    Hi – I have no idea if anyone remembers me at all, but I come for assistance if you can give it.

    I have a reasonably unique situation where our customers are ordering a bare Windows server for purposes unknown (which falls under one team’s responsibility and allows for customer admin access) and are then adding IIS as a feature or role (which changes support ownership and admin access rights). However, they are not telling anyone, and then when a service stops, they are holding us responsible for the support and maintenance.

    The Managers have decided that the best way around this is to prevent the installation of IIS by anyone but a select group of people in OUR organisation, even if the customer has Admin Access to the box. I have distilled this down into: Prevent non-members of an AD group from adding roles and features to the server.

    I have one method, which may be effective but may not, and that would be to prevent access to the “Programs and Features” control panel applet. However, I don’t know if doing this removes the “Roles and Features” portion of the Manage Server window. What I would prefer is to disable the function, rather than the GUI element which supports it.

    So – to my question:

    Is it possible, via Group Policy, to restrict the use of the “Add Role or Feature” function to a particular subset of users, as listed in an AD group?


