
Windows server access management in Active Directory

With so many ways to manage server access in Active Directory domains, you'll want to learn about some of these Windows security strategies.

I need to move our accounting server down to our server room and put it on the domain. It is currently on a "mini network" in the accounting office. Once I have it on the domain, I need to make it so that only the accounting group, domain admin and backup operator have access to this server. How can I accomplish this? We are on a Windows Server 2003 domain with Active Directory.

There are different levels of Active Directory server access that you can set: access to those coming in through network shares, access to those logging on at the console or access to those logging on through a remote desktop session.

You can set access for those coming in through the Windows network by sharing the particular folders of interest. When logged on to the server, right-click any folder and select Sharing. Give the share a convenient name, such as "Financial," and set the permissions. You'll most likely want to provide Full Control to Domain Admins and the accounting groups. The Backup Operators group probably won't need control at the share level.

You can also control who has the ability to log on to the console. When you join the server to the domain, the Administrators, Domain Administrators and Backup Operators groups are automatically assigned the permission to log on locally. If you also want members of the Accounting group to have this right, go into the Local Security Policy console from Administrative Tools in the Start menu. Then drill down into the Local Policies > User Rights Assignment node and find the entry for Allow Log On Locally. You can add the domain Accounting group from there.

And finally, if you want the Accounting group to be able to log on through a Remote Desktop session, go into the Computer Management console and drill down into System > Local Users and Groups > Groups. Then, add Accounting to the Remote Desktop Users group.
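
To confirm the result of the console and Remote Desktop steps above, the following added example (not part of the original answer) exports the server's user rights assignments with `secedit`, resolves every holder of the two logon rights and lists the Remote Desktop Users group. It assumes PowerShell 2.0 or later in an administrator session on the server, and `CORP\Accounting` is a placeholder for your domain's Accounting group.

```powershell
# Added example: audit who holds the console and Remote Desktop logon rights.
# Assumption: CORP\Accounting is a placeholder; adjust the allowlist to your policy.
$allowed = @(
    'BUILTIN\Administrators',
    'BUILTIN\Backup Operators',
    'BUILTIN\Remote Desktop Users',
    'CORP\Accounting'
)

# Export only the User Rights Assignment section of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes most accounts as *SID and the rest as plain names.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*S-1-')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # SID no longer resolves: report it unchanged
    }
}

# SeInteractiveLogonRight       = Allow log on locally
# SeRemoteInteractiveLogonRight = Allow log on through Terminal Services
$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'
foreach ($line in Get-Content $cfg) {
    $name, $value = $line -split '=', 2
    if ($rights -notcontains $name.Trim()) { continue }
    foreach ($entry in $value -split ',') {
        $who = Resolve-Principal $entry
        $status = if ($allowed -contains $who) { 'ok' } else { 'REVIEW' }
        '{0,-32} {1,-40} {2}' -f $name.Trim(), $who, $status
    }
}
Remove-Item $cfg

# Membership of the group that receives the Remote Desktop logon right.
net localgroup 'Remote Desktop Users'
```

Any principal marked `REVIEW` holds a logon right on the server but is not on the allowlist, so check its membership before treating access as restricted to the intended groups.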
