How best to assignprivilege to IT officer?

I run a Windows 2003 server in a small enterprise with about 40 users. I onlyt have one IT technician. I want him to be able to perform some task and not the others.
Specifically I want him to be able to:

Manage AD to add and edit users.
Perform back ups.

I do not want him to be able to change the DHCP and DNS settings.

Please recommend how best to assign him privilege. I tried put him in Domain admin group, but that just gives him all the privilege. I want something more limited.
Who is Participating?
For the editing user accounts part, you first want to create a group called "AD User Management" or something like that. Assign the rights to the group and make this one user a member of that group. Then use the Delegation control wizard to give that groups rights to add/edit/delete user accounts in a certain OU or for the whole domain.

As for rights to run the backup, the rights do depend on how your backup software plays with rights. With NTBackup, you should be able to make this user a member of the Backup Operators group. With Veritas (Symantec) Backup Exec, I believe it has its own internal authentication in addition to the windows rights.
Hi SC2002Admin,

if you dont want him touching DHCP and DNS remove him from those operator groups as well
SC2002AdminAuthor Commented:
Thanks. I noticed that if the person do not belong to Domain admin group, then he cannot log on the server machine. What to do in this case?

Should the user be allow to log on the server computer? or is there another (better) way?
better off would be installing the adminpak on his machine and let him manager from there......

but if you want him to log on to the server, then you need to edit your default domain controller policy to allow him to logon locally under user rights assignment
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.