Difference between revisions of "BCX Network Management Tools Non Domain Admin Access"
(12 intermediate revisions by the same user not shown) | |||
Line 18: | Line 18: | ||
[[File:bcx tools non domain admin create group.png|link=]] | [[File:bcx tools non domain admin create group.png|link=]] | ||
+ | |||
=='''SQL'''== | =='''SQL'''== | ||
Line 28: | Line 29: | ||
[[File:bcx tools non domain admin sql permissions.png|link=]] | [[File:bcx tools non domain admin sql permissions.png|link=]] | ||
+ | |||
=='''BCXManagerV4 Directory'''== | =='''BCXManagerV4 Directory'''== | ||
Line 36: | Line 38: | ||
[[File:bcx tools non domain admin manager v4 permissions.png|link=]] | [[File:bcx tools non domain admin manager v4 permissions.png|link=]] | ||
+ | |||
+ | |||
+ | Remember to then push the shortcut to BCX Management Tools to your new group. | ||
+ | |||
+ | |||
+ | |||
+ | '''That covers the basic operations.''' | ||
+ | |||
+ | '''If you require permissions for Creating Users / Adding Stations / Remote Funcionality, read on.''' | ||
+ | |||
+ | |||
=='''Data Server Access'''== | =='''Data Server Access'''== | ||
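Review bot: the added line "If you require permissions for Creating Users / Adding Stations / Remote Funcionality, read on." misspells "Functionality" and should be corrected. The new reminder "Remember to then push the shortcut to BCX Management Tools to your new group." also does not say how the shortcut is pushed; a short pointer to the mechanism would make the step actionable.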
Line 45: | Line 58: | ||
[[File:bcx tools non domain admin data server permissions.png|link=]] | [[File:bcx tools non domain admin data server permissions.png|link=]] | ||
− | |||
− | |||
− | |||
− | |||
− | |||
=='''Create/Manage Users'''== | =='''Create/Manage Users'''== | ||
Line 57: | Line 65: | ||
AD Delegate Rights - Specific User OUs. | AD Delegate Rights - Specific User OUs. | ||
+ | |||
[[File:bcx tools non domain admin delegate permissions wizard.png|link=]] | [[File:bcx tools non domain admin delegate permissions wizard.png|link=]] | ||
Line 78: | Line 87: | ||
[[File:bcx tools non domain admin delegate permissions create manage users.png|link=]] | [[File:bcx tools non domain admin delegate permissions create manage users.png|link=]] | ||
+ | |||
=='''Add/Manage Stations'''== | =='''Add/Manage Stations'''== | ||
Line 119: | Line 129: | ||
[[File:bcx tools non domain admin delegate permissions create custom task stations permissions.png|link=]] | [[File:bcx tools non domain admin delegate permissions create custom task stations permissions.png|link=]] | ||
+ | |||
=='''Remote Functions'''== | =='''Remote Functions'''== | ||
+ | |||
There are several Remote functions launchable from BCX: | There are several Remote functions launchable from BCX: | ||
Line 142: | Line 154: | ||
[[File:bcx tools non domain admin gpo remote desktop users.png|link=]] | [[File:bcx tools non domain admin gpo remote desktop users.png|link=]] | ||
+ | |||
=='''Remote browse C$'''== | =='''Remote browse C$'''== | ||
+ | |||
If you wish to allow your group members to access Station C$: | If you wish to allow your group members to access Station C$: | ||
Line 151: | Line 165: | ||
Add Administrators as with the RDP policy above. | Add Administrators as with the RDP policy above. | ||
− | Please be aware this will make the | + | '''Please be aware this will make the group members "Local Admins" of the stations.''' |
[[File:bcx tools non domain admin gpo administrators.png|link=]] | [[File:bcx tools non domain admin gpo administrators.png|link=]] | ||
+ | |||
=='''Remote Assistance'''== | =='''Remote Assistance'''== | ||
+ | |||
To enable your group members to Offer Remote Assistance configure the following GPO: | To enable your group members to Offer Remote Assistance configure the following GPO: |
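Review bot: in the Remote browse C$ part of this hunk, the bolded warning that group members become "Local Admins" of the stations comes after the instruction "Add Administrators as with the RDP policy above."; move the warning above that step so it is read before the Restricted Groups change is made. It would also help to state that this policy should be linked only to the station OUs the group is meant to manage.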
Latest revision as of 12:24, 18 December 2024
Although BCX Network Management tools were developed to be used by a Domain Admin, there may be instances where you would like non-Domain Admins to be able to use them.
This is possible to varying degrees.
A non-Domain Admin user may open BCX and use limited functions of the software by adding rights on the BCXDB database in SQL.
Use of other functions may be enabled by delegating rights over specific OUs in Active Directory and through the use of GPOs.
The recommended process follows:
User Group
For ease of granting rights, we recommend creating an AD Group for Non-Domain Admin Users (BCXManagerUsers), to which you will add the required user accounts.
SQL
Once created and members assigned, the group can be added to your BCX SQL instance.
Add a new login for the BCXManagerUsers group, mapped to the bcxdb database with the db_datareader and db_datawriter database role memberships.
BCXManagerV4 Directory
You will then need to add Security permissions (Read) for the group on the BCXManagerV4 Directory.
Remember to then push the shortcut to BCX Management Tools to your new group.
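The three basic steps above (group, SQL login, directory permission) can also be scripted. The PowerShell below is an added example, not part of the original page or of BCX's own tooling; the domain, OU, member names, SQL instance and directory path are placeholders, and it assumes the ActiveDirectory and SqlServer modules are installed.

```powershell
# Added example: scripted form of the basic steps (group, SQL login, directory ACL).
# Every value marked "placeholder" is an assumption and must be replaced.
Import-Module ActiveDirectory
Import-Module SqlServer                            # provides Invoke-Sqlcmd

$Domain      = 'CONTOSO'                           # placeholder NetBIOS domain name
$GroupName   = 'BCXManagerUsers'                   # group name recommended on the page
$GroupOU     = 'OU=Groups,DC=contoso,DC=example'   # placeholder OU for the group
$Members     = @('jsmith', 'akhan')                # placeholder user accounts
$SqlInstance = 'SQLSERVER01\BCX'                   # placeholder BCX SQL instance
$BcxDir      = 'D:\BCXManagerV4'                   # placeholder path to the directory
$Principal   = "$Domain\$GroupName"

# 1. Create the AD security group if it is missing, then add the users.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Windows login for the group, mapped into bcxdb with the two roles from the page.
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    CREATE LOGIN [$Principal] FROM WINDOWS;
USE [bcxdb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
ALTER ROLE db_datareader ADD MEMBER [$Principal];
ALTER ROLE db_datawriter ADD MEMBER [$Principal];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql

# 3. Read permission for the group on the BCXManagerV4 directory, inherited by contents.
$acl  = Get-Acl -Path $BcxDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $BcxDir -AclObject $acl

# Show the resulting entry so the grant can be checked against what was intended.
(Get-Acl -Path $BcxDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```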
That covers the basic operations.
If you require permissions for Creating Users / Adding Stations / Remote Functionality, read on.
Data Server Access
If you require the group members to view Home Directories from within BCX, you will need to give Security permissions (Read) on the relevant directories on your User Data Server.
Create/Manage Users
In order to Create/Manage Users you will need to delegate the required rights on specific OUs in AD:
AD Delegate Rights - Specific User OUs.
Delegate common tasks:
Create, delete and manage user accounts.
Reset user passwords.
Force password change at next logon.
Read all user information.
Create, delete and manage groups.
Modify the membership of a group.
Add/Manage Stations
Similarly, to Add/Manage Stations:
AD Delegate Rights - Specific Station OUs.
Create a custom task to delegate.
Choose Only the following objects in the folder, and check the box Computer Objects.
Check the boxes:
Create selected objects in this folder.
Delete selected objects in this folder.
Permissions – Select checkboxes to show all permissions, and select:
Read.
Write.
Create All Child Objects.
Delete All Child Objects.
Read All Properties.
Write All Properties.
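To confirm that the delegation described in the two sections above landed only on the OUs you chose, the group's explicit permissions can be read back from AD. This PowerShell is an added example, not part of the original page; the domain name and OU distinguished names are placeholders, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example: list explicit (non-inherited) rights held by the delegated group
# on the domain root and every OU, and flag any that sit outside the intended OUs.
Import-Module ActiveDirectory      # also creates the AD: drive used by Get-Acl

$Group       = 'CONTOSO\BCXManagerUsers'           # placeholder domain name
$IntendedOUs = @(                                   # placeholder DNs of the delegated OUs
    'OU=Users,OU=School,DC=contoso,DC=example',
    'OU=Stations,OU=School,DC=contoso,DC=example'
)

# Containers to inspect: the domain root plus every OU beneath it.
$targets = @((Get-ADDomain).DistinguishedName) +
           @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)

$report = foreach ($dn in $targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Container  = $dn
                Rights     = $_.ActiveDirectoryRights
                AppliesTo  = $_.InheritanceType
                ObjectType = $_.ObjectType          # class/attribute GUID; all zeros = any
                Intended   = $IntendedOUs -contains $dn
            }
        }
}

$report | Sort-Object Intended, Container | Format-Table -AutoSize -Wrap

# Anything not in $IntendedOUs means the wizard was run on a wider container than planned.
$unexpected = @($report | Where-Object { -not $_.Intended })
if ($unexpected.Count) {
    Write-Warning "$($unexpected.Count) ACE(s) for $Group sit outside the intended OUs."
}
```

Child OUs that only inherit the delegation are not listed, because inherited entries are filtered out; the report shows where the rights were actually granted.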
Remote Functions
There are several Remote functions launchable from BCX:
Remote Desktop connection
Create an RDP rights GPO:
Computer Configuration - Policies - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections - Allow users to connect remotely by using Remote Desktop Services.
And add your group to Remote Desktop Users:
Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups.
Remote browse C$
If you wish to allow your group members to access Station C$:
Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups.
Add Administrators as with the RDP policy above.
Please be aware this will make the group members "Local Admins" of the stations.
Remote Assistance
To enable your group members to Offer Remote Assistance, configure the following GPO:
Computer Configuration - Policies - Administrative Templates - System - Remote Assistance - Configure Offer Remote Assistance.