How best to assign privilege to IT officer?

Posted on 2006-05-14
Medium Priority
Last Modified: 2010-04-18
I run a Windows 2003 server in a small enterprise with about 40 users. I only have one IT technician. I want him to be able to perform some tasks and not others.
Specifically I want him to be able to:

Manage AD to add and edit users.
Perform back ups.

I do not want him to be able to change the DHCP and DNS settings.

Please recommend how best to assign him privilege. I tried putting him in the Domain admin group, but that just gives him all the privilege. I want something more limited.
Question by:SC2002Admin

Accepted Solution

llefebure earned 150 total points
ID: 16677957
For the editing user accounts part, you first want to create a group called "AD User Management" or something like that. Assign the rights to the group and make this one user a member of that group. Then use the Delegation control wizard to give that group rights to add/edit/delete user accounts in a certain OU or for the whole domain.

As for rights to run the backup, the rights do depend on how your backup software plays with rights. With NTBackup, you should be able to make this user a member of the Backup Operators group. With Veritas (Symantec) Backup Exec, I believe it has its own internal authentication in addition to the Windows rights.

Expert Comment

ID: 16679035
Hi SC2002Admin,

If you don't want him touching DHCP and DNS, remove him from those operator groups as well.

Author Comment

ID: 16679975
Thanks. I noticed that if the person does not belong to the Domain admin group, then he cannot log on to the server machine. What to do in this case?

Should the user be allowed to log on to the server computer? Or is there another (better) way?

Expert Comment

ID: 16679988
Better off would be installing the adminpak on his machine and letting him manage from there...

But if you want him to log on to the server, then you need to edit your default domain controller policy to allow him to log on locally under user rights assignment.
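
The delegation from the accepted answer and the group check from the first expert comment, done from the command line on a Windows Server 2003 domain controller (an added example, not part of the original thread). The domain `example.local` (NetBIOS name `EXAMPLE`), the OU `Staff` and the account `ittech` are assumed placeholders, and `dsacls` is assumed to be installed from the Support Tools.

```bat
@echo off
rem Added example. All names below are placeholders; replace them with your own.
setlocal
set "DOMAIN_DN=DC=example,DC=local"
set "OU_DN=OU=Staff,%DOMAIN_DN%"
set "GROUP_DN=CN=AD User Management,CN=Users,%DOMAIN_DN%"
set "TECH_DN=CN=ittech,CN=Users,%DOMAIN_DN%"
set "REPORT=%TEMP%\tech_groups.txt"

rem 1. Create a global security group and make the technician a member.
dsadd group "%GROUP_DN%" -secgrp yes -scope g -samid "AD User Management"
dsmod group "%GROUP_DN%" -addmbr "%TECH_DN%"

rem 2. Delegate user management to the group on one OU only.
rem    CCDC;user = create/delete user objects in the OU and below (/I:T).
rem    GA;;user  = full control, inherited only by user objects below the OU (/I:S).
dsacls "%OU_DN%" /I:T /G "EXAMPLE\AD User Management:CCDC;user"
dsacls "%OU_DN%" /I:S /G "EXAMPLE\AD User Management:GA;;user"

rem 3. NTBackup rights come from the built-in Backup Operators group.
dsmod group "CN=Backup Operators,CN=Builtin,%DOMAIN_DN%" -addmbr "%TECH_DN%"

rem 4. Verify: dump every group the account ends up in (nested ones included).
dsget user "%TECH_DN%" -memberof -expand > "%REPORT%"
if errorlevel 1 (
    echo ERROR: could not read group membership for %TECH_DN%.
    goto :eof
)

rem 5. Flag any membership that grants domain-wide, DNS or DHCP control.
findstr /I /C:"CN=Domain Admins," /C:"CN=Enterprise Admins," /C:"CN=Administrators," /C:"CN=DnsAdmins," /C:"CN=DHCP Administrators," "%REPORT%"
if errorlevel 1 (
    echo OK: no admin, DNS or DHCP group membership found.
) else (
    echo WARNING: remove the account from the groups listed above.
)
endlocal
```

Scoping the delegation to an OU that holds only ordinary staff accounts keeps the technician's rights away from administrator accounts.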


Question has a verified solution.
