Minimizing Permissions of Users Who Do Not Need To Be Domain Admins

I need some good advice about the following situation.  I have two users in our company who are currently Domain Admins.  Neither one of these guys should have these rights, but I have not figured out a way to give them what they need without giving them these privileges.  Here is what they need to do:

1.  Modify workstations; load software, add and remove from AD.
2.  Access only those servers that pertain to their specific areas of the company - I want to give them access, but not the ability to manipulate the system (i.e. load software, etc).
3.  Change user properties in the AD.
isd503 Asked:
jss1199 Commented:
Hi isd503,

1.  Load software/modify workstation - LOCAL admins on the workstations.  Add/Remove from AD, grant their user accounts rights using the Delegation Wizard - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD

2.  You will need to be more specific here.  You do not want them to install/remove software but they need access - what level of access?  Files?  RDP?  If files, modify share and NTFS permissions to allow.  If they need to reach the server desktop, remove them from local admin and domain admin and add them to the Remote Desktop Users group of the server.

3.  Use the rights delegation wizard - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD



Cheers!
Question has a verified solution.
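
One way to script the three steps in the answer above with the ActiveDirectory module and dsacls, as an added example that is not part of the original thread. The domain, OU, group, account and server names are placeholders, and it assumes PowerShell 5.1 with remoting enabled on the servers.

```powershell
# Added example. Every name below (domain, OUs, groups, accounts, servers) is a placeholder.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=com'            # assumed domain
$netbios  = 'EXAMPLE'                      # assumed NetBIOS domain name
$wsOu     = "OU=Workstations,$domainDn"    # assumed OU holding workstation accounts
$userOu   = "OU=Staff,$domainDn"           # assumed OU holding the users they manage
$groupOu  = "OU=Groups,$domainDn"          # assumed OU for the delegation groups
$techs    = 'tech1', 'tech2'               # the two accounts leaving Domain Admins
$servers  = 'APPSRV01', 'APPSRV02'         # only the servers for their area

# One group per delegated task, so each right can be reviewed or revoked on its own.
foreach ($name in 'Deleg-WorkstationObjects', 'Deleg-UserProperties') {
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOu
    Add-ADGroupMember -Identity $name -Members $techs
}

# Item 1 (AD part): create/delete computer objects in the workstation OU (CCDC),
# plus full control (GA) of the computer objects beneath it. Nothing outside this OU.
dsacls $wsOu /I:T /G "$netbios\Deleg-WorkstationObjects:CCDC;computer"
dsacls $wsOu /I:S /G "$netbios\Deleg-WorkstationObjects:GA;;computer"
# Local admin on the workstations themselves is usually pushed by Group Policy
# (Restricted Groups) and is not scripted here.

# Item 3: read/write all properties (RPWP) on user objects below the staff OU.
dsacls $userOu /I:S /G "$netbios\Deleg-UserProperties:RPWP;;user"

# Item 2: desktop access to the listed servers without local admin rights.
$members = $techs | ForEach-Object { "$netbios\$_" }
foreach ($srv in $servers) {
    Invoke-Command -ComputerName $srv -ScriptBlock {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $using:members
    }
}

# Last step: take the accounts out of Domain Admins, then verify both sides.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $techs -Confirm:$false
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object Name, SamAccountName
dsacls $wsOu  | Select-String 'Deleg-WorkstationObjects'
dsacls $userOu | Select-String 'Deleg-UserProperties'
```

The two `dsacls` listings at the end show the access control entries the delegation groups now hold, which is the record to keep for later permission reviews.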