posted: Wed Oct 12, 2005 4:51 pm    Post subject: Re: Builtin Group Missing

What I need to do is give the Operations staff the ability to: Reboot a
server, stop/start a Service and use the Cluster Administrator and SQL
Service Manager and the file server backup application.
The Server Operators group seems like the best way to give them this access.
I need them to have this access on all the members servers in addition to
the DCs.
Is there a better way to do what I am trying to do?
BTW: I don't see the Local Users & Groups under Manage on the DCs.


"Roger Abell [MVP]" wrote:

[quote]Server Operators is defined in the domain account database, and it is not
used on domain members (unless someone uses it) but only on the DCs.

"Pat Hall" <PatHall@discussions.microsoft.com> wrote in message
news:A10F8BB4-DF49-462B-B28D-B54BAF7C44A0@microsoft.com...
Since we are an AD domain, do I need to use those instead of the groups on
the servers? Some groups like administrators & Backup Operators are in
Builtin in AD and on the server.
What if I don't want an individual to have Server Operator to a server? By
using the Domain level group, I would think that the access would be for all
servers and probably desktops.

"Olaf Engelke [MVP Windows Server]" wrote:

Hi Pat,
Pat Hall wrote:
I would like to use the Server Operator group to give our Operations
staff access to our servers. I don't see this group on any of our
servers (Windows 2003 or Windows 2000). I do see the Power Users
group which would give them more access than they need.
Is the Server Operators group still a valid group on a server? If
so, why can't I see it?

you did take a look in Active Directory Users and Computers in the
Builtin
container?
(This group exists only on a Domain level.)
Best greetings from Germany




[/quote]
Back to top
Joe Richards [MVP]
Guest





Posted: Thu Oct 13, 2005 12:51 am    Post subject: Re: Builtin Group Missing

ServOps only exists on and can only be used on domain controllers. For member
servers and workstations you have administrators and power users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Pat Hall wrote:
[quote]I would like to use the Server Operator group to give our Operations staff
access to our servers. I don't see this group on any of our servers (Windows
2003 or Windows 2000). I do see the Power Users group which would give them
more access than they need.
Is the Server Operators group still a valid group on a server? If so, why
can't I see it?[/quote]
Back to top
Roger Abell [MVP]
Guest





Posted: Fri Oct 14, 2005 7:51 am    Post subject: Re: Builtin Group Missing

Local policy and Local Users and Groups are not surfaced on DCs in
the familiar UI locations. They are there for DS restore mode, but are
otherwise not used after a machine is changed to a DC.

You probably need to carefully think through what is enabled by
what you are wanting to delegate, especially on the DCs.
As for the backup app, the required accounts to set up as compared
to the accounts to run/monitor/use, as compared to the account(s)
used by the backup software - differ by backup product and deployment
choices made. With some you can have lower power accounts able to
monitor/run the (previously defined) backup jobs.

Ability to reboot a machine, and to start/pause/stop specific services
can be handled by giving grants to the custom group you define for
these individuals' accounts. Reboot is a group policy setting of the
User Rights category (Shutdown the system). Services have ACLs
that can be manipulated with security config and editor templates,
or with some optional tools (setacl and ntrights if I am recalling
correctly).
If you manipulate the ACL on the services remember to always grant
full to System and to whatever account the service runs under.
Membership in Power Users would be an alternative option, but it is
not on DCs in the Domain account database, and it is an over allocation
of priv for reboot, some service control, etc.

I am not sure what you refer to as SQL Service Manager. I know the
little desktop start/stop/pause tool by that name. If you mean that, then
it is likely an issue of permissions on the services and perhaps on the
exe for the tool. If you mean SQL Enterprise Manager, any user can
use it, but what they can do with it is (or should be) controlled by how
SQL Server recognizes who is using that tool (what SQL grants exist).

Be aware that giving some of these things away to less senior tech staff
for the DCs can have broad reaching implications - either on the 999s
or even on the underlying well-being / security of your forest - depending
on the character and ingenuity of the involved people.

"Pat Hall" <PatHall@discussions.microsoft.com> wrote in message
news:AB53857F-DA4A-4DDF-8B56-ED9FA767F0B8@microsoft.com...
Quote:
What I need to do is give the Operations staff the ability to: Reboot a
server, stop/start a Service and use the Cluster Administrator and SQL
Service Manager and the file server backup application.
The Server Operators group seems like the best way to give them this
access.
I need them to have this access on all the members servers in addition to
the DCs.
Is there a better way to do what I am trying to do?
BTW: I don't see the Local Users & Groups under Manage on the DCs.


"Roger Abell [MVP]" wrote:

Server Operators is defined in the domain account database, and it is not
used on domain members (unless someone uses it) but only on the DCs.

"Pat Hall" <PatHall@discussions.microsoft.com> wrote in message
news:A10F8BB4-DF49-462B-B28D-B54BAF7C44A0@microsoft.com...
Since we are an AD domain, do I need to use those instead of the groups on
the servers? Some groups like administrators & Backup Operators are in
Builtin in AD and on the server.
What if I don't want an individual to have Server Operator to a server? By
using the Domain level group, I would think that the access would be for all
servers and probably desktops.

"Olaf Engelke [MVP Windows Server]" wrote:

Hi Pat,
Pat Hall wrote:
I would like to use the Server Operator group to give our Operations
staff access to our servers. I don't see this group on any of our
servers (Windows 2003 or Windows 2000). I do see the Power Users
group which would give them more access than they need.
Is the Server Operators group still a valid group on a server? If
so, why can't I see it?

you did take a look in Active Directory Users and Computers in the
Builtin
container?
(This group exists only on a Domain level.)
Best greetings from Germany




Back to top
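The service-ACL caveat in the post above (keep full access for System when changing a service's ACL, and give the custom group only what it needs) can be checked after the change. The PowerShell below is an added example, not part of the thread: the service name and the group SID are placeholders, and it reads the descriptor with `sc.exe sdshow`.

```powershell
# Added example: audit one service's DACL after delegating start/stop.
# $ServiceName and $DelegateSid are placeholders (the SID is constructed).
$ServiceName = 'Spooler'
$DelegateSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# Service access rights from winsvc.h, plus the standard rights.
$Rights = [ordered]@{
    QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004
    EnumerateDependents = 0x0008; Start = 0x0010; Stop = 0x0020
    PauseContinue = 0x0040; Interrogate = 0x0080; UserDefinedControl = 0x0100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
}
$AllAccess  = 0xF01FF   # SERVICE_ALL_ACCESS
# Rights that go beyond start/stop/query: ChangeConfig, Delete, WriteDac, WriteOwner
$Unintended = 0x0002 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-ServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        [pscustomobject]@{
            Sid    = $ace.SecurityIdentifier.Value
            Type   = $ace.AceType
            Mask   = $mask
            Rights = @($Rights.Keys | Where-Object { $mask -band $Rights[$_] }) -join ','
        }
    }
}

# sc.exe sdshow prints the descriptor as SDDL, padded with blank lines.
$out = & sc.exe sdshow $ServiceName
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed for '$ServiceName': $out" }
$aces = Get-ServiceAce -Sddl (($out | Where-Object { $_.Trim() }) -join '')

$allow    = $aces  | Where-Object { $_.Type -eq 'AccessAllowed' }
$system   = $allow | Where-Object { $_.Sid -eq 'S-1-5-18' }      # Local System
$delegate = $allow | Where-Object { $_.Sid -eq $DelegateSid }

# Generic rights (e.g. GA) are not expanded here; only specific bits are compared.
[pscustomobject]@{
    Service           = $ServiceName
    SystemHasFull     = [bool]($system   | Where-Object { ($_.Mask -band $AllAccess) -eq $AllAccess })
    DelegateStartStop = [bool]($delegate | Where-Object { ($_.Mask -band 0x30) -eq 0x30 })
    DelegateExtra     = [bool]($delegate | Where-Object { $_.Mask -band $Unintended })
}
$aces | Format-Table Sid, Type, Rights -AutoSize
```

Repeat the same comparison for the account the service runs under, which the post also says must keep full access.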
Pat Hall
Guest





Posted: Thu Oct 20, 2005 8:51 pm    Post subject: Re: Builtin Group Missing

Both administrators & Power users give more access than we really want to
give. 1) How do I see what access the server operators group has?
2) How do I set up a new group on the domain or on each server that I can
give all or most of the access Server Operators have?

"Joe Richards [MVP]" wrote:

Quote:
ServOps only exists on and can only be used on domain controllers. For member
servers and workstations you have administrators and power users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Pat Hall wrote:
I would like to use the Server Operator group to give our Operations staff
access to our servers. I don't see this group on any of our servers (Windows
2003 or Windows 2000). I do see the Power Users group which would give them
more access than they need.
Is the Server Operators group still a valid group on a server? If so, why
can't I see it?
Back to top
Joe Richards [MVP]
Guest





Posted: Fri Oct 21, 2005 12:50 am    Post subject: Re: Builtin Group Missing

You would have to filter through MS Docs to see if you can find descriptions.
Anyway, you want to grant specific things, it doesn't matter everything servops
can do. Some of the things you want to grant may be able to be delegated, other
things may not.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Pat Hall wrote:
Quote:
Both administrators & Power users give more access than we really want to
give. 1) How do I see what access the server operators group has?
2) How do I set up a new group on the domain or on each server that I can
give all or most of the access Server Operators have?

"Joe Richards [MVP]" wrote:


ServOps only exists on and can only be used on domain controllers. For member
servers and workstations you have administrators and power users.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Pat Hall wrote:

I would like to use the Server Operator group to give our Operations staff
access to our servers. I don't see this group on any of our servers (Windows
2003 or Windows 2000). I do see the Power Users group which would give them
more access than they need.
Is the Server Operators group still a valid group on a server? If so, why
can't I see it?
Back to top
 
All times are GMT