How to Grant Administrator Rights to a User or a Group in ISA Server

This article describes two different methods that you can use to grant either a user or a group of users administrative rights in Internet Security and Acceleration (ISA) Server without adding the users to the Enterprise Administrators group. This article applies only to ISA Server Enterprise Edition-based computers that you install in enterprise mode.

The configuration information is stored in Active Directory so that you can share this information with other ISA Server-based computers that are part of the array. Therefore, the ISA Server administrator must have rights to read and write to Active Directory. You must be part of the Enterprise Administrators group to install ISA Server in enterprise mode.

Method 1

After you install the first ISA Server-based computer as a member of the Enterprise Administrators group, follow these steps:

1. Start ISA Server Microsoft Management Console (MMC), right-click Enterprise, and then click Properties.
2. Click the Security tab, add either the user or the group that you want to administer ISA Server, and then assign the correct permissions.
3. Click Advanced, click the Permissions tab, click either the user or the group that you added in step 2, and then click View/Edit.
4. Click the Object tab, click This object and all child objects in the Apply onto box, and then click OK.

Method 2

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

1. Install Windows 2000 Support Tools.
2. Start ADSIEdit, click to expand Configuration Container, click to expand CN=Configuration, DC="DCName", DC="DCName", click to expand CN=Services, click to expand CN=FPC, and then click to expand CN=GlobalSettings.
3. Add the users to the Security list for any of the following values that are appropriate to your situation:
   • CN=ArrayPolicyConfigs: If you add users to the Security list for this value, users can modify the enterprise policy for ISA Server.
   • CN=Policies, CN="GUID", CN=Proxy-Access-Rules: If you add users to the Security list for this value, users can either create or modify site and content rules.
   • CN=Policies, CN="GUID", CN=Proxy-Protocol-Rules: If you add users to the Security list for this value, users can either create or modify protocol rules.
4. Click to expand CN=PolicyElements, and then add the users to the Security list for any of the following values that are appropriate to your situation:
   • CN=Client-Sets: If you add users to the Security list for this value, users can create and modify enterprise client computer sets.
   • CN=ContentGroups: If you add users to the Security list for this value, users can create and modify enterprise content groups.
   • CN=Protocols: If you add users to the Security list for this value, users can create and modify enterprise protocol definitions.
   • CN=Proxy-Destination-Sets: If you add users to the Security list for this value, users can create and modify enterprise destination sets.
   • CN=Proxy-Schedule-Templates: If you add users to the Security list for this value, users can create and modify enterprise schedules.
5. Right-click Configuration Container, and then click Update Schema Now.
6. Log on as one of the users, and then start ISA Server MMC to administer the enterprise policies.