Choosing appropriate group memberships for RIS administrators

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If there are people in your organization whose responsibilities include configuring Remote Installation Services (RIS) servers and creating installation images, make those people members of an administrative group such as Domain Admins or Enterprise Admins. This will allow them to carry out all RIS configuration tasks. For the single task of completing installation of a RIS server in a way that authorizes the RIS server in Active Directory, membership in Enterprise Admins is required. For more information about authorization, see Remote Installation Services server authorization.

Administrators in your organization should also be provided with user accounts that are not in any administrative group. With such accounts, administrators can follow the security best practice of logging on as a user and then using Run as to perform administrative tasks. For more information, see Using Run as and Create a shortcut using the runas command.

Whenever possible, choose group memberships and assign permissions in a way that provides only necessary access to domain accounts and resources. For example, perhaps there are people in your organization whose responsibilities include managing accounts and permissions, but do not include configuring RIS servers or creating client installation images. Instead of giving these people membership in a group such as Domain Admins or Enterprise Admins, give them membership in a group such as Account Operators and grant them permissions for folders on the RIS server. For more information, see Default local groups and Default groups.

The following table illustrates the group membership and permissions required for people who manage only the tasks of RIS related to permissions, computer accounts, and user accounts:

Tasks: Managing client installation images, including:

  • Associating an unattended setup answer file with an installation image.

  • Allowing or preventing the installing of a RIS image by a user or group.

  • Allowing or preventing the viewing and installing of a RIS image by a user or group.

For more information about these tasks, see:

Permission or group membership required for the administrator who performs those tasks: Full Control on the Images folder, or on one or more subfolders within the Images folder.

For more information about setting this permission, see:

Tasks: Managing accounts in domains where prestaging is used, including:

  • Prestaging client computers.

  • Setting permissions required by RIS users who use prestaged client computers.

  • Removing an account for a computer that is no longer being prestaged.

For more information about these tasks, see:

Permission or group membership required for the administrator who performs those tasks: Membership in Account Operators.

For more information, see:

Note

  • This topic does not apply to Windows Server 2003, Web Edition.
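
The delegation described in the table above can be applied from a command prompt as in the following sketch, which is an added example and not part of the original topic. The domain EXAMPLE, the group and account names, and the image path are placeholders assumed for illustration; substitute the values used in your environment.

```bat
@echo off
rem Added example: least-privilege delegation for RIS image and prestaging tasks.
rem Every name and path below is a placeholder (assumption), not a value from the topic.
setlocal
set IMAGE_DIR=D:\RemoteInstall\Setup\English\Images\ExampleImage
set IMAGE_GROUP=EXAMPLE\RIS Image Managers
set PRESTAGE_USER=prestage-operator

rem Log on with a non-administrative account and start this prompt with Run as:
rem   runas /user:EXAMPLE\ris-admin cmd

rem 1. Image management: grant Full Control (F) on one image subfolder only.
rem    /E edits the existing ACL instead of replacing it; /T includes subfolders.
cacls "%IMAGE_DIR%" /T /E /G "%IMAGE_GROUP%":F

rem 2. Prestaging and computer account tasks: Account Operators, not Domain Admins.
rem    /domain applies the change on the domain controller of the current domain.
net localgroup "Account Operators" %PRESTAGE_USER% /add /domain

rem 3. Review the result: the ACL on the image folder, the delegated group,
rem    and the administrative group that these accounts should not appear in.
cacls "%IMAGE_DIR%"
net localgroup "Account Operators" /domain
net group "Domain Admins" /domain

endlocal
```

Granting Full Control on a single image subfolder rather than the whole Images folder keeps each delegate limited to the images they are responsible for.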