Delegate access to NPS
I am working for an ISP where every IT engineer has access to every system by using a single administrative account. This is very handy but not too secure... The main problem I have is NPS. With AD and Exchange you can delegate access, but with NPS this seems not to be possible. We have 4 sites and every site has at least one domain controller with NPS installed. We cannot create separate NPS servers.

How can I give access to NPS without giving access to everything else? It would be great if it can be done by using the MMC. We have a terminal server with NPS installed so that I can use the NPS snapin.

Best regards, Laurens
March 7th, 2011 6:58am

Hi Laurens,

Thanks for posting here.

> How can I give access to NPS without giving access to everything else? It would be great if it can be done by using the MMC. We have a terminal server with NPS installed so that I can use the NPS snapin.

Yes, using the MMC snap-in is a way to achieve the goal. You should enable the Remote Administration exception in Windows Firewall with Advanced Security first; after that we can remotely access and manage this service via the NPS MMC snap-in, and this will help us to prevent other services from being accessed:

Administer NPS by Using Tools
http://technet.microsoft.com/en-us/library/cc732994(WS.10).aspx

Meanwhile, using individual servers for NPS and managing them via Remote Desktop Connection and encrypted communication is the best practice:

Best Practices for NPS
http://technet.microsoft.com/en-us/library/cc771746(WS.10).aspx

Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 7th, 2011 9:16pm

Thanks for your reply Tiger Li,

I already have an MMC configured and the firewall is turned off. The problem is that I need to give the network team access rights to NPS but not to the rest of the domain controller. When they use the MMC the following message is shown: "Administrator privileges are required to use the Network Policy Server. Please log on to the computer with an administrator account."

How can I allow them to use this MMC with the NPS add-in without giving them access to other areas on the domain controller?
March 8th, 2011 4:00am

Hi Laurens,

Thanks for the update.

Please understand that only members of the Administrators group have the right to locally or remotely manage NPS; you should add these accounts to this group so that they will be granted permission to manage NPS via the MMC snap-in. However, other services will also be opened to these accounts, and this is why we always suggest deploying NPS on individual servers in this scenario.

Manage Multiple NPS Servers by Using the NPS MMC Snap-in
http://technet.microsoft.com/en-us/library/cc770325(WS.10).aspx

Thanks.
Tiger Li
March 8th, 2011 5:51am

Hi Laurens,

Please feel free to let us know if the information was helpful to you.

Thanks,
Tiger Li
March 9th, 2011 5:45am

This topic is archived. No further replies will be accepted.
