Administrator permissions in Windows Server

Hi Guys

Our company has just employed someone to work alongside myself. The role of this person is to provide desktop support for our employees, so they will need to log in to the computers with administrator permissions to carry out software installs etc. At the moment I have added the user to the domain administrator group users on our domain controller Active Directory.

I'm not certain that this is the way forward for a new starter, but I understand that there has to be an element of trust. Thinking in the company's interest, though, I have to think ahead about the scenario. As previously mentioned, the user is for desktop support but nothing higher than that, so anything higher (network / server related) must be done by myself. The user will do Windows installs, set up software and join the computer onto the domain (through the computer name / domain change on the local computer).

Does this mean the user has to have the ultimate admin access to the domain, or is there a lesser permission? I think sometimes a junior admin may feel the temptation to try something without realising the disaster that may happen from one's actions, and this is what I am trying to prevent, although I know educating is probably the best approach.

I'm not sure if you have a local admin account set up on end-users' machines or not, but this is how we do it for our helpdesk staff.  Then you can follow this KB, to ensure you delegate the proper permissions required by the junior admin.

Be sure to include the 'Write Account Restrictions' permission, so that the junior admin can reset users' passwords and force them to change it during the next logon.
Just in case, here is a quick guide to help set up a local user account via group policy.  If you currently don't have a local admin account for end-user machines, then you can deploy one from here.
Instead of modifying AD permissions, you can just make the person's account a member of the domain group Account Operators to be able to manage accounts.

I would not create a local account on all of the workstations. Rather, I would create a domain local account "Workstation Admins" and make Domain Admins and the account of your new desktop support person members. Use the restricted groups function of group policies to make the domain group Workstation Admins and the local .\administrator members of the local Administrators group. Apply the group policy only to OUs containing workstations. It should not be applied to the Domain Controllers OU or any OUs containing your servers.
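The group setup described in the answer above can be scripted and sanity-checked as follows. This is an added example, not code from the thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules (Windows Server 2008 R2 or later); the account name, the OU path and the GPO name are hypothetical placeholders.

```powershell
# Added example. Placeholder values are assumptions, not taken from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName   = 'Workstation Admins'            # group name used in the answer
$SupportUser = 'desktop.support'               # hypothetical support account (sAMAccountName)
$GroupOU     = 'OU=Groups,DC=example,DC=com'   # hypothetical OU for the new group
$GpoName     = 'Workstation Local Admins'      # hypothetical GPO holding the Restricted Groups setting

# 1. Create the domain local security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
}

# 2. Add Domain Admins and the support account, skipping existing members.
$current = @(Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName)
$missing = @('Domain Admins', $SupportUser) | Where-Object { $current -notcontains $_ }
if ($missing) { Add-ADGroupMember -Identity $GroupName -Members $missing }

# 3. The support account no longer needs domain-wide rights, so take it out of
#    Domain Admins. The cmdlet prompts for confirmation by default.
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' |
    Select-Object -ExpandProperty SamAccountName)
if ($domainAdmins -contains $SupportUser) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $SupportUser
}

# 4. Check that the Restricted Groups GPO does not reach the Domain Controllers OU.
#    InheritedGpoLinks lists every GPO that applies there, linked directly or inherited.
$dcOU    = (Get-ADDomain).DomainControllersContainer
$applied = (Get-GPInheritance -Target $dcOU).InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if ($applied) {
    Write-Warning "GPO '$GpoName' applies to $dcOU. Link it only to workstation OUs."
} else {
    Write-Output "GPO '$GpoName' does not apply to $dcOU."
}
```

Run the step 4 check against each OU that contains servers as well, by passing that OU's distinguished name to `Get-GPInheritance -Target`.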

TG-SteveAuthor Commented:
Good advice guys, I have toyed around with the idea and have it penned in to have it tested with offsite support mid month.
Windows Server 2008
