Delegate access to NPS
I am working for an ISP where every IT engineer has access to every system by using a single administrative account. This is very handy but not too secure...
The main problem I have is NPS. With AD and Exchange you can delegate access, but with NPS this seems not to be possible. We have 4 sites and every site has at least one domain controller with NPS installed. We cannot create separate NPS servers.
How can I give access to NPS without giving access to everything else? It would be great if it can be done by using the MMC. We have a terminal server with NPS installed so that I can use the NPS snapin.
Best regards,
Laurens
March 7th, 2011 6:58am
Hi Laurens,
Thanks for posting here
>How can I give access to NPS without giving access to everything else? It would be great if it can be done by using the MMC. We have a terminal server with NPS installed so that I can use the NPS snapin.
Yes, using the MMC snap-in is a way to achieve the goal. You should enable the Remote Administration exception in Windows Firewall with Advanced Security first; after that we can remotely access and manage this service via the NPS MMC snap-in, and this will help us to prevent other services from being accessed:
Administer NPS by Using Tools
http://technet.microsoft.com/en-us/library/cc732994(WS.10).aspx
Meanwhile, using individual servers for NPS and managing them via Remote Desktop Connection and encrypted communication is the best practice:
Best Practices for NPS
http://technet.microsoft.com/en-us/library/cc771746(WS.10).aspx
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 7th, 2011 9:16pm
Thanks for your reply Tiger Li,
I already have an MMC configured and the firewall is turned off. The problem is that I need to give the network team access rights to NPS but not to the rest of the domain controller.
When they use the MMC the following message is shown: "Administrator privileges are required to use the Network Policy Server. Please log on to the computer with an administrator account.".
How can I allow them to use this MMC with the NPS add-in without giving them access to other areas on the domain controller?
March 8th, 2011 4:00am
Hi Laurens,
Thanks for the update.
Please understand that only members of the Administrators group have the right to locally or remotely manage NPS; you should add these accounts to this group so that they will be granted permission to manage NPS via the MMC snap-in.
However, other services will also be opened to these accounts, and this is why we always suggest deploying NPS on individual servers in this scenario.
Manage Multiple NPS Servers by Using the NPS MMC Snap-in
http://technet.microsoft.com/en-us/library/cc770325(WS.10).aspx
Thanks.
Tiger Li
March 8th, 2011 5:51am
Hi Laurens,
Please feel free to let us know if the information was helpful to you.
Thanks,
Tiger Li
March 9th, 2011 5:45am