Limited administrator rights in Server 2008
I have a small Server 2008 domain and a vendor needs to set up a program via remote desktop. The remote access is not a problem, but how would I set up his user account so that he has permissions to install and maintain his program on the server, has access only to the directories I give him, but does not have access to anything else including the client computers on the network?
Currently our administrator account has full access to everything.
Would someone please give me a quick rundown on how to do this or steer me to a knowledge base article?
Thanks
July 29th, 2011 2:43pm
Create a new account for him, do not add it to local administrators and especially do not add it to Domain Admins, set up NTFS permissions on required directories either via GPO or by hand, clicking folder properties and setting up permissions on the Security tab.
With kind regards
Krystian Zieja
http://www.projectenvision.com
July 29th, 2011 2:49pm
With this configuration, what would give the vendor the rights to install and maintain a program on the server? I understand how to set security on individual directories. We are installing a custom program with SQL Server as the database.
I'll be installing the SQL server but the vendor will be installing his program. The database will be on drive E and I'd prefer that his program be on drive E as well. I would assume he would need some type of administrator rights to install and register his program.
July 29th, 2011 3:01pm
Hello,
Most software requires permission to be installed with parts on the system drive or at least some system folders/registry parts. So I assume you will not be able to achieve the installation without giving him admin permissions.
Why not do the installation yourself, guided by the company? Then you are not limited.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
July 30th, 2011 3:12pm
The reason I wanted to give the vendor these rights is because of small office and owner cronyism.
Thanks for the clarification.
August 1st, 2011 7:41am
Hiya,
If the server only runs this application, there is absolutely no problem in granting him/them Local Administrator access on this server, using their personal domain user account.
It will give you traceability.
You could even remove him from the Domain Users group, although that would probably make his life very hard.
Local Administrator grants him access to everything on the server, but nothing in the domain.
Domain Users gives him read rights for some parts of the domain.
The application might need to run with a service account that has specific permissions.
August 1st, 2011 8:02am
I didn't think it was possible to set up a local admin on a domain controller? If it is possible, how so, and maintain the server as the domain controller?
This is a small office and I only have two servers, the other largely runs Symantec Endpoint and serves as a backup to the primary domain controller.
August 2nd, 2011 10:03am
I believe you should use Process Monitor with elevated permissions from the user's account and try installing the software, and based on the log files of the Process Explorer you should be able to see exactly at which place in the file system and registry the user is denied access.
http://www.virmansec.com/blogs/skhairuddin
August 2nd, 2011 10:16am
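The approach suggested in the post above, as an added example that is not part of the original thread: once the installer run has been captured with Process Monitor and the trace saved in CSV format, this script lists the file and registry paths where one process received ACCESS DENIED. The sample rows, the process name setup.exe and all paths are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# Process names and paths are made up for illustration.
SAMPLE_EXPORT = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:16:01.10 AM","setup.exe","3120","CreateFile","E:\VendorApp\app.exe","SUCCESS","Desired Access: Generic Write"
"10:16:01.25 AM","setup.exe","3120","CreateFile","C:\Windows\System32\vendorlib.dll","ACCESS DENIED","Desired Access: Generic Write"
"10:16:01.31 AM","setup.exe","3120","CreateFile","C:\Windows\System32\vendorlib.dll","ACCESS DENIED","Desired Access: Generic Write"
"10:16:01.40 AM","setup.exe","3120","RegCreateKey","HKLM\SOFTWARE\VendorApp","ACCESS DENIED","Desired Access: All Access"
"10:16:01.52 AM","setup.exe","3120","RegOpenKey","HKCU\Software\VendorApp","NAME NOT FOUND","Desired Access: Read"
"10:16:01.60 AM","explorer.exe","1844","CreateFile","C:\System Volume Information","ACCESS DENIED","Desired Access: Read Attributes"
'''


def denied_locations(lines, process_name):
    """Group the ACCESS DENIED events of one process by target path.

    Returns (kind, path, operations, count) tuples, most frequent first,
    where kind is "registry" or "file".
    """
    hits = defaultdict(lambda: {"ops": set(), "count": 0})
    for row in csv.DictReader(lines):
        if row["Result"] != "ACCESS DENIED":
            continue  # NAME NOT FOUND and similar results are not permission problems
        if row["Process Name"].lower() != process_name.lower():
            continue  # ignore unrelated processes captured in the same trace
        # Process Monitor names its registry operations Reg*.
        kind = "registry" if row["Operation"].startswith("Reg") else "file"
        entry = hits[(kind, row["Path"])]
        entry["ops"].add(row["Operation"])
        entry["count"] += 1
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [(kind, path, sorted(e["ops"]), e["count"]) for (kind, path), e in ranked]


if __name__ == "__main__":
    # For a saved export, pass open(path, newline="", encoding="utf-8-sig")
    # instead, which also tolerates a byte-order mark at the start of the file.
    for kind, path, ops, count in denied_locations(io.StringIO(SAMPLE_EXPORT), "setup.exe"):
        print(f"{count:3d}  {kind:8s}  {path}  ({', '.join(ops)})")
```

The resulting list is the set of locations the installing account would need rights on, which can be compared against the directories it has been granted.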
I'm sorry, I don't follow what you are writing. Please clarify how this would give me limited admin rights on a domain controller?
August 2nd, 2011 10:21am
Unless this application installs by simply extracting files to a folder and does nothing else, then you are not going to find a solution that doesn't require administrator rights. Most Windows application installs are going to write files, write registry keys, assign permissions, and register DLL files. All of these actions require administrator rights.
My suggestion is to not waste time trying to circumvent admin rights and find a way to get the application installed either onsite or remotely. This very same question about installing without admin rights has been asked since the NT4 days over 12 years ago, and the answer remains the same; you need admin rights, period.
August 2nd, 2011 11:51am


