Delegate control to a domain user without letting him have access to AD


I want to install Symantec Endpoint Protection Manager on my domain controller (whether it's a good idea or not), and I want to let a domain user manage it. I want to give him permission to connect to the server over RDP and manage the antivirus manager, but I don't want him to be able to do anything more, like messing around with AD or any other role: just the ability to manage that manager and log off. How can I do that?
(I'm using Windows Server 2008 R2, btw.)

Thanks !

Chris Dent, PowerShell Developer, commented:

You cannot. Sorry.

If it were anything but a Domain Controller you'd stand a chance, but it's not, so you're a bit out of luck I'm afraid.

Well first of all you should install a copy of the console on the user's desktop so RDP isn't necessary. Will need to check documentation for access to Symantec. It is also possible to give access to ALL Domain Controllers by adding to the domain Remote Desktop users group. That doesn't require domain admin rights.

If you install Symantec Endpoint Protection Manager on a domain controller, you will face a lot of problems with your clients which are the members of the domain controller. I had a very bad experience with this. When I installed it I had several issues and finally decided to remove it.

What I would suggest is to install it on a normal computer, give local admin access to one of your guys, and let him manage it.

Anyhow, if you really want to install on the domain controller, you can put the user in the group "your domain\Remote Desktop Users". That way he can log on to the DC but has no administrative rights on it. Though this is definitely not best practice, I guess you should be pretty safe that way.

Chris Dent, PowerShell Developer, commented:

> It is also possible to give access to ALL Domain Controllers by adding to the domain Remote Desktop users group.
> That doesn't require domain admin rights.

By default local security policy on Domain Controllers (via Default Domain Controllers Policy) only grants RDP access to members of the Administrators group. Allow log on locally is marginally less restrictive, but I can't really recommend making the user into that.

I like your first suggestion though, local copy of the console is preferable :)
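
Added example, not part of any post in this thread: a way to see which accounts and groups actually hold the logon rights discussed above on a given domain controller, so you can tell whether Remote Desktop Users membership would have any effect. It assumes an elevated PowerShell prompt on the DC; the temp file name is arbitrary.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the DC.
# Assumption: the temp file name below is arbitrary.
$cfg = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg          # Get-Content honours the file's Unicode BOM
Remove-Item $cfg

function Resolve-Principal([string]$entry) {
    # secedit writes each holder as "*<SID>" or as a plain account name.
    $entry = $entry.Trim()
    if ($entry -notmatch '^\*(S-1-.+)$') { return $entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText            # unresolvable SID: show it raw
    }
}

# Allow / deny log on through Remote Desktop Services, and allow log on locally.
$rights = 'SeRemoteInteractiveLogonRight',
          'SeDenyRemoteInteractiveLogonRight',
          'SeInteractiveLogonRight'

foreach ($right in $rights) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) { "{0}: (no entry)" -f $right; continue }
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ }
    "{0}: {1}" -f $right, ($holders -join '; ')
}
```

If `BUILTIN\Remote Desktop Users` does not appear on the `SeRemoteInteractiveLogonRight` line, group membership alone will not let the user log on over RDP.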
