Link to home
Create AccountLog in
Avatar of DNOWA
DNOWAFlag for United States of America

asked on

Are most it techs administrators of the domain

I'm the manager of a network and just hired two techs.  I really don't want them to be at the administrator level, however I do need them to install programs and control netconnections, install printers but really don't want them to have access to restricted folders.

What should I do?

Thanks in advance.
ASKER CERTIFIED SOLUTION
Avatar of Lee W, MVP
Lee W, MVP
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Add your tech staff to a new group and give this group restricted access(deny) on all shares
Add them to printer operator group so that they can manage printeres and print jobs.
Do not make them member of any admins/domain admin/enterprise admin group

for more better controll you can go through task delegation wizard.
http://technet.microsoft.com/es-es/library/cc756087(WS.10).aspx
and offcouse you have to add this group once to each workstation's local admin group as "Leew" said.
Avatar of DNOWA

ASKER

In server 2008 I'm not seeing a delegate option.
If they don't need to manage user accounts, they don't need AD rights and delegate is not necessary.
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
I would be careful with adding users to any of the built-in groups. You may be giving them permissions that you do not want them to have. For example the print operators group by default has permissions to logon locally to the DCs and shut them down.

http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
well in this case, add them only to workstation local admin group and this will do ur job.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.