Service Desk Server Permissions

✨ Quic broadband | Apple TV | Samsung | AliExpress | Wise | Sharesies

Welcome Guest.

You haven't logged in yet. If you don't have an account you can register now.

Forums › IT Pro and developers › Service Desk Server Permissions

Oriphix

523 posts

Ultimate Geek
+1 received by user: 32

#142906 28-Mar-2014 09:31

Hi All,

I am currently looking at improving and securing our IT service desk access to servers.

I tried to find what other companies currently give access to there service desk however I couldn't find anything.

General requests are resetting passwords, folder permissions, restarting print spoolers, creating new AD users / exchange mailboxes

Currently the accounts have domain admin so they can do everything.

I would like to remove the following:

- Shutting down / restarting servers
- Installation of programmes

Does anyone know what else I could remove or what other companies have in place currently as a standard?

Thanks.

Steve113

100 posts

Master Geek
+1 received by user: 3

#1015100 29-Mar-2014 16:04

Send private message

Hi Mate,
There are multiple ways to do this. With security permissions\enhancements generally you're best practice is to start with a tight set of permissions and work your way up from there as needed. Personally i would start by removing DA access and look at setting up Active directory groups that are a member of the local server groups you want SD to gain access to.
For example if you setup an AD group called 'SD-Power Users' and make that group a member of the local 'Power Users' group on your servers via policy. Then you can add the service desk accounts as members of this group.
http://technet.microsoft.com/en-us/library/cc785098(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc773320(v=ws.10).aspx

If you then decide that Power Users has shutdown rights or other rights that you want to restrict then you can load up
Start-->Run-->secpol.msc
Navigate to:
Security Settings\Local Policies\User Rights Assignment
Shut down the system (remove the group from there)
http://technet.microsoft.com/en-us/library/dn221963.aspx

Another way is to setup a matrix like chart of the access level you want to grant vs whats being offered by the default local groups in Windows and fine tune it via 'User Rights Assignment'.
With Active Directory you can look at setting delegate access to Certain AD containers that the service desk can add\remove\move from rather than the entire forest.
With File Server permissions again you can set up multiple AD groups that have restricted NTFS access to the File Server (i.e. only allow access to the root path of profiles)

It all depends on how granular you want to get and to find the 'right' balance between local group rights and User Rights Assignment rights.

News and reviews »

New ECOVACS DEEBOT T80S OMNI Available Now
Posted 9-Apr-2026 11:11

Ring Brings 4K Video to Battery-Powered Doorbells
Posted 9-Apr-2026 11:01

Synology Announces a New Privacy-First Home Monitoring Experience for BeeStation Plus
Posted 9-Apr-2026 10:02

GIGABYTE X870E AERO X3D DARK WOOD Redefines the Motherboard
Posted 7-Apr-2026 14:06

Datacom Acquires Auckland Data Centre from T4
Posted 2-Apr-2026 09:43

Spark Launches Satellite Service with SMS and data options
Posted 2-Apr-2026 09:16

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Support Geekzone »

You can support Geekzone with a one-off or recurring donation via PressPatron.

RSS feeds: Main feed; Forums feed
Copyright: ©2002-2026 Geekzone®

Site features: Geekzone BI dashboard; Geekzone Badges; Geekzone Status Page

Site Information: Subscribe to Geekzone; Privacy Statement; Forum Usage Guidelines (FUG); Advertising; Trademark and copyright