Share via

Control domain user with RDP privilege to allow access for IIS, Schedule job and drive permision

Billvel 21 Reputation points
2020-09-16T04:08:39.003+00:00

Hi Guys,

We want to control domain user with RDP privilege to allow access via GPO below :

1: want to give IIS start/stop permission for the following AD group (ISSAdmin)

2: want to give Windows schedule job start/stop to the following AD group (AppsAdmin)

3: want to give full permission for D drive to (AppsAdmin)

any suggestions and comments are welcome. Thank you.

Windows for business Windows Client for IT Pros User experience Other
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2020-09-17T02:11:38.607+00:00

    Hi,

    Thank you so much for posting here.

    Below are the answers to our requirements. We could kindly have a check. For any question, please contact us.

    Q1: want to give IIS start/stop permission for the following AD group (ISSAdmin)

    A1: To Grant Users Rights to Manage Services (Start, Stop, Etc.), we could try this group policy: Computer Configuration\Windows Settings\Security Settings\System Services. Double-click or Right-click the service you want users to manage. Then add the group we desire (ISSAdmin). Grant the group both "Read" and "Stop, Start, and Pause" permissions.

    25297-1.png

    Q2: want to give Windows schedule job start/stop to the following AD group (AppsAdmin)

    A2: To Grant Users Rights to Manage Services (Start, Stop, Etc.), we could try this group policy: Computer Configuration\Windows Settings\Security Settings\System Services. Double-click or Right-click the service you want users to manage. Then add the group we desire (AppsAdmin). Grant the group both "Read" and "Stop, Start, and Pause" permissions.

    25411-2.png

    Reference for Q1 and Q2: https://social.technet.microsoft.com/wiki/contents/articles/5752.how-to-grant-users-rights-to-manage-services-start-stop-etc.aspx
    https://www.grouppolicy.biz/2010/08/how-to-use-group-policy-to-control-services/

    Q3: want to give full permission for D drive to (AppsAdmin)

    We could try the below group policy:

    Computer Configuration/Windows Settings/Security Settings/File System
    25306-3.png

    More detailed information, we could refer to: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756952(v=ws.10)?redirectedfrom=MSDN,

    We could check whether these GPO setting could meet our requirements. Thank you so much for your time and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Billvel 21 Reputation points
    2020-09-19T12:53:32.033+00:00

    Hi Hannah Xiong,
    Thanks for your response.

    Please see my further comments below:

    Q1: want to give IIS start/stop permission for the following AD group (ISSAdmin)

    I'm unable to find below GPO settings from my AD
    Fyi: My AD is running on Windows 2012 R2

    A1: To Grant Users Rights to Manage Services (Start, Stop, Etc.), we could try this group policy: Computer Configuration\Windows Settings\Security Settings\System Services. Double-click or Right-click the service you want users to manage. Then add the group we desire (ISSAdmin). Grant the group both "Read" and "Stop, Start, and Pause" permissions.

    Q3: want to give full permission for D drive to (AppsAdmin)- I want to enable it's for Clint Machines, not for AD server

    Thank you in advance.

    0 comments
  3. Anonymous
    2020-09-21T06:15:53.323+00:00

    Hi,

    Thank you so much for your kindly reply.

    1, As mentioned, we could not find below GPO settings from our AD. I checked my Windows server 2012 R2 DC, and then opened the Group Policy Management. Navigate to Computer Configuration\Windows Settings\Security Settings\System Services. Here is the GPO setting:

    26038-11.png

    We are wondering whether we opened the Local Group Policy Editor as shown below. If so, there is no System Services GPO setting. To get it, we could try below:

    • Logon to the Windows server 2012 R2
    • Run Start>Run>MMC
    • Add the 'Security Policy Templates' snap in
    • Create a new template
    • Edit that template's 'System services' node and you'll see the services on that machine.

    25960-13.png

    25990-14.png

    26014-15.png

    2, As for the computer configuration, it is applied to computers, including the client machines and the AD member servers. Our Group Policy object must be linked to an OU with computer objects.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.