aungelbach asked:

System Administrator Limited Active Directory Rights

I have a customer who would like their IT person to be able to manage computers and access shared data from a W2k3 SQL server and an SBS 2008 server. This person is currently a domain administrator, and their boss would like them to not have access to other users' mailboxes but still be able to perform their daily duties. Would removing them from the domain administrators group and adding them to the "Domain Power User's" group be the right solution for this? Any shared server resource access will be handled by sharing security; we just do not want them to log on locally to the SBS server or have the ability to look at higher management's email within Exchange.
ASKER CERTIFIED SOLUTION
ChandarS
This solution is only available to members.
aungelbach

ASKER

Even though the Account Operators group allows logon locally to the server permissions, do they still have any ability to open anyone's Exchange mailbox?
If then, add them to Deny logon locally

http://technet.microsoft.com/en-us/library/cc957048.aspx

They do not have any Exchange permission; if they want it in the near future, then
http://support.microsoft.com/kb/823018
SOLUTION
Adam Brown
This solution is only available to members.
A combination of all of these is what I will do.