mancoi asked:
Lock down a HelpDesk User - A-wall user

I am trying to figure out a way to lock a user down to his location only.
I want this user to only have full ability to manage his servers and his users which are kept in a separate OU.
I want to take him out of the Domain Admins group and put him into a less powerful group so he cannot touch the infrastructure, but I want him to have the ability to manage his servers and join computers to the domain.
I have looked into Delegation, but do not see anything in there about allowing him access to his servers or to join computers to the domain.
Please let me know your thoughts
ASKER CERTIFIED SOLUTION: Mike Kline (solution text only available to Experts Exchange members)
mancoi (ASKER):
How about logging into a server? If I make him a domain user and delegate to his OUs the power to add computers and users, how can I limit him to RDP to only the servers over which he needs full control?

Also what stops him from just adding himself back to domain admins group?

Users can't add themselves to Domain Admins. You use Restricted Groups and only give him admin rights on the servers he needs rights on and nothing else.
You can add the user to allow remote access in the local security policy of that server.
mancoi (ASKER):
I see how I can allow him remote access by adding him locally to the server, but what stops him from changing the Administrator password locally and removing my credentials from the Remote Desktop Users group, so I cannot log in?
mancoi (ASKER):
Got it, I have to change the domain controller policy and lock down the local Terminal Services policy.
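The procedure the thread converges on (remove him from Domain Admins, delegate create-computer and reset-password rights on his own OU, grant RDP only on his own servers, then let a Restricted Groups GPO keep those local group memberships authoritative) can be scripted from an RSAT workstation. The block below is an added example written for this page; it is not code from the thread or from Experts Exchange. The OU distinguished name, the account CORP\hd.branchwest and the server names BW-FS01 and BW-APP01 are assumed placeholders; the three GUIDs are the well-known Active Directory schema identifiers for the computer class, the user class and the Reset Password extended right.

```powershell
# Added example, not from the thread. Assumed names: OU "OU=Branch-West,DC=corp,DC=example",
# helpdesk account CORP\hd.branchwest, servers BW-FS01 and BW-APP01. Run once, as an account
# that is allowed to edit the OU's ACL (the one-time delegation a Domain Admin performs).
Import-Module ActiveDirectory

$ou      = 'OU=Branch-West,DC=corp,DC=example'
$account = 'hd.branchwest'
$servers = 'BW-FS01', 'BW-APP01'
$sid     = (Get-ADUser -Identity $account).SID

# Well-known schema GUIDs: computer object class, user object class, "Reset Password" extended right
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$acl = Get-Acl -Path "AD:\$ou"

# 1. Create/delete computer objects, inherited down this OU subtree only.
#    This is the right a domain join consumes. Pre-stage the computer account in this OU
#    (or redirect the default computers container); an unstaged join lands in CN=Computers,
#    where he has no rights.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# 2. Reset Password on user objects under the OU. The inherited-object-type argument ($userClass)
#    scopes the ACE so it applies to user objects only, not to computers or groups in the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. RDP only to his own servers: membership in the local "Remote Desktop Users" group,
#    which carries the "Allow log on through Remote Desktop Services" right on a member server.
Invoke-Command -ComputerName $servers -ScriptBlock {
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member "CORP\$using:account"
}

# 4. Verify he holds no high-privilege domain group, directly or through nested membership.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($group in $privileged) {
    $hit = Get-ADGroupMember -Identity $group -Recursive | Where-Object SamAccountName -eq $account
    if ($hit) { Write-Warning "$account is still a member of $group" }
}
```

Step 3 answers the "what stops him removing my credentials" concern only in combination with the Restricted Groups setting the thread mentions: once a GPO linked to his servers' OU defines the members of Administrators and Remote Desktop Users (Computer Configuration, Windows Settings, Security Settings, Restricted Groups), a local edit he makes as a server administrator is reverted at the next policy refresh, and he cannot edit that GPO because the delegation above gives him no rights on Group Policy objects.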