Web Hosting Talk

View Full Version : user management in windows dedicated environment


ServerCorps
11-20-2002, 11:13 PM
If I sell (rent is a better term, maybe) dedicated servers and want to provide a "semi-managed" environment, which consists of patches and reboots and of course hardware maintenance, what type of local user account template should I set up to allow the customer "almost root" access while denying access to the obvious things, like deleting MY admin account, Control Panel>Network access, etc.?

Also, is there a W2k template builder utility that will let me build up a box from scratch and then apply a template that creates this profile? Or should I just build up one box with everything I need and clone it, while keeping it patched, etc.?

The only stuff MS offers (GPO templates) seems integrated with AD. I thought about just building OUs for each dedicated and setting up AD on my dedicated network and making all servers associate servers (not AD servers) in their own OU, but that seems like a management headache. But a bunch of standalone servers that I have to log in to every time my password changes is a hassle, too.

Any opinions, Windows hosters?

RackMy.com
11-20-2002, 11:19 PM
Opinion, avoid AD if possible.

Are you not planning on offering full admin rights to your customers?

Just create yourself a WinShack admin login and use that to admin the box. Tell your customer if they delete or change the account, that it is no longer a 'semi-managed' box and they are on their own.

ServerCorps
11-20-2002, 11:23 PM
I wanted to do both: give full admin (root for you penguins) privileges EXCEPT the ability to delete my account. I can take the hard line, which I should, and put a boot CD in if they lose their password and my account has been deleted. Eases my problems, huh?

Do you image boot drives or build boxes from scratch?

RackMy.com
11-20-2002, 11:39 PM
We build all machines from scratch and custom set-up each box.

Wolfy
11-21-2002, 12:46 AM
Given that the default Administrator account cannot be deleted - only renamed - why not just use that for yourself? Then the customers cannot delete your account. They could change your password, however.

The other option - which introduces many more complexities - is to create a 'server manager' group, and assign all the rights/privileges they'll need to that group. While this is possible, I don't think it would be worth the effort. I think the easiest way to do it is to simply tell them not to delete/change your admin account, or they'll be on their own.

Using security templates, profiles and standard configurations - it's possible to set up W2k as a webserver fairly quickly and consistently. But if you have physical access to the box as you're setting it up, scripting an install would allow you to streamline much of the 'default' setup configuration. I don't think you'd want AD anywhere near a simple webserver. :)
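The policy suggested in the replies above (the customer keeps full admin rights, but changing or deleting the provider's account ends the "semi-managed" arrangement) only works if the provider notices the change. The following is an added example, not part of the original thread: it scans already-parsed Security log events for changes to the management account made by anyone else. The account name and the sample events are constructed, and the event IDs are those of Windows Server 2008 and later (Windows 2000, discussed in the thread, used different numbers).

```python
MGMT_ACCOUNT = "provider-admin"  # hypothetical name for the provider's local admin account

# Security log event IDs (Windows Server 2008 and later) for changes to a local account.
WATCHED = {
    4724: "password reset",
    4725: "account disabled",
    4726: "account deleted",
    4738: "account changed",
    4781: "account renamed",
}

def target_of(event):
    """Account the event acted on; a rename (4781) records the old name separately."""
    key = "OldTargetUserName" if event["EventID"] == 4781 else "TargetUserName"
    return event.get(key, "")

def tampering(events, account=MGMT_ACCOUNT):
    """Return (time, action, actor) for each watched change to `account` by another user."""
    findings = []
    for ev in events:
        action = WATCHED.get(ev["EventID"])
        if action is None or target_of(ev).lower() != account.lower():
            continue
        actor = ev.get("SubjectUserName", "")
        if actor.lower() == account.lower():
            continue  # the provider rotating its own password is expected
        findings.append((ev["TimeCreated"], action, actor))
    return findings

# Constructed sample events (not from a real log), already parsed into dicts.
SAMPLE_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2024-01-05T02:00:00",
     "TargetUserName": "provider-admin", "SubjectUserName": "provider-admin"},
    {"EventID": 4624, "TimeCreated": "2024-01-06T14:30:02",
     "TargetUserName": "customer1", "SubjectUserName": "-"},
    {"EventID": 4724, "TimeCreated": "2024-01-06T14:31:10",
     "TargetUserName": "provider-admin", "SubjectUserName": "customer1"},
    {"EventID": 4738, "TimeCreated": "2024-01-06T14:32:45",
     "TargetUserName": "customer1", "SubjectUserName": "customer1"},
    {"EventID": 4781, "TimeCreated": "2024-01-06T14:35:00",
     "OldTargetUserName": "Provider-Admin", "NewTargetUserName": "old-admin",
     "SubjectUserName": "customer1"},
]

if __name__ == "__main__":
    for when, action, actor in tampering(SAMPLE_EVENTS):
        print(f"{when}  {MGMT_ACCOUNT}: {action} by {actor}")
```

Matching is case-insensitive because Windows account names are; after a rename is flagged, later events carry the new name, so the watch list needs updating from that point.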

ServerCorps
11-21-2002, 12:50 AM
The last time I tried to "record" a Windows server setup it ended up being a bigger hassle than doing it by hand each time. Has that gotten better in Win2k? Are there better tools to automate the install of the base OS install?

Wolfy
11-21-2002, 07:13 PM
Originally posted by nikko
Has that gotten better in Win2k? Are there better tools to automate the install of the base os install?
Yes.
Install scripts are still much the same, though they work very well, and can be created very simply and easily.
If you were in a 'network environment' rather than installing a WebServer, the IntelliMirror stuff is also very useful.