Windows Server Admin Question: Delegate Roles

I'm trying to figure out how to enable some non-IT staff to do some routine
tasks related to an application they run. When they call for external
support, invariably they are told to restart the Windows services affecting
their application and reboot the server. Right now, they call IT, open a
ticket, and wait for a system admin to respond. The response time is the
issue, sometimes amounting to half a day and that makes coordination with
the external support difficult. The two staff already have power user
accounts on the server, but IT is reluctant to give them full admin rights
(for obvious reasons).

We've found a command line utility that will add rights to their power user
accounts to enable the restarting of services. Nothing short of admin
rights to reboot the server.

It seems to me that this shouldn't be so difficult, and that perhaps
someone has already figured out how to do this? I know that there used to
be tools that would enable granular delegation of rights on Windows
(NT/2000) but that with 2003 and 2008, those seem to have gone away. One
post I saw indicated we might be able to copy the rights from another type
of account (like Backup) to provide a broader set of rights to a power
user, and still stay short of full admin rights. I don't have any
experience with local policies, but that would have seemed another way to
do this.

Anyway, I'm fishing for answers. Anyone have any thoughts or done this?

Thanks. David.

Comments

Windows Server Admin Question: Delegate Roles

If your servers are virtual and you use VMware ESX, you can delegate power and shutdown operations to anyone through the vCenter console. I expect Hyper-V has a similar ability. If you don't have either, many university central computing groups will let you use (or sell you use of) their VMware cluster.
-Michael

On Nov 19, 2011, at 2:18 PM, David Whelan wrote:

I'm trying to figure out how to enable some non-IT staff to do some routine tasks related to an application they run. When they call for external support, invariably they are told to restart the Windows services affecting their application and reboot the server. Right now, they call IT, open a ticket, and wait for a system admin to respond. The response time is the issue, sometimes amounting to half a day and that makes coordination with the external support difficult. The two staff already have power user accounts on the server, but IT is reluctant to give them full admin rights (for obvious reasons).

We've found a command line utility that will add rights to their power user accounts to enable the restarting of services. Nothing short of admin rights to reboot the server.

It seems to me that this shouldn't be so difficult, and that perhaps someone has already figured out how to do this? I know that there used to be tools that would enable granular delegation of rights on Windows (NT/2000) but that with 2003 and 2008, those seem to have gone away. One post I saw indicated we might be able to copy the rights from another type of account (like Backup) to provide a broader set of rights to a power user, and still stay short of full admin rights. I don't have any experience with local policies, but that would have seemed another way to do this.

Anyway, I'm fishing for answers. Anyone have any thoughts or done this?

Thanks. David.
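
One way to script the delegation the question asks about, using the built-in `sc.exe` and `secedit.exe` (an added example, not part of the original thread). The service name `ExampleAppSvc` and the local group `AppOperators` are placeholders, and the script assumes the "Shut down the system" user right is managed locally on the server.

```powershell
# Added example. Placeholders (assumptions, not from the thread):
#   ExampleAppSvc = the application's service, AppOperators = a local group
#   holding the two staff accounts. Run from an elevated prompt.
param(
    [string]$ServiceName = 'ExampleAppSvc',
    [string]$Group       = 'AppOperators',
    [switch]$Apply       # without -Apply the script only reports what it would change
)

# Resolve the group to a SID; the service descriptor and the exported template use SIDs.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier]).Value

# --- 1. Service control: add one allow ACE to the service's DACL ---
# CC=query config  LC=query status  SW=enumerate dependents  RP=start
# WP=stop  LO=interrogate  RC=read the descriptor.
# DC (change config), WD and WO are left out on purpose: each is a path to
# changing the service's binary path and running code as the service account.
$ace  = "(A;;CCLCSWRPWPLORC;;;$sid)"
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_.Trim() }) -join ''
if ($sddl -notmatch '^D:') { throw "Could not read the DACL of ${ServiceName}: $sddl" }
if ($sddl.Contains(";;;$sid)")) {
    Write-Output "Service: $Group already has an ACE, leaving it unchanged."
} else {
    $sacl    = $sddl.IndexOf('S:')    # SACL section, if present, follows the DACL
    $newSddl = if ($sacl -ge 0) { $sddl.Insert($sacl, $ace) } else { $sddl + $ace }
    Write-Output "Service: new descriptor $newSddl"
    if ($Apply) {
        & sc.exe sdset $ServiceName $newSddl
        if ($LASTEXITCODE -ne 0) { throw "sc sdset failed ($LASTEXITCODE)" }
    }
}

# --- 2. Reboot: the 'Shut down the system' user right (SeShutdownPrivilege) ---
$cfg = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines   = Get-Content $cfg
$current = $lines | Where-Object { $_ -match '^SeShutdownPrivilege\s*=' }
if (-not $current) { throw "SeShutdownPrivilege not found in $cfg" }
if ($current -match [regex]::Escape($sid)) {
    Write-Output "Reboot: $Group already holds SeShutdownPrivilege."
} else {
    $lines = $lines | ForEach-Object { if ($_ -match '^SeShutdownPrivilege\s*=') { "$_,*$sid" } else { $_ } }
    Write-Output "Reboot: new entry $current,*$sid"
    if ($Apply) {
        Set-Content -Path $cfg -Value $lines -Encoding Unicode
        & secedit.exe /configure /db (Join-Path $env:TEMP 'user-rights.sdb') /cfg $cfg /areas USER_RIGHTS
    }
}
```

On a domain-joined server, a Group Policy that defines "Shut down the system" overrides the local setting at the next policy refresh, so the right then has to be granted in that GPO instead.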