User rights of logon server locally, start/stop services, kill pro

Hi all,

I wonder whether there are some ways to delegate specific rights to some ones who are able to logon server locally, start and stop certain services, kill certain processes, reboot/shutdown servers?

Thanks in advance.

Pakeon

Pakeon,
the most common solution to this set of requirements involves use of Group Policies. For stand-alone systems, simply run gpedit.msc - for domain-based systems, use Group Policy Management Console. Logon/shutdown related tasks are controlled by settings under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\System Services. Ability to kill an arbitrary process would depend on its security context - but as long as the process was not launched by the current user, it would typically require local Administrator privileges...

hth
Marcin

Marcin,

Thanks for your information! What about the network configuration change? Is there a way to grant particular users who are only able to update server network configuration such as IP address, DNS suffix...? Any idea?

Thanks in advance

Pakeon

On Wed, 14 Jan 2009 21:06:00 -0800, Pakeon wrote:

> Thanks for your information! What about the network configuration change? Is
> there a way to grant particular users who are only able to update server
> network configuration such as IP address, DNS suffix...?

That depends on the operating system. In Windows 2000, which is what this news group is for, I believe that you need to use membership in Power Users or Server Operators (sorry but it has been years since I worked with Windows 2000). For Server 2008 there's a local group called Network Configuration Operators that will do what you want.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca

I'm running Windows Server 2003. I don't want to add them to Server Operators or Power Users. I want to grant explicit rights to the group that is responsible for particular tasks, such as Network configuration.

Thanks

Pakeon

Network Operators group is available in Windows Server 2003 as well...

hth
Marcin
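
The System Services policy mentioned in the thread delegates start/stop by writing an access control list onto each service. The Python sketch below is an added example, not code posted by anyone in the thread: it parses a service security descriptor in the SDDL form printed by `sc sdshow` and reports whether a delegated group holds start/stop only or also rights that let it reconfigure the service. The SID and both descriptors are constructed samples, and `review_delegation` is a hypothetical helper name.

```python
import re

# Service-specific meaning of the two-letter SDDL access rights.
SERVICE_RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner",
    "GA": "full control",
}
# Rights beyond operating the service: the holder can change what it runs or who controls it.
EXCESS = {"DC", "SD", "WD", "WO", "GA"}

def parse_service_dacl(sddl):
    """Return (ace_type, trustee, [right codes]) for each ACE in the DACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group and SACL
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = body.split(";")[:6]
        aces.append((ace_type, trustee, re.findall("..", rights)))
    return aces

def review_delegation(sddl, delegate_sid):
    """Summarise what allow ACEs grant to delegate_sid and flag excess rights."""
    granted = set()
    for ace_type, trustee, codes in parse_service_dacl(sddl):
        if ace_type == "A" and trustee == delegate_sid:
            granted.update(codes)
    return {
        "can_start": "RP" in granted,
        "can_stop": "WP" in granted,
        "rights": sorted(SERVICE_RIGHTS.get(c, c) for c in granted),
        "excess": sorted(granted & EXCESS),
    }

# Constructed sample data: a made-up group SID and two descriptors for the same service.
DELEGATE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCLCSWLOCRRC;;;IU)")
SACL = "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
SCOPED = BASE + "(A;;RPWPLCRC;;;" + DELEGATE + ")" + SACL
OVERBROAD = BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + DELEGATE + ")" + SACL

if __name__ == "__main__":
    for name, sd in (("scoped", SCOPED), ("overbroad", OVERBROAD)):
        print(name, review_delegation(sd, DELEGATE))
```
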