Tags Tags

User rights of logon server locally, start/stop services, kill pro

January 14th, 2009 - 04:15 am ET by Pakeon | Report spam
Help Create a new topic
Hi all,

I wonder whethere there are some ways to delegate specific rights to some
ones who are able to logon server locally, start and stop certain services,
kill certain processes, reboot/shutdown servers?

Thanks in advance.

Pakeon
email Follow the discussionReplies 5 repliesReplies Make a reply

Similar topics

Replies

#1 Marcin
January 14th, 2009 - 08:50 pm ET | Report spam
Pakeon,
the most common solution to this set of requirements involves use of Group
Policies. For stand-alone systems, simply run gpedit.msc - for domain-based
systems, use Group Policy Management Console. Logon/shutdown related tasks
are controlled by settings under Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment and
Computer Configuration\Windows Settings\Security Settings\System Services.
Ability to kill an arbitrary process would depend on its security context -
but as long as the process was not launched by the current user, it would
typically require local Administrator privileges...

hth
Marcin

"Pakeon" wrote in message
news:
Hi all,

I wonder whethere there are some ways to delegate specific rights to some
ones who are able to logon server locally, start and stop certain
services,
kill certain processes, reboot/shutdown servers?

Thanks in advance.

Pakeon


Replies Reply to this message
#2 Pakeon
January 15th, 2009 - 12:06 am ET | Report spam
Marcin,

Thanks for your information! What about the network configuraiton change? Is
there a way to grant particular usres who are only able to update server
network configuraiton such as IP address, DNS suffix...?

Any idea?

Thanks in advance

Pakeon


"Marcin" wrote:

Pakeon,
the most common solution to this set of requirements involves use of Group
Policies. For stand-alone systems, simply run gpedit.msc - for domain-based
systems, use Group Policy Management Console. Logon/shutdown related tasks
are controlled by settings under Computer Configuration\Windows
Settings\Security Settings\Local Policies\User Rights Assignment and
Computer Configuration\Windows Settings\Security Settings\System Services.
Ability to kill an arbitrary process would depend on its security context -
but as long as the process was not launched by the current user, it would
typically require local Administrator privileges...

hth
Marcin

"Pakeon" wrote in message
news:
> Hi all,
>
> I wonder whethere there are some ways to delegate specific rights to some
> ones who are able to logon server locally, start and stop certain
> services,
> kill certain processes, reboot/shutdown servers?
>
> Thanks in advance.
>
> Pakeon





Replies Reply to this message
#3 Paul Adare
January 15th, 2009 - 02:27 am ET | Report spam
On Wed, 14 Jan 2009 21:06:00 -0800, Pakeon wrote:

Thanks for your information! What about the network configuraiton change? Is
there a way to grant particular usres who are only able to update server
network configuraiton such as IP address, DNS suffix...?



That depends on the operating system. In Windows 2000, which is what this
news group is for, I believe that you need to use membership in Power Users
or Server Operators (sorry but it has been years since I worked with
Windows 2000). For Server 2008 there's a local group called Network
Configuration Operators that will do what you want.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Replies Reply to this message
#4 Pakeon
January 15th, 2009 - 08:24 am ET | Report spam
I'm running Windows server 2003. I don't want to add them to Server Operators
or Power Users. I want to grant explicit rights to the group that is
responsible for particular tasks, such as Network configuration.

Thanks

Pakeon

"Paul Adare" wrote:

On Wed, 14 Jan 2009 21:06:00 -0800, Pakeon wrote:

> Thanks for your information! What about the network configuraiton change? Is
> there a way to grant particular usres who are only able to update server
> network configuraiton such as IP address, DNS suffix...?

That depends on the operating system. In Windows 2000, which is what this
news group is for, I believe that you need to use membership in Power Users
or Server Operators (sorry but it has been years since I worked with
Windows 2000). For Server 2008 there's a local group called Network
Configuration Operators that will do what you want.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca



Replies Reply to this message
#5 Marcin
January 15th, 2009 - 02:09 pm ET | Report spam
Network Operators group is available in Windows Server 2003 as well...

hth
Marcin

"Pakeon" wrote in message
news:
I'm running Windows server 2003. I don't want to add them to Server
Operators
or Power Users. I want to grant explicit rights to the group that is
responsible for particular tasks, such as Network configuration.

Thanks

Pakeon

"Paul Adare" wrote:

On Wed, 14 Jan 2009 21:06:00 -0800, Pakeon wrote:

> Thanks for your information! What about the network configuraiton
> change? Is
> there a way to grant particular usres who are only able to update
> server
> network configuraiton such as IP address, DNS suffix...?

That depends on the operating system. In Windows 2000, which is what this
news group is for, I believe that you need to use membership in Power
Users
or Server Operators (sorry but it has been years since I worked with
Windows 2000). For Server 2008 there's a local group called Network
Configuration Operators that will do what you want.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca





email Follow the discussion Replies Reply to this message
Help Create a new topicReplies Make a reply
Search Make your own search