System Administrator Limited Active Directory Rights
Posted on 2010-09-17
I have a customer who would like their IT person to be able to manage computers and access shared data from a W2k3 SQL server and a SBS 2008 Server. This person is currently a domain administrator and their boss would like them to not have access to other users mailboxes but still be able to perform thier daily duties. Woudld removing them from the domain administrators group adding them to the "Domain Power User's" group be the right solution for this? Any shared server resource access will be handled by sharing security, we just do not want them to logon locally to the SBS server or have the ability to look at higher management's email within exchange.