Question : Limited Access Active Directory Account - Able to Manage Remotely, Not Much Else

We have a situation where we need to give a person limited administrative rights, but not full domain admin access.

We need this person to be able to remote manage servers in MMC, using the right click -> run as option on Computer Management.

They also need to be able to use the full functionality of Computer Management by connecting to the remote server (right click connect to), such as seeing Event Logs, Shared Folders, Performance Logs and Alerts, Disk Management, Services and Applications etc.

BUT, here is the kicker. The person must be given access to certain servers. So they would not be able to have these rights on all servers. Ideally it would be good to have it so the person could remote manage as much as he wanted, but couldn't actually log onto the server's desktop.

Is there a way to do this through delegation / group policy / MMC?

If there is, I would appreciate a kick in the right direction :)

The main reason is that the person needs to be able to read logs and restart services without logging onto the server's console.

Attached is a picture of how I want them to access the server if possible. I know there is a way to do this, but if I remember it may have been a lot of trouble.

Cheers

Answer : Limited Access Active Directory Account - Able to Manage Remotely, Not Much Else

I am not exactly sure how to do this, so it might be a bit of hit or miss on your part until you get the right configuration.

Make the user a member of the administrators group on the local server, then set the following through group policy on the machine:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment:

Place the user account in the following policies:
Deny Logon Locally
Deny Logon Through Terminal Services

I am not sure if this will work, but you might give it a go and see how it works.

P.S., don't forget to run a "gpupdate /force" on the server after changing the group policy.
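
One way to check, on each target server, that the settings from the answer above actually took effect (an added example, not part of the original post). It assumes Windows PowerShell 5.1 or later in an elevated session on the server; the account name is a placeholder and the helper function names are hypothetical.

```powershell
# Added example: audit one server for the configuration described in the answer.
param(
    [string]$Account = 'CONTOSO\svc-remoteadmin'   # placeholder, replace with the real account
)

function Resolve-Sid {
    param([string]$Entry)
    if ($Entry -match '^S-1-') { return $Entry }
    try {
        (New-Object System.Security.Principal.NTAccount($Entry)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # name that cannot be resolved on this machine
}

function Get-UserRightEntries {
    param([string]$CfgText, [string]$Right)
    # secedit writes lines such as: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
    $line = $CfgText -split "`r?`n" |
        Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }   # right not assigned to anyone
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

$sid = Resolve-Sid $Account
if (-not $sid) { throw "Cannot resolve account '$Account'" }

# Export the effective user rights assignment (local policy merged with applied GPOs).
$cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$text = Get-Content -Path $cfg -Raw
Remove-Item -Path $cfg -Force

# S-1-5-32-544 is the built-in Administrators group, whatever its localized name.
$isAdmin = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -eq $sid }).Count -gt 0

$report = [ordered]@{ 'Direct member of local Administrators' = $isAdmin }
# "Deny Logon Locally" and "Deny Logon Through Terminal Services", respectively.
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $sids = Get-UserRightEntries -CfgText $text -Right $right |
        ForEach-Object { Resolve-Sid $_ }
    $report[$right] = $sids -contains $sid   # direct assignment only, not via a group
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize
```

All three rows should read True on a server where the account is meant to have remote management only. Membership or deny rights granted through a nested group show up as the group's SID, so check the group as `-Account` in that case.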