So, here's the deal...
I have a client who has a remote office with a manager who likes to tinker and was in charge of managing their separate network before we came in. He wants to be able to add users, reset passwords, and add computers to the domain. I'd rather not do this, but he insists.
When I set up a new account and either delegate those privileges or add the account to the Account Operators group, I am still unable to open the Windows SBS 2008 console because the account isn't an administrator. The account can open Active Directory Users and Computers, but not the sbs console. A UAC prompt rears its head every time.
Is there a way to do this? I just want to give him minimal privileges, but I can't figure out how. Any advice? I'd like to use delegation rather than adding to the Account Operator group.
I'm not going to make him an admin, so it's either this or nothing.
Thanks for any input.