Server Limited Administrator Rights

Companies have to manage Administrator rights to their technology resources effectively. Giving everyone in an organization Administrator rights is risky and can potentially result in a huge IT security breach and other technical issues. Operating systems and other software applications have mechanisms in place that allow organizations to determine who can execute full or limited Administrator rights.

The HP CR server platform and its services support limited Administrator rights. You can set up limited Administrator rights for user accounts that need to perform specific server-related services. User accounts with limited Administrator rights cannot install or upgrade the server.

Before you begin

Plan and determine your groups, user accounts, and limited Administrator rights appropriately. You must have Administrator rights to install or upgrade the Server, Device Client, and WebApps before limiting Administrator rights for other user accounts. After completing a server installation or upgrade, limit the Administrator rights by performing the steps listed below.

Requirements

You must create an HPCRLimitedGroup that will hold the user accounts and limited Administrator rights (permissions). After completing the installation, you must move the user accounts (for example, HPCRLimited) to the HPCRLimitedGroup. The HPCRLimitedGroup will also be used for the Folder and Registry permissions. Any additional user accounts related to limited Administrator rights must be moved to the appropriate HPCRLimitedGroup.

Note: The Group and User Account names used in the requirements and instructions are examples. Use your own group and user account names, if necessary.

To set up limited Administrator rights

Setting up limited Administrator rights group and user accounts

  1. Using the Active Directory Users and Computers MMC, create the HPCRLimitedGroup.

  2. Add HPCRLimited to the local Admin group.

  3. Log on as HPCRLimited and install the following applications.

    • Server

    • Device Client

    • WebApps

  4. Using the Windows Administrative Tools > Services MMC, stop Upland Services.

  5. Log on as Administrator.

  6. Remove HPCRLimitedGroup from the local Admin group.

  7. Add HPCRLimited to HPCRLimitedGroup (Active Directory Security Group).

Note: You are adding HPCRLimited to HPCRLimitedGroup as an Active Directory Security Group.

Adding security assignments and permissions using HPCRLimitedGroup

  1. Add HPCRLimitedGroup to the following local security assignments.

    • Logon as a service

    • Batch job

    • Allow logon locally

    • Act as part of the OS

Note: Ensure the Logon as a service and Batch job security assignments have not been added to the designated user account during the server installation.

  2. Add explicit permissions to the C:\Program Files (x86)\HP Capture and Route folder.

  3. Using File Explorer, give HPCRLimitedGroup full control to the following Registry keys.

    • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Omtool

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName

  4. Add the following groups or users to all four levels of DCOM.

    • HPCRLimitedGroup

    • SYSTEM

    • INTERACTIVE

Restarting the system

  • Restart the system where the server is located after all steps are completed.
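The following PowerShell audit is an added example, not part of the product documentation or vendor tooling. It checks the outcome of the steps above: local Administrators membership, Full Control on the listed folder and Registry keys, and the four user rights; DCOM is not covered. The domain name EXAMPLE is a placeholder, and the group, account, and path values are the example names used on this page.

```powershell
# Added audit sketch, not vendor code. Run elevated on the server after the restart.
# Assumptions: EXAMPLE is a placeholder domain; names and paths are the page's examples.
param(
    [string]$Group   = 'EXAMPLE\HPCRLimitedGroup',
    [string]$Account = 'EXAMPLE\HPCRLimited'
)

# Resolve the group to a SID so ACL and user-rights entries match by name or SID.
$groupSid = ([System.Security.Principal.NTAccount]$Group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership of local Administrators (well-known SID S-1-5-32-544).
$stillAdmin = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.Name -in $Account, $Group }
$msg = if ($stillAdmin) { "STILL local admin: $($stillAdmin.Name -join ', ')" }
       else { 'OK: account and group are not direct members of local Administrators' }
Write-Output $msg

# 2. Folder and Registry keys from the procedure: does the group hold Full Control?
$targets = @(
    'C:\Program Files (x86)\HP Capture and Route',
    'HKLM:\Software\Wow6432Node\Omtool',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
)
foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing: $path"; continue }
    $full = (Get-Acl -LiteralPath $path).Access | Where-Object {
        ($_.IdentityReference.Value -in $Group, $groupSid) -and
        ($_.AccessControlType -eq 'Allow') -and
        ("$($_.FileSystemRights)$($_.RegistryRights)" -match 'FullControl')
    }
    Write-Output ("{0}: {1}" -f $path, $(if ($full) { 'FullControl' } else { 'no FullControl ACE' }))
}

# 3. User rights from the procedure, read from an exported local security policy:
#    log on as a service, batch job, allow log on locally, act as part of the OS.
$cfg = Join-Path $env:TEMP 'hpcr-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$pattern = '(' + [regex]::Escape($groupSid) + '|' + [regex]::Escape($Group) + ')\b'
$rights = 'SeServiceLogonRight', 'SeBatchLogonRight', 'SeInteractiveLogonRight', 'SeTcbPrivilege'
foreach ($right in $rights) {
    $line = Select-String -LiteralPath $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    $held = $line -and ($line.Line -match $pattern)
    Write-Output ("{0,-24} {1}" -f $right, $(if ($held) { 'assigned' } else { 'NOT assigned' }))
}
Remove-Item -LiteralPath $cfg
```

Act as part of the OS and Full Control on the Services key are close to administrative in effect, so review HPCRLimitedGroup membership together with this output.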

Configuring the SMTP connector > Inetpub\mailroot folder

  1. Using the Server Administrator tree, select Connectors.

  2. Right-click the SMTP Connector in the Connectors details pane.

  3. Select the Properties > General > Advanced button.

  4. In the Mail Root folders section, select the Override servers default Inetpub\mailroot folder check box.

  5. Click Add. The Mail Root Folder Properties dialog box appears.

  6. Select the Ellipsis (...) button, browse, and select the default SMTP Mail Root folder.

  7. Click OK on the Mail Root Folder Properties dialog box.

  8. Click OK on the Advanced SMTP Configuration dialog box.

  9. Click OK on the Properties for SMTP on the Server dialog box.

  10. Using File Explorer, find the Inetpub\mailroot folder, and give the HPCRLimitedGroup full control to the mailroot folder.

See also

About Server Services