Minimizing Permissions of Users Who Do Not Need To Be Domain Admins

Posted on 2006-04-07
Last Modified: 2012-05-05
I need some good advice about the following situation.  I have two users in our company who are currently Domain Admins.  Neither one of these guys should have these rights, but I have not figured out a way to give them what they need without giving them these privileges.  Here is what they need to do:

1.  Modify workstations; load software, add and remove from AD.
2.  Access only those servers that pertain to their specific areas of the company - I want to give them access, but not the ability to manipulate the system (i.e. load software, etc).
3.  Change user properties in the AD.
Question by:isd503

    Accepted Solution

    Hi isd503,

    1.  Load software/modify workstation - LOCAL admins on the workstations.  Add/Remove from AD, grant their user accounts rights using the Delegation Wizard -

    2.  You will need to be more specific here.  You do not want them to install/remove software but they need access - what level of access?  Files?  RDP?  If files, modify share and NTFS permissions to allow.  If they need to reach the server desktop, remove them from local admin and domain admin and add them to the Remote Desktop Users group of the server.

    3.  Use the rights delegation wizard -
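
The three steps in the accepted answer, scripted in PowerShell as an added example (not part of the original answer). It assumes the ActiveDirectory RSAT module and PowerShell remoting are available; every domain, OU, group, account, workstation and server name is a placeholder.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=com'
$wsOu       = "OU=Workstations,$domainDn"     # OU holding workstation accounts
$userOu     = "OU=Staff,$domainDn"            # OU holding the users they manage
$groupName  = 'Desktop-Support'               # role group that receives the rights
$delegGroup = "EXAMPLE\$groupName"
$serverAccess = @{ 'tech1' = 'SRV-FINANCE01'; 'tech2' = 'SRV-PLANT01' }
$workstations = 'WS-0001', 'WS-0002'

# Delegate to a group rather than to individual accounts, so access follows the role.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members @($serverAccess.Keys)

# Step 1a: create/delete computer objects in the workstation OU and below.
dsacls $wsOu /I:T /G "${delegGroup}:CCDC;computer"

# Step 1b: local admin on workstations only (normally pushed by Group Policy;
# done directly here to keep the example self-contained).
Invoke-Command -ComputerName $workstations -ArgumentList $delegGroup -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group 'Administrators' -Member $member
}

# Step 2: desktop access to each user's own servers, without local admin there.
foreach ($tech in $serverAccess.Keys) {
    Invoke-Command -ComputerName $serverAccess[$tech] -ArgumentList "EXAMPLE\$tech" -ScriptBlock {
        param($member)
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member
    }
}

# Step 3: read/write properties on user objects in the staff OU (inherited to users only).
dsacls $userOu /I:S /G "${delegGroup}:RPWP;;user"

# Only after the delegated rights are in place, drop the Domain Admins membership.
Remove-ADGroupMember -Identity 'Domain Admins' -Members @($serverAccess.Keys) -Confirm:$false

# Verify: neither account remains in Domain Admins, and the ACEs are on the OUs.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
dsacls $wsOu   | Select-String $groupName
dsacls $userOu | Select-String $groupName
```

The accounts need to log off and back on before the group change takes effect in their tokens.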

