W2K3 BUILT IN ACCOUNTS
Posted on 2009-07-08
I have a new hire. I would like to allow her the ability to remotely log in to domain controllers to reset passwords and create accounts in Active Directory. I have her in the account operator, domain users and remote desktop group. When I attempt to log in via RDP the server responds:
To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the remote desktop users group have this right. If you are not a member of the remote desktop users group or another group that has this right, or if the remote desktop user group does not have this right, you must be granted this right manually.
I want to restrict this user so she can't install software or make any changes to the server and I don't want to relinquish the admin account. What would be the most practical Active Directory group membership assignment?