Limiting user rights

Applies To: Windows Server 2008, Windows Server 2008 R2

One way to protect your Windows Media server is to limit the rights of users who have access to the server. For each server user, you should determine the rights required by each and then set the appropriate limits. For example, rather than grant everyone administrator rights and permissions, you can reserve those rights for a few users who need full access to the server, such as information technicians and system managers.

By default, Windows Media Services can only be accessed by users in the Administrators group. To limit user rights effectively while still enabling users to administer Windows Media Services, you can remove users from the Administrators group and then add them to Windows Media Services only. To add users directly to Windows Media Services, you must use Component Services to configure access permissions for the Windows Media Services Component Object Model (COM) object.

You can move the majority of your Windows Media server users to a group, such as the USERS user group, that grants them adequate permissions for performing non-administrative tasks on the server. If you grant users access to the Windows Media Services COM object directly, they can perform most functions in the Windows Media Services snap-in and Windows Media Services Administrator for the Web, such as adding publishing points and monitoring client activity. Limiting the number of users with full rights greatly reduces the potential for security lapses.

To provide a user administrative rights to Windows Media Services

  1. On your server, start the DCOM config utility.

  2. Locate Windows Media Services in the list, and open its properties.

  3. On the Security tab, edit the access permissions.

    The Access Permissions list shows the users and user groups that can administer Windows Media Services.

  4. Add the users or groups that you want to be able to administer Windows Media Services, and then close the dialog boxes.

The new settings will take effect when you restart Windows Media Services.

Note

By default, members of the Administrator group on the server have administrative rights and permissions to Windows Media Services. This procedure is provided to inform you how to grant administrative rights and permissions to Windows Media Services to users who are not system administrators. This can be useful in cases where Windows Media Services is being administered remotely through another program, such as Microsoft Expression Encoder.
To make user administration easier, you can create a new user group by using Computer Management and add the group to the Windows Media Services access permissions list. Then you can use Computer Management to add or remove users from the group, rather than doing so with DCOM config. By creating a new group, you can add or remove users without having to restart Windows Media Services. Groups also enable you to manage user privileges for the whole server at the same time.