I administer a Windows 2003 domain and I have application teams (such as Lotus Notes administration and the Legato backup team) who need to log onto various servers with adequate rights. My concern is that I do not want them to have full local admin rights to the servers (as they currently do), especially since I have no idea what level of expertise these people have. Indeed, this all came to a head recently when one of our Lotus Notes team changed the IP address on a server (something I tightly control) and caused a whole raft of issues.
Essentially, what I need to do is allow teams to administer their applications but not be able to do anything much else. I want to try and institute some kind of change control on them, and the easiest way to do that is to stop them doing anything they shouldn't without our approval, and we will document the changes.
I accept, of course, that these teams need access to the servers; I just want an easy way to limit them... I'd prefer this to be at the domain level (I tried adding a test user to the Remote Desktop Users group in Active Directory Users and Computers but it didn't allow the user to log on to a member server using TS), but if I have to do it on each system as it is added then so be it.
Any help appreciated.
Re: Server Privileges
TS and remote desktop are two different things...
What exactly would they have to do whilst 'administering their own applications'? I'm assuming they wouldn't have to install/remove... Why not create a group or even set them as power users?