mancoi
asked on
Lock down a HelpDesk User - A-wall user
I am trying to figure out a way to lock a user down to his location only.
I want this user to only have full ability to manage his servers and his users which are kept in a separate OU.
I want to take him out of the Domain Admins groups and put him into a less powerful group so he cannot touch the infrastructure, but I want him to have the ability to manage his servers and join computers to the domain.
I have looked into Delegation, but do not see anything in there about allowing him access to his servers or to join computers to the domain.
Please let me know your thoughts
ASKER
How about logging into a server. If I put him as a domain user and delegate to his OU's the power to add computers and users, how can I limit him to RDP to only his servers which he needs full control.
Also what stops him from just adding himself back to domain admins group?
Users can't add themselves to domain admins. You use restricted groups and only give him admin rights on servers he needs rights on and nothing else.
You can add the user to the allow-remote-access setting in the Local Security Policy of that server.
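The OU delegation the thread is circling around can be done without the wizard. The script below is an added example, not code from the thread or from either poster; it assumes a single OU `OU=Branch01,DC=corp,DC=example` that holds both the helpdesk user's user accounts and his servers, and a group `Branch01-HelpDesk` that he is a member of (both names are assumptions). It grants full control over user objects, the right to create and delete computer objects, and the four rights on existing computer objects that a non-admin needs to finish a domain join (Reset Password, Account Restrictions, and the validated writes to DNS host name and SPN). The GUIDs are looked up from the schema and the Extended-Rights container instead of being hard-coded.

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory
# module (RSAT) and an account that can modify the OU's security descriptor.
Import-Module ActiveDirectory

$OU        = 'OU=Branch01,DC=corp,DC=example'   # assumption: branch OU (users + servers)
$GroupName = 'Branch01-HelpDesk'                # assumption: delegated helpdesk group

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve a schema class GUID by its lDAPDisplayName (user, computer, ...)
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$o.schemaIDGUID
}
# Resolve an extended right / property set / validated write GUID by display name
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [Guid]$o.rightsGuid
}

$sid           = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID
$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$resetPwd      = Get-RightsGuid 'Reset Password'
$acctRestr     = Get-RightsGuid 'Account Restrictions'
$valDnsHost    = Get-RightsGuid 'Validated write to DNS host name'
$valSpn        = Get-RightsGuid 'Validated write to service principal name'

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$All         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
function Rights([string]$Names) { [System.DirectoryServices.ActiveDirectoryRights]$Names }
function NewRule { New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $args }

$acl = Get-Acl -Path "AD:\$OU"

# 1. Full control over user objects beneath the OU (manage "his users")
$acl.AddAccessRule((NewRule $sid (Rights 'GenericAll') $Allow $Descendents $userClass))
# 2. Create/delete user and computer objects in the OU and its sub-OUs
$acl.AddAccessRule((NewRule $sid (Rights 'CreateChild,DeleteChild') $Allow $userClass     $All))
$acl.AddAccessRule((NewRule $sid (Rights 'CreateChild,DeleteChild') $Allow $computerClass $All))
# 3. Rights on computer objects that the join operation itself needs
$acl.AddAccessRule((NewRule $sid (Rights 'ExtendedRight')              $Allow $resetPwd   $Descendents $computerClass))
$acl.AddAccessRule((NewRule $sid (Rights 'ReadProperty,WriteProperty') $Allow $acctRestr  $Descendents $computerClass))
$acl.AddAccessRule((NewRule $sid (Rights 'Self')                       $Allow $valDnsHost $Descendents $computerClass))
$acl.AddAccessRule((NewRule $sid (Rights 'Self')                       $Allow $valSpn     $Descendents $computerClass))

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: list the ACEs now granted to the helpdesk group on the OU
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -eq "$((Get-ADDomain).NetBIOSName)\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

With this in place the helpdesk user joins a machine with `Add-Computer -DomainName corp.example -OUPath $OU` (or the GUI, after pre-creating the computer object in the OU). He gains nothing outside the OU, so membership in Domain Admins is no longer needed for this job. Note that delegation on the OU says nothing about who is a local administrator on the servers themselves; that part is the Restricted Groups setting the answer above mentions.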
ASKER
I see how I can allow them remote access by adding them locally to the server, but what stops him from changing the Administrator password locally and removing my credentials from the remote desktops group, so I cannot login?
ASKER
Got it, I have to change the local domain controller policy and lock down the Local Terminal Service policy
http://support.microsoft.com/kb/251335
http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/37/Default.aspx
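Restricted Groups only rewrites local group membership at Group Policy refresh, so between refreshes a local administrator can still remove Domain Admins from the servers' Administrators group, which is the scenario the asker worried about. The following is an added example, not from the thread, that checks the branch servers for exactly that drift. It assumes two server names and the group names shown (all assumptions), WinRM enabled on the targets, and the Microsoft.PowerShell.LocalAccounts module on them (Windows Server 2016 or later); the account running it must be a local administrator on those servers.

```powershell
# Added example (not from the original thread): detect drift in local group
# membership on the helpdesk user's servers, i.e. what Restricted Groups enforces.
$Servers  = 'BR01-APP01', 'BR01-FS01'                       # assumption: his servers
$Expected = @{
    'Administrators'       = @('CORP\Domain Admins', 'CORP\Branch01-HelpDesk')  # assumption
    'Remote Desktop Users' = @('CORP\Branch01-HelpDesk')                        # assumption
}

$results = Invoke-Command -ComputerName $Servers -ArgumentList $Expected -ScriptBlock {
    param($Expected)
    foreach ($group in $Expected.Keys) {
        $actual = @(Get-LocalGroupMember -Group $group | ForEach-Object Name)
        # Members that should be there but are not (e.g. Domain Admins removed)
        $missing    = @($Expected[$group] | Where-Object { $_ -notin $actual })
        # Members that should not be there; the built-in local Administrator
        # account is always present in Administrators and is tolerated
        $unexpected = @($actual | Where-Object {
            $_ -notin $Expected[$group] -and $_ -notmatch '\\Administrator$'
        })
        [pscustomobject]@{
            Server     = $env:COMPUTERNAME
            Group      = $group
            OK         = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
            Missing    = ($missing -join ', ')
            Unexpected = ($unexpected -join ', ')
        }
    }
}

$results | Sort-Object Server, Group |
    Format-Table Server, Group, OK, Missing, Unexpected -AutoSize

# Anything not OK is either tampering or a server the Restricted Groups GPO does not reach
$results | Where-Object { -not $_.OK } | ForEach-Object {
    Write-Warning "$($_.Server): '$($_.Group)' drifted (missing: $($_.Missing); unexpected: $($_.Unexpected))"
}
```

Run it from a scheduled task under a Domain Admin account, or from a management host, so the check does not depend on the very servers the helpdesk user administers. The expected lists should mirror the Restricted Groups policy exactly; any difference between the two is either a tampered server or a server the GPO is not linked to.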