I am a rookie and I am sure that I am missing something very basic, but I don't know where to look or how to start. I need some help and guidance around how to set up user access with restricted permissions. The end goal for me is to have an AD account that has access to log on to all servers within a particular domain, with rights to check Event Viewer logs and start and stop services running on the server. I don't want to add this account to the Domain Admins or Administrators group. After reading a bit I have tried creating a separate group, delegated some rights for the group on an OU (where all our servers are) and added the user account to this group. The user still cannot log in to any servers within that OU. I also want to automate this task using PowerShell :) Regards,
Can we access all Servers within our Domain with specific rights whilst not being part of domain admin?
119 views, asked by Anup
Allowing non-admin users the rights to log in to a machine remotely is easy: simply add the AD group to the local Remote Desktop Users group. This is likely the crux of your current issues.
Similarly, you don't have to be a Domain Admin in order to be in the local Administrators group. You can use group policy to configure and add another AD group to the local Administrators group, thereby limiting the number of Domain Admins and restricting the capabilities of the users in the group. Note: adding people to the local Administrators group automatically grants them remote logon, which would negate the need to also add them to the Remote Desktop Users group.
In order to read event logs, simply add the group to the Event Log Readers group.
Allowing non-administrators to start/stop services is much harder because you have to manually set ACL permissions to start/stop services on each service individually. See: Set permissions to start stop services
The easiest method is to use the SubInACL tool:
Setting Service Permissions Using SubInACL Tool
In the elevated command prompt, go to the directory containing the tool:
cd "C:\Program Files (x86)\Windows Resource Kits\Tools\"
Run the command:
subinacl.exe /service MyServiceName /grant=contoso\JSmith=PTO
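Putting the answer's steps together in PowerShell, as an added example that is not part of the original answer: it enumerates the computers in the servers OU, adds a delegated AD group to the local Remote Desktop Users and Event Log Readers groups on each one (skipping servers where it is already a member), and then applies the same SubInACL grant to a list of services. The OU path, domain, group name and service list are assumed placeholders; it needs the ActiveDirectory RSAT module where it runs, PowerShell Remoting (WinRM) enabled on the servers, and an account that is already a local administrator on them.

```powershell
# Added example (not from the original answer). Placeholders below are assumptions:
# adjust the OU, the delegated group and the service list to your environment.
$SearchBase  = 'OU=Servers,DC=contoso,DC=com'   # assumed OU holding the servers
$Group       = 'CONTOSO\ServerOperators'        # assumed delegated AD group (not Domain Admins)
$LocalGroups = @('Remote Desktop Users', 'Event Log Readers')
$Services    = @('Spooler')                     # assumed: services the group may start/stop

Import-Module ActiveDirectory

# Every enabled computer object in the OU becomes a target.
$Servers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' |
           Select-Object -ExpandProperty DNSHostName

# Step 1: local group membership (remote logon + event log reading) on each server.
$Results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Group, $LocalGroups)
    foreach ($lg in $LocalGroups) {
        # Add-LocalGroupMember throws if the member already exists, so check first.
        $already = Get-LocalGroupMember -Group $lg -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -eq $Group }
        if ($already) {
            $state = 'AlreadyMember'
        } else {
            try {
                Add-LocalGroupMember -Group $lg -Member $Group -ErrorAction Stop
                $state = 'Added'
            } catch {
                $state = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{ Server = $env:COMPUTERNAME; LocalGroup = $lg; Member = $Group; State = $state }
    }
} -ArgumentList $Group, $LocalGroups

$Results | Sort-Object Server, LocalGroup | Format-Table Server, LocalGroup, Member, State -AutoSize

# Step 2: start/stop rights are per service, so apply the SubInACL grant (PTO) to each
# listed service. Assumes subinacl.exe is installed on the servers at the default path.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Group, $Services)
    $tool = 'C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe'
    if (-not (Test-Path $tool)) {
        Write-Warning "$($env:COMPUTERNAME): subinacl.exe not found, skipping service ACLs"
        return
    }
    foreach ($svc in $Services) {
        & $tool /service $svc "/grant=$Group=PTO"
    }
} -ArgumentList $Group, $Services
```

Review the reported State column before trusting the result: a Failed row usually means the target server could not resolve the domain group or the local-group cmdlets are unavailable there.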