Lock down a HelpDesk User - A-wall user

I am trying to figure out a way to lock a user down to his location only.
I want this user to only have full ability to manage his servers and his users which are kept in a separate OU.
I want to take him out of the Domain Admins groups and put him into a less powerful group so he cannot touch the infrastructure, but I want him to have the ability to manage his servers and join computers to the domain.
I have looked into Delegation, but do not see anything in there about allowing him access to his servers or to join computers to the domain.
Please let me know your thoughts.
Mike KlineCommented:
Several ways to delegate joining computers to the domain: http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx

You can give him full control of the OU and use restricted groups to add him as an admin to every machine in that OU: http://www.frickelsoft.net/blog/?p=13
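The delegation described above, worked through as an added example that is not part of the thread or of the linked articles. Every name in it is a hypothetical assumption: the domain corp.example, a site OU with "Servers" and "Users" sub-OUs, a group SiteA-Helpdesk and a helpdesk account jdoe. It grants the rights a domain join actually needs on the servers OU, and full control only on the users OU, because full control on an OU also includes writing gPLink and gPOptions, which is the right to link and unlink GPOs on that OU.

```powershell
# Added example, not from the original thread. Everything named here is a
# hypothetical assumption: domain corp.example, a site OU with "Servers" and
# "Users" sub-OUs, a group SiteA-Helpdesk and a helpdesk account jdoe.
# Run once as a Domain Admin on a machine with the AD PowerShell module.
Import-Module ActiveDirectory

$siteOU    = "OU=Site-A,DC=corp,DC=example"
$serversOU = "OU=Servers,$siteOU"
$usersOU   = "OU=Users,$siteOU"
$helpdesk  = Get-ADGroup "SiteA-Helpdesk"
$sid       = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID

# 1. Take the account out of Domain Admins and into the delegated group.
Remove-ADGroupMember -Identity "Domain Admins" -Members "jdoe" -Confirm:$false
Add-ADGroupMember    -Identity $helpdesk       -Members "jdoe"

# Schema GUIDs below are fixed across all AD forests.
$computerClass       = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"  # 'computer' object class
$resetPassword       = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$accountRestrictions = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"  # Account Restrictions property set
$dnsHostNameWrite    = [Guid]"72e39547-7b18-11d1-adef-00c04fd8d5cd"  # Validated write to DNS host name
$spnWrite            = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"  # Validated write to SPN

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET's spelling

function New-Ace([string]$Rights, [Guid]$ObjectType, [Guid]$InheritedClass) {
    $r = [System.DirectoryServices.ActiveDirectoryRights]$Rights
    if ($PSBoundParameters.ContainsKey('InheritedClass')) {
        # ACE that applies only to descendant objects of one class (here: computers)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $r, $Allow, $ObjectType, $Desc, $InheritedClass)
    } else {
        # ACE on the OU itself and everything below it
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $r, $Allow, $ObjectType, $All)
    }
}

# 2. Servers OU: create/delete computer objects, plus the rights a domain join
#    needs on computer objects that already exist (pre-staged or re-joined).
$serverAces = @(
    (New-Ace "CreateChild, DeleteChild"    $computerClass)
    (New-Ace "ExtendedRight"               $resetPassword       $computerClass)
    (New-Ace "ReadProperty, WriteProperty" $accountRestrictions $computerClass)
    (New-Ace "Self"                        $dnsHostNameWrite    $computerClass)
    (New-Ace "Self"                        $spnWrite            $computerClass)
)
$acl = Get-Acl -Path "AD:\$serversOU"
$serverAces | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$serversOU" -AclObject $acl

# 3. Users OU: full control over everything in it (user and group management).
$acl = Get-Acl -Path "AD:\$usersOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $Allow, $All)))
Set-Acl -Path "AD:\$usersOU" -AclObject $acl

# 4. Check the result the way an auditor would: list the ACEs granted to the group.
(Get-Acl -Path "AD:\$serversOU").Access |
    Where-Object { $_.IdentityReference -like "*SiteA-Helpdesk" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Two checks before relying on this. First, by default ms-DS-MachineAccountQuota is 10, so any authenticated user can already join up to ten machines into the default Computers container; if the intent is that only this delegation permits joins, and only into his OU, set the quota to 0 on the domain object (for example Set-ADDomain -Identity corp.example -Replace @{'ms-DS-MachineAccountQuota'=0}). Second, full control on the users OU includes resetting the password of every account in it, so no account with rights outside the site may live there. Membership of Domain Admins is governed by the ACL on the Domain Admins group object itself, which this delegation does not touch and which the AdminSDHolder process re-stamps on protected groups, so the delegated user cannot put himself back.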



mancoiAuthor Commented:
How about logging into a server? If I put him in as a domain user and delegate to his OUs the power to add computers and users, how can I limit him to RDP to only the servers over which he needs full control?

Also what stops him from just adding himself back to domain admins group?


Mike KlineCommented:
Users can't add themselves to domain admins. You use restricted groups and only give him admin rights on the servers he needs rights on and nothing else.
You can add the user to the "allow remote access" setting in the local security policy of that server.
mancoiAuthor Commented:
I see how I can allow them remote access by adding them locally to the server, but what stops him from changing the Administrator password locally and removing my credentials from the Remote Desktop Users group, so I cannot log in?
mancoiAuthor Commented:
Got it. I have to change the local domain controller policy and lock down the local Terminal Services policy.
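The restricted-groups approach from the answer above, and the policy lockdown the last two comments settle on, as an added example that is not part of the thread. All names are hypothetical assumptions: domain CORP, the helpdesk group CORP\SiteA-Helpdesk and a central group CORP\Server-Admins. It builds a security template in the same GptTmpl.inf syntax a GPO uses, makes the local Administrators and Remote Desktop Users membership authoritative, grants the Remote Desktop logon right, and applies it to the server it runs on so the effect can be seen before it is put in a GPO.

```powershell
# Added example, not from the original thread. Hypothetical assumptions:
# domain CORP, helpdesk group CORP\SiteA-Helpdesk, central admins group
# CORP\Server-Admins. Run as Administrator on one of the site's servers.
function Get-Sid([string]$Domain, [string]$Name) {
    # Resolve DOMAIN\Name to its SID; templates refer to principals by SID.
    $acct = New-Object System.Security.Principal.NTAccount($Domain, $Name)
    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$helpdesk     = Get-Sid "CORP" "SiteA-Helpdesk"
$serverAdmins = Get-Sid "CORP" "Server-Admins"
$domainAdmins = Get-Sid "CORP" "Domain Admins"
$localAdmins  = "S-1-5-32-544"   # BUILTIN\Administrators (well-known SID)
$rdpUsers     = "S-1-5-32-555"   # BUILTIN\Remote Desktop Users (well-known SID)

# Security-template (GptTmpl.inf) syntax. Principals are written as *SID.
# "Members" is authoritative: at apply time, anyone not listed is removed.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
; Restricted Groups
*${localAdmins}__Members = *$serverAdmins,*$domainAdmins,*$helpdesk
*${localAdmins}__Memberof =
*${rdpUsers}__Members = *$helpdesk
*${rdpUsers}__Memberof =
[Privilege Rights]
; User Rights Assignment: "Allow log on through Remote Desktop Services"
SeRemoteInteractiveLogonRight = *$localAdmins,*$rdpUsers
"@

$inf = Join-Path $env:TEMP "site-lockdown.inf"
$db  = Join-Path $env:TEMP "site-lockdown.sdb"
$log = Join-Path $env:TEMP "site-lockdown.log"
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the two areas the template defines; everything else is untouched.
secedit.exe /configure /db $db /cfg $inf /areas GROUP_MGMT USER_RIGHTS /log $log

# Verify: local membership is now exactly what the template says.
net localgroup Administrators
net localgroup "Remote Desktop Users"
```

Applied locally like this, a local administrator could still undo it by hand, which is the concern raised in the comments. The same [Group Membership] and [Privilege Rights] content placed in a GPO linked to the servers' OU (Computer Configuration, Windows Settings, Security Settings, Restricted Groups and User Rights Assignment) is reapplied by the security client-side extension at every policy refresh, and security settings are re-enforced periodically even when the GPO has not changed, so removed accounts come back. Changing the local Administrator password does not affect the domain accounts in Server-Admins, which the policy keeps in the local Administrators group. To keep the helpdesk user off servers outside his OU, the GPO for those servers can list his group under SeDenyRemoteInteractiveLogonRight in the same section. Finally, the user must not be able to edit or unlink that GPO: GPO editing rights are separate from OU permissions, and linking is controlled by write access to gPLink on the OU, so do not grant him full control over the OU the lockdown GPO is linked to.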