delegate control to a domain user without letting him have access to AD


I want to install Symantec Endpoint Protection Manager on my domain controller (whether it's a good idea or not), and I want to let a domain user manage it, so I want to give him permission to connect to the server over RDP and manage the antivirus manager, but I don't want him to be able to do anything more, like messing around with AD or any other role, just the ability to manage that manager and log off. How can I do that?
(I'm using Windows Server 2008 R2, by the way.)

Thanks !
Well first of all you should install a copy of the console on the user's desktop so RDP isn't necessary. Will need to check documentation for access to Symantec. It is also possible to give access to ALL Domain Controllers by adding to the domain Remote Desktop users group. That doesn't require domain admin rights.
Chris Dent, PowerShell Developer, commented:

You cannot. Sorry.

If it were anything but a Domain Controller you'd stand a chance, but it's not, so you're a bit out of luck I'm afraid.

If you install Symantec Endpoint Protection Manager on a domain controller you will face a lot of problems with your clients which are members of the domain. I had a very bad experience with this. When I installed it I had several issues and finally decided to remove it.

What I would suggest is to install it on a normal computer, give local admin access to any of your guys and let him manage it.
Anyhow, if you really want to install it on the domain controller you can put the user in the group "your domain\Remote Desktop Users". That way he can log on to the DC but has no administrative rights on it. Though this is definitely not best practice, I guess you should be pretty safe that way.
Chris Dent, PowerShell Developer, commented:

> It is also possible to give access to ALL Domain Controllers by adding to the domain Remote Desktop users group.
> That doesn't require domain admin rights.

By default local security policy on Domain Controllers (via Default Domain Controllers Policy) only grants RDP access to members of the Administrators group. Allow log on locally is marginally less restrictive, but I can't really recommend making the user into that.

I like your first suggestion though, local copy of the console is preferable :)
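The point in the comment above about the Default Domain Controllers Policy is easy to verify on the box itself: what decides who can RDP in is the "Allow log on through Remote Desktop Services" user right (SeRemoteInteractiveLogonRight), not membership in the Remote Desktop Users group by itself. The following PowerShell is an added example, not code from the thread or from Symantec; it uses only the built-in secedit tool and .NET SID translation, and the temp file name is an arbitrary choice. Run it in an elevated PowerShell session on the server in question.

```powershell
# Added example (not from the original thread). Lists which accounts currently hold
# the "Allow log on through Remote Desktop Services" right on this server.
# secedit /export writes the effective local security database, which already
# includes whatever the Default Domain Controllers Policy (or any other GPO) applied.

function Get-RdpLogonRightHolders {
    # Arbitrary temp file name; secedit needs an INF path to write into.
    $exportPath = Join-Path $env:TEMP 'rdp-right-export.inf'

    # Export only the [Privilege Rights] section (user rights assignment).
    secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

    try {
        $line = Select-String -Path $exportPath -Pattern '^SeRemoteInteractiveLogonRight' |
                Select-Object -First 1
        if (-not $line) {
            # No entry at all means nobody is explicitly granted the right.
            return @()
        }

        # Format of the INF line: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
        # Entries prefixed with '*' are SIDs; others are plain account names.
        $rawEntries = ($line.Line -split '=', 2)[1].Trim() -split ','
        foreach ($raw in $rawEntries) {
            $entry = $raw.Trim()
            if (-not $entry) { continue }

            if ($entry.StartsWith('*')) {
                $sidString = $entry.Substring(1)
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
                try {
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = '(unresolvable SID)'
                }
            } else {
                $sidString = ''
                $name = $entry
            }

            [pscustomobject]@{ Sid = $sidString; Account = $name }
        }
    } finally {
        Remove-Item $exportPath -ErrorAction SilentlyContinue
    }
}

Get-RdpLogonRightHolders | Format-Table -AutoSize
```

On a domain controller left at the defaults you should see only S-1-5-32-544 (BUILTIN\Administrators), which is why adding the user to Remote Desktop Users alone does not get him an RDP session on the DC; on a member server the same right is normally also granted to S-1-5-32-555 (BUILTIN\Remote Desktop Users), which is what makes the "manage it from another machine" suggestions earlier in the thread workable without handing out administrative rights.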
