Re: restricted management for some users.

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-05-20 Bruyere, Michel wrote:
> 1- I need to setup a user (the technician) to access the properties of
> accounts in AD (to reset passwords and/or unlock them). He has to log on
> locally/interactively on one of the DC (the one with all the FMSO
> roles).
> BTW I had something strange when I've set the local policies on the DC
> to allow the user to logon locally. I had set al admins groups/accounts
> and this particular account. Few times after I did this, users began to
> call me telling that they had a message that they couldn't logon
> interactively. Is there a way to setup "local" policies on the DC to
> allow a user account to logon locally? 

IIRC this can be done through the Domain-Controller Policies (as opposed
to the Domain Policies). Find both of them on the Start Menu under
"Administrative Tools".

> 2- I have to give full control over 5 servers to 2 guys, the ERP dev
> team. They should have the right to install/uninstall anything on the
> servers. I though to give them an account which is local administrator
> on those servers.

Create a domain group ERP-dev, add the users to this group and add the
domain group to the local administrators group on those 5 servers.

HTH

Regards
Ansgar Wiechers

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------