Difference between revisions of "BCX Network Management Tools Non Domain Admin Access"

From BCX Media Wiki
 
(46 intermediate revisions by the same user not shown)
Line 1: Line 1:
  
  
 +
Although BCX Network Management tools were developed to be used by a Domain Admin, there may be instances where you would like non-Domain Admins to be able to use them.
  
There are some instances where you would like users without Domain Admins permissions to be able to use BCX Management tools.
+
This is possible to varying degrees.
  
This is possible to varying degrees of useability
+
A non-Domain Admin user may open BCX and use limited functions of the software by adding rights on the BCXDB database in SQL.
 
 
A non-Domain admin user may open BCX and use limited functions by adding rights on the BCXDB in SQL
 
  
 
Use of other functions may be enabled by delegating rights over specific OUs in Active Directory and through the use of GPOs.  
 
Use of other functions may be enabled by delegating rights over specific OUs in Active Directory and through the use of GPOs.  
Line 15: Line 14:
 
=='''User Group'''==
 
=='''User Group'''==
  
For ease of granting rights, we recommend creating an AD Group for Non-Admin Users (BCXManagerUsers), which you will populate with the required user accounts.
+
For ease of granting rights, we recommend creating an AD Group for Non-Domain Admin Users (BCXManagerUsers), to which you will add the required user accounts.
  
  
 
[[File:bcx tools non domain admin create group.png|link=]]
 
[[File:bcx tools non domain admin create group.png|link=]]
 +
  
 
=='''SQL'''==
 
=='''SQL'''==
  
  
Once created and members assigned the group can be added to your BCX SQL instance.
+
Once created and members assigned, the group can be added to your BCX SQL instance.
  
Add new logon for BCXManagerUsers group with bcxdb database and db_datareader/db_datawriter database role memberships
+
Add new logon for BCXManagerUsers group for bcxdb database and db_datareader/db_datawriter database role memberships.
  
  
 
[[File:bcx tools non domain admin sql permissions.png|link=]]
 
[[File:bcx tools non domain admin sql permissions.png|link=]]
 +
  
 
=='''BCXManagerV4 Directory'''==
 
=='''BCXManagerV4 Directory'''==
  
  
You will then need to add Security Read rights for the group on the BCXManagerV4 Directory
+
You will then need to add Security permissions (Read) for the group on the BCXManagerV4 Directory
 +
 
 +
 
 +
[[File:bcx tools non domain admin manager v4 permissions.png|link=]]
 +
 
  
 +
Remember to then push the shortcut to BCX Management Tools to your new group.
  
Awaiting screenshot
 
  
  
=='''Data Server Access'''==
+
'''That covers the basic operations.'''
 +
 +
'''If you require permissions for Creating Users / Adding Stations / Remote Funcionality, read on.'''
  
  
If you require the group members to view Home Directories from within BCX, you will need to give Security – Read rights on the relevant directories on the User Data server
 
  
 +
=='''Data Server Access'''==
  
Awaiting screenshot
 
  
 +
If you require the group members to view Home Directories from within BCX, you will need to give Security permissions (Read) on the relevant directories on your User Data Server
  
That covers the basic operations.
 
If you require access for Creating users / Adding Stations / Remote Funcionality, read on.
 
  
 +
[[File:bcx tools non domain admin data server permissions.png|link=]]
  
  
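Review bot: In the SQL step, the added line grants both db_datareader and db_datawriter on bcxdb, while the introduction describes this tier as "limited functions"; state which BCX functions need write access so that a read-only deployment can leave out db_datawriter. The added bold line also carries over the typo "Funcionality", and the two added permission sentences (BCXManagerV4 Directory, User Data Server) end without a full stop.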
Line 58: Line 64:
 
In order to Create/Manage Users you will need to delegate the required rights on specific OUs in AD:
 
In order to Create/Manage Users you will need to delegate the required rights on specific OUs in AD:
  
AD Delegate Rights
+
AD Delegate Rights - Specific User OUs.
Users OUs
+
 
 +
 
 +
[[File:bcx tools non domain admin delegate permissions wizard.png|link=]]
 +
 
 +
 
 +
 
 
Delegate common tasks:
 
Delegate common tasks:
Create, delete. and manage user accounts
 
Reset user passwords and force password change at next logon
 
Read all user information
 
Create, delete and manage groups
 
Modify the membership of a group
 
  
 +
Create, delete and manage user accounts.
 +
 +
Reset user passwords.
 +
 +
Force password change at next logon.
 +
 +
Read all user information.
 +
 +
Create, delete and manage groups.
 +
 +
Modify the membership of a group.
  
Awaiting screenshot
 
  
 +
[[File:bcx tools non domain admin delegate permissions create manage users.png|link=]]
  
  
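Review bot: The Delegate common tasks list now shows "Reset user passwords." and "Force password change at next logon." as two separate items, where the previous revision had the single entry "Reset user passwords and force password change at next logon". If the wizard presents this as one task, as the earlier wording suggests, keep it as one line so that readers do not look for two checkboxes.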
Line 75: Line 92:
  
 
Similarly to Add/Manage Stations:
 
Similarly to Add/Manage Stations:
AD Delegate Rights
+
 
Stations OUs
+
AD Delegate Rights - Specific Station OUs.
Create a custom task to delegate
+
 
 +
Create a custom task to delegate.
 +
 
 +
 
 +
[[File:bcx tools non domain admin delegate permissions create custom task stations.png|link=]]
 +
 
 +
 
 +
Choose Only the following objects in the folder, and check the box Computer Objects.
 +
 
 +
Check the boxes: 
 +
 
 +
Create selected objects in this folder.
 +
 
 +
Delete selected objects in this folder.
  
  
Awaiting screenshot
+
[[File:bcx tools non domain admin delegate permissions create custom task stations object.png|link=]]
  
  
Choose Only the following objects in the folder and check the box Computer Objects. Check the boxes  Create selected objects in this folder, Delete selected objects in this folder.
+
Permissions – Select checkboxes to show all permissions, and select:
  
 +
Read.
  
Awaiting screenshot
+
Write.
  
 +
Create All Child Objects.
  
Permissions – Select General, Creation/deletion of specific child objects. Select Create All Child Objects, Delete All Child Objects. – Also Read/Write
+
Delete All Child Objects.
  
 +
Read All Properties.
  
Awaiting screenshot
+
Write All Properties.
  
  
 +
[[File:bcx tools non domain admin delegate permissions create custom task stations permissions.png|link=]]
  
  
 
=='''Remote Functions'''==
 
=='''Remote Functions'''==
 +
  
 
There are several Remote functions launchable from BCX:
 
There are several Remote functions launchable from BCX:
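Review bot: The rewritten Permissions step says "Select checkboxes to show all permissions" but no longer names those checkboxes; the previous revision named "General" and "Creation/deletion of specific child objects". Restore the names so that the six permissions listed can be found without relying on the screenshot.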
Line 105: Line 140:
  
  
RDP rights GPO
+
Create a RDP rights GPO:
 +
 
 +
Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop services - Remote Desktop session Host - Connections - Allow users to connect remotely by using Remote desktop Services.
  
  
Awaiting screenshot
+
[[File:bcx tools non domain admin gpo rdp.png|link=]]
  
  
Awaiting screenshot
+
And add your group to Remote Desktop Users:
  
 +
Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups.
  
And add group to Remote Desktop Users
 
  
 +
[[File:bcx tools non domain admin gpo remote desktop users.png|link=]]
  
Awaiting screenshot
 
  
 
=='''Remote browse C$'''==  
 
=='''Remote browse C$'''==  
  
  
Add administrators to above
+
If you wish to allow your group members to access Station C$:
 +
 
 +
Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups.
 +
 
 +
Add Administrators as with the RDP policy above.
  
 +
'''Please be aware this will make the group members "Local Admins" of the stations.'''
  
Awaiting screenshot
 
  
 +
[[File:bcx tools non domain admin gpo administrators.png|link=]]
  
  
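Review bot: In the Remote browse C$ step, "Add Administrators as with the RDP policy above" does not say in words that BCXManagerUsers is being made a member of Administrators; state that explicitly, and place the bold "Local Admins" warning before the instruction so it is read before the policy is applied. Minor points in the same hunk: "a RDP" should be "an RDP", and the policy path mixes "Remote Desktop services", "session Host" and "Remote desktop Services".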
Line 132: Line 174:
  
  
Awaiting screenshot
+
To enable your group members to Offer Remote Assistance configure the following GPO:
 +
 
 +
Computer Configuration - Policies - Administrative Templates - System - Remote Assistance - Configure Offer Remote Assistance 
 +
 
  
 +
[[File:bcx tools non domain admin gpo remote assistance.png|link=]]
  
  
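Review bot: The added Remote Assistance line gives the policy path only; add the values to set inside Configure Offer Remote Assistance (that it is enabled, and where BCXManagerUsers is entered), since the text does not state them. The sentence also needs a comma after "Offer Remote Assistance".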

Latest revision as of 12:24, 18 December 2024


Although BCX Network Management tools were developed to be used by a Domain Admin, there may be instances where you would like non-Domain Admins to be able to use them.

This is possible to varying degrees.

A non-Domain Admin user may open BCX and use limited functions of the software by adding rights on the BCXDB database in SQL.

Use of other functions may be enabled by delegating rights over specific OUs in Active Directory and through the use of GPOs.

The recommended process follows:


User Group

For ease of granting rights, we recommend creating an AD Group for Non-Domain Admin Users (BCXManagerUsers), to which you will add the required user accounts.


bcx tools non domain admin create group.png


SQL

Once created and members assigned, the group can be added to your BCX SQL instance.

Add a new login for the BCXManagerUsers group, with user mapping to the bcxdb database and the db_datareader and db_datawriter database role memberships.


bcx tools non domain admin sql permissions.png


BCXManagerV4 Directory

You will then need to add Security permissions (Read) for the group on the BCXManagerV4 Directory.


bcx tools non domain admin manager v4 permissions.png


Remember to then push the shortcut to BCX Management Tools to your new group.
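
The three steps above (User Group, SQL, BCXManagerV4 Directory) as one PowerShell script. This is an added example, not part of BCX's own documentation or tooling; the OU, SQL instance name, directory path and member list are placeholder assumptions, and it assumes the ActiveDirectory and SqlServer modules are installed.

```powershell
#Requires -Modules ActiveDirectory, SqlServer
param(
    [string]$GroupOu     = 'OU=Groups,DC=example,DC=local',  # placeholder OU for the group
    [string]$SqlInstance = 'SQLSERVER\INSTANCE',              # placeholder BCX SQL instance
    [string]$BcxDir      = 'D:\BCXManagerV4',                 # placeholder directory path
    [string[]]$Members   = @()                                # sAMAccountNames to add
)
$ErrorActionPreference = 'Stop'
$GroupName = 'BCXManagerUsers'
$Account   = "$((Get-ADDomain).NetBIOSName)\$GroupName"

# 1. User Group: create the security group if absent, then add only missing members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOu
}
$current = Get-ADGroupMember -Identity $GroupName | ForEach-Object SamAccountName
$toAdd   = $Members | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# 2. SQL: Windows login for the group, a user in bcxdb, and the two roles the page names.
$sql = @"
IF SUSER_ID(N'$Account') IS NULL
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [bcxdb];
IF DATABASE_PRINCIPAL_ID(N'$Account') IS NULL
    CREATE USER [$Account] FOR LOGIN [$Account];
ALTER ROLE db_datareader ADD MEMBER [$Account];
ALTER ROLE db_datawriter ADD MEMBER [$Account];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql

# 3. BCXManagerV4 Directory: Read only, inherited by subfolders (CI) and files (OI).
icacls $BcxDir /grant "${Account}:(OI)(CI)R"
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $BcxDir" }

# Print the resulting state so it can be compared with the screenshots.
Get-ADGroupMember -Identity $GroupName | Select-Object SamAccountName
(Get-Acl $BcxDir).Access | Where-Object { $_.IdentityReference.Value -eq $Account }
```

The group receives no server-level role and no database role beyond the two listed, so the last two commands should show only the members you added and a single Read entry.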


That covers the basic operations.

If you require permissions for Creating Users / Adding Stations / Remote Functionality, read on.


Data Server Access

If you require the group members to view Home Directories from within BCX, you will need to give Security permissions (Read) on the relevant directories on your User Data Server.


bcx tools non domain admin data server permissions.png


Create/Manage Users

In order to Create/Manage Users you will need to delegate the required rights on specific OUs in AD:

AD Delegate Rights - Specific User OUs.


bcx tools non domain admin delegate permissions wizard.png


Delegate common tasks:

Create, delete and manage user accounts.

Reset user passwords.

Force password change at next logon.

Read all user information.

Create, delete and manage groups.

Modify the membership of a group.


bcx tools non domain admin delegate permissions create manage users.png


Add/Manage Stations

Similarly to Add/Manage Stations:

AD Delegate Rights - Specific Station OUs.

Create a custom task to delegate.


bcx tools non domain admin delegate permissions create custom task stations.png


Choose Only the following objects in the folder, and check the box Computer Objects.

Check the boxes:

Create selected objects in this folder.

Delete selected objects in this folder.


bcx tools non domain admin delegate permissions create custom task stations object.png


Permissions – Select checkboxes to show all permissions, and select:

Read.

Write.

Create All Child Objects.

Delete All Child Objects.

Read All Properties.

Write All Properties.


bcx tools non domain admin delegate permissions create custom task stations permissions.png
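
A check for the delegation set up above, added here as an example and not taken from BCX: it lists the ACEs set directly on an OU for the group and shows which object class each one is limited to, so that a delegation wider than Computer Objects stands out. It also recognises the user and group classes from the Create/Manage Users section; the sample ACEs, the EXAMPLE domain and the OU path in the last comment are constructed placeholders.

```powershell
Add-Type -AssemblyName System.DirectoryServices
# schemaIDGUIDs of the object classes this page delegates rights over.
$ClassGuid = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
}
$NoGuid = [guid]::Empty

function Get-AceScope {
    param($Ace)
    # Rights made up only of CreateChild (1) / DeleteChild (2) are limited by ObjectType;
    # other rights are limited by InheritedObjectType. No GUID means every object type.
    $childOnly = ([int]$Ace.ActiveDirectoryRights -band (-bnot 3)) -eq 0
    if ($childOnly -and $Ace.ObjectType -ne $NoGuid) { $g = $Ace.ObjectType }
    elseif ($Ace.InheritedObjectType -ne $NoGuid)    { $g = $Ace.InheritedObjectType }
    else { return 'ALL OBJECT TYPES' }
    if ($ClassGuid.ContainsKey("$g")) { $ClassGuid["$g"] } else { "other ($g)" }
}

function Get-DelegationReport {
    param([object[]]$Aces, [string]$Group, [string[]]$ExpectedClasses)
    # Only ACEs set on this OU itself (not inherited) and granted to the group.
    $Aces | Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$Group" } |
        ForEach-Object {
            $scope = Get-AceScope $_
            [pscustomobject]@{ Rights = $_.ActiveDirectoryRights; Scope = $scope
                               Expected = $scope -in $ExpectedClasses }
        }
}

function New-SampleAce($Rights, $ObjectType, $InheritedType) {   # constructed test data
    [pscustomobject]@{
        IdentityReference     = 'EXAMPLE\BCXManagerUsers'
        ActiveDirectoryRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
        ObjectType = [guid]$ObjectType; InheritedObjectType = [guid]$InheritedType
        IsInherited = $false
    }
}
$computer = 'bf967a86-0de6-11d0-a285-00aa003049e2'
$sample = @(
    New-SampleAce 'CreateChild, DeleteChild'  $computer $NoGuid    # create/delete computers
    New-SampleAce 'GenericRead, GenericWrite' $NoGuid   $computer  # read/write on computers
    New-SampleAce 'GenericAll'                $NoGuid   $NoGuid    # not limited to any class
)
Get-DelegationReport -Aces $sample -Group 'BCXManagerUsers' -ExpectedClasses 'computer' | Format-Table
# Live use (ActiveDirectory module): pass (Get-Acl 'AD:\OU=Stations,DC=example,DC=local').Access as -Aces.
```

Any row with Expected set to False is a right that reaches beyond the object classes you meant to delegate on that OU.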


Remote Functions

There are several Remote functions launchable from BCX:


Remote Desktop connection

Create an RDP rights GPO:

Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections - Allow users to connect remotely by using Remote Desktop Services.


bcx tools non domain admin gpo rdp.png


And add your group to Remote Desktop Users:

Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups.


bcx tools non domain admin gpo remote desktop users.png


Remote browse C$

If you wish to allow your group members to access Station C$:

Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups.

Add your group to Administrators, in the same way as for the RDP policy above.

Please be aware this will make the group members "Local Admins" of the stations.


bcx tools non domain admin gpo administrators.png


Remote Assistance

To enable your group members to Offer Remote Assistance, configure the following GPO:

Computer Configuration - Policies - Administrative Templates - System - Remote Assistance - Configure Offer Remote Assistance.


bcx tools non domain admin gpo remote assistance.png


