Results 1 to 8 of 8

Thread: Permissions on Server for Contractor

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    106

    Question Permissions on Server for Contractor

    Hey All,

    I have a standalone Win2k server running Terminal Services(remote admin mode) w/ SQL 2000 setup for development purposes. We currently have two instances (Dev, QA) setup on the same machine. We have contractors that will perform some of the lower-level tasks required by the client. I do not want the contractors to be able to access the QA instance. I have setup the proper directory permissions and confirmed that they can access the Dev instance of the web content as well as the SQL DB, but cannot access the QA instance. I configured TS to allow the Contractors (who are not Admins) to TS into the box, which works fine...mostly. My issue is that the contractors are unable to perform certain tasks on the machine. They cannot restart services or open the IIS admin console and view site properties. Does anyone know what permission level they need to be able to perform these tasks? I really don't want to give them full Admin rights if I don't have to, but they need to be able to perform those two tasks.

    TIA
    just making some minor adjustments to your system....

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Question

    What about role based administration? Microsoft has a Knowledge base article on it Here that might help.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    I'm not sure, but I think giving them Replicator rights might do the trick.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Posts
    211
    i never used win2k as stand alone .. but i knew how to manage the level permission if the comp on the network ( domain ). I think MsMittens Right, i've seen the issue and here's i show u the detail of rolebaseadmin:
    1). CA Administrator --- Manage CA permission
    2). Certificate Manager --- Issue and Manage Certificates permission
    3). Backup Operator --- Back up file and directories and Restore file and directories permissions
    4). Auditor --- Manage auditing and security log permission
    5). Enrollees --- Authenticated Users
    which one ? you may give the other ppl roles and group except CA Administrator. thanks for you MS Mittens.

    When I lay me down to sleep, Pray the LORD my soul to keep.
    If I die before i wake, Pray the LORD my soul to take.

    http://www.AntiOnline.com/sig.php?imageid=389

  5. #5
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    The doc was good info, but I think it was more directed towards working with CA's, unless I misunderstood it???

    I forgot to mention that I did try using the Power Users group, but I was still unable to restart services or view anything when I opened the IIS MMC. I did also try the Replicator group, but no luck there either. I'm stumped, how do other people give access to contractors? Do you simply give them Admin rights to that specific box?
    just making some minor adjustments to your system....

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Posts
    211
    have you try find the solution on microsoft site ?
    http://www.microsoft.com/windows2000/security/
    hope it could help u ...
    When I lay me down to sleep, Pray the LORD my soul to keep.
    If I die before i wake, Pray the LORD my soul to take.

    http://www.AntiOnline.com/sig.php?imageid=389

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Giving admin rights to contractors is not a good idea, IMHO. I did a little further research. Check out this one.

    http://www.sans.org/rr/win2000/admin.php

    You want role based administration as it limits what an "admin" can do and can't do. If you want someone just to do backups, then they'd just do backups but not have the ability to create/delete or modify users (not a needed task in backup administration).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •