Administrator permissions in windows server

Hi Guys

Our company has just employed someone to work alongside myself. The role of this person is to provide desktop support for our employees, so they will need to log in to the computers with administrator permissions to carry out software installs etc. At the moment I have added the user to the Domain Admins group on our domain controller's Active Directory.

Not certain that this is the way forward for a new starter, but I understand that there has to be an element of trust. But thinking in the company's interest I have to forward-think the scenario. As previously mentioned, the user is for desktop support but nothing higher than that, so anything higher, network / server related, must be done by myself. The user will do Windows installs, set up software, and join the computer onto the domain (computer name / domain change on the local computer).

Does this mean the user has to have the ultimate admin access to the domain, or is there a lesser permission? I think sometimes a junior admin may feel the temptation to try something without realising the disaster that may happen from one's actions, and this is what I am trying to prevent, although I know educating is probably the best approach.
Instead of modifying AD permissions, you can just make the person's account a member of the domain group Account Operators to be able to manage accounts.

I would not create a local account on all of the workstations. Rather, I would create a domain local account "Workstation Admins" and make Domain Admins and the account of your new desktop support person members. Use the restricted groups function of group policies to make the domain group Workstation Admins and the local .\administrator members of the local Administrators group. Apply the group policy only to OUs containing workstations. It should not be applied to the Domain Controllers OU or any OUs containing your servers.
I'm not sure if you have a local admin account set up on end-users' machines or not, but this is how we do it for our helpdesk staff.  Then you can follow this KB, to ensure you delegate the proper permissions required by the junior admin.

Be sure to include the 'Write Account Restrictions' permission, so that the junior admin can reset users' passwords and force them to change it during the next logon.
Just in case, here is a quick guide to help set up a local user account via group policy.  If you currently don't have a local admin account for end-user machines, then you can deploy one from here.
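As an added illustration of the "Workstation Admins" approach suggested above (this is not code from the thread), the following PowerShell creates the domain local group, adds the support account without touching Domain Admins, checks the account has not ended up in a privileged group, and reads back what actually landed in each workstation's local Administrators group once the Restricted Groups policy has applied. The account name `jdoe` and the OU paths are placeholders; it assumes the RSAT ActiveDirectory module and PowerShell remoting to the workstations.

```powershell
# Added example, not from the original thread. Placeholders: jdoe, the OU paths
# and the domain name. Requires the ActiveDirectory module (RSAT) and WinRM.
Import-Module ActiveDirectory

$GroupName     = 'Workstation Admins'
$HelpdeskUser  = 'jdoe'
$GroupOU       = 'OU=Groups,DC=example,DC=com'
$WorkstationOU = 'OU=Workstations,DC=example,DC=com'

# 1. Domain local group that the Restricted Groups GPO pushes into local Administrators.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupOU -Description 'Local admin on workstations only; never servers or DCs'
}

# 2. Members are Domain Admins plus the desktop support account.
#    The support account itself is NOT added to Domain Admins.
Add-ADGroupMember -Identity $GroupName -Members 'Domain Admins', $HelpdeskUser

# 3. Check the support account is not (still) in a domain-wide privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$memberOf = (Get-ADUser $HelpdeskUser -Properties MemberOf).MemberOf |
    ForEach-Object { (Get-ADGroup $_).Name }
$bad = $memberOf | Where-Object { $privileged -contains $_ }
if ($bad) { Write-Warning "$HelpdeskUser is still a member of: $($bad -join ', ')" }

# 4. After the Restricted Groups GPO (configured in GPMC) is linked to the
#    workstation OU only, verify the resulting local Administrators membership.
$computers = Get-ADComputer -SearchBase $WorkstationOU -Filter * |
    Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Admins   = (Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object -ExpandProperty Name) -join '; '
    }
} | Format-Table -AutoSize
```

Note that the "Members of this group" setting in Restricted Groups enforces the exact membership you list and removes anything else, so step 4 is also how you catch a workstation where someone had quietly added extra local admins.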
TG-Steve (Author) commented:
Good advice guys. I have toyed around with the idea and have it penned in to have tested with offsite support mid-month.