Allow domain user to remotely manage SMB shares on a file server without making them administrator

James Early 1 Reputation point
2021-07-27T19:48:24.827+00:00

Hello,
I have a situation where I would like a user to be able to remotely manage the shared folders of another computer through the Shared Folders MMC snap in, to do things like close open SMB sessions. However, I do not want to make this user an administrator. How can I assign them the rights to do this, if it is possible? Any help is appreciated.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,124 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,852 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,272 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Hannah Xiong 6,231 Reputation points
    2021-07-28T03:30:02.043+00:00

    Hello @James Early ,

    Thank you so much for posting here.

    Based on my research, the user should be administrator to manage the shared folder MMC snap in. If the user is not an admin, they need to be in the Data Administrators role to successfully connect.

    Reference: https://care.qumulo.com/hc/en-us/articles/360043419473-Manage-File-Shares-with-Shared-Folders-MMC-Snap-in

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

  2. MotoX80 31,571 Reputation points
    2021-07-30T12:36:54.063+00:00

    I had a few instances where non-admin accounts needed to perform some function that required administrator rights. One example was application developers who needed to stop and restart their services so that they could update the executable without getting me involved. My solution was to install IIS and then build a web page that performed that specific function. The site was set to authenticate the user but not impersonate them. The IIS worker process for the site was set to run as the SYSTEM account. The code in the ASPX page checked to see if the user was a member of the local group that was designated as the support team and then presented a "not authorized" message or the buttons to allow stop/start. Since the worker process ran as system, the page could do anything on the server.

    I know it's not the answer that you were hoping for, but once you get the first page working, you'll find that you can use it as a base for other tasks.

    0 comments