Lock down a HelpDesk User - A-wall user

mancoi
I am trying to figure out a way to lock a user down to his location only.
I want this user to only have full ability to manage his servers and his users which are kept in a separate OU.
I want to take him out of the Domain Admins groups and put him into a less powerful group so he cannot touch the infrastructure, but I want him to have the ability to manage his servers and join computers to the domain.
I have looked into Delegation, but do not see anything in there about allowing him access to his servers or to join computers to the domain.
Please let me know your thoughts.
Top Expert 2013
Commented:
Several ways to delegate joining computers to the domain: http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

You can give him full control of the OU and use Restricted Groups to add him as an admin to every machine in that OU: http://www.frickelsoft.net/blog/?p=13

Thanks

Mike
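One way to carry out the delegation described above in PowerShell, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is installed and uses placeholder names for the OU, group and user; the Restricted Groups part is still done in Group Policy as the answer says.

```powershell
# Added example (not from the thread). Placeholders: replace with your own values.
Import-Module ActiveDirectory

$ouDN  = "OU=Site-A,DC=example,DC=com"   # placeholder OU the site admin owns
$group = "SiteA-ServerAdmins"            # placeholder site-local admin group
$user  = "jdoe"                          # placeholder site admin account

# 1. Put the site admin in a scoped group instead of Domain Admins.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path $ouDN
}
Add-ADGroupMember    -Identity $group          -Members $user
Remove-ADGroupMember -Identity "Domain Admins" -Members $user -Confirm:$false

# 2. Delegate create/delete of computer objects on the OU only. This grants the
#    "join computers to the domain" ability without any domain-wide right.
#    bf967a86-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of the 'computer' class.
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$sid = (Get-ADGroup $group).SID
$acl = Get-Acl -Path "AD:\$ouDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Verify the result: the user must no longer be in Domain Admins, and the
#    site group must appear in the OU's ACL with the computer-object right.
$stillDA = (Get-ADGroupMember "Domain Admins" -Recursive).SamAccountName -contains $user
Write-Host "Still in Domain Admins: $stillDA"            # expect False
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Run it from an account that holds Domain Admins or equivalent, since editing the OU ACL and Domain Admins membership requires that; the ACL entry applies only below the given OU, so nothing outside it is affected.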

Author

Commented:
How about logging into a server? If I put him as a domain user and delegate to his OUs the power to add computers and users, how can I limit him to RDP only to his servers, which he needs full control of?

Also, what stops him from just adding himself back to the Domain Admins group?

Top Expert 2013

Commented:
Users can't add themselves to Domain Admins. You use Restricted Groups and only give him admin rights on servers he needs rights on and nothing else.

Commented:
You can add the user to "allow the user remote access" in the local security policy of that server.

Author

Commented:
I see how I can allow them remote access by adding them locally to the server, but what stops him from changing the Administrator password locally and removing my credentials from the Remote Desktop Users group, so I cannot log in?

Author

Commented:
Got it, I have to change the local domain controller policy and lock down the local Terminal Services policy.
