Permissions Question in AD
I have a system admin that I want to lock down his permissions on the network. His role is to support the end users and any issues they are having with their machines or applications. He is also supposed to fix any printer issues that are needed. Here is my dilema. Currently he is a domain admin which I am going to remove him from that group. He does not need that much control. I just need to know which groups to put him in in order to manage the users, add comps to the domain, and handle printer problems. Which groups should I use?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sounds like he will need an account that has local admin rights on the PCs. You can use restricted groups to do that
http://www.frickelsoft.net/blog/?p=13
Create a group call it something like "helpdesk admins" and add that to the local admin group.
Few ways to give him rights to add machines, I like user rights assignment but there are several methods
http://www.windowsitpro.com/article/jsifaq/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-
Are the printers on a print server or are these local printers. The print operators group is an option http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
Thanks
Mike
http://www.frickelsoft.net/blog/?p=13
Create a group call it something like "helpdesk admins" and add that to the local admin group.
Few ways to give him rights to add machines, I like user rights assignment but there are several methods
http://www.windowsitpro.com/article/jsifaq/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-
Are the printers on a print server or are these local printers. The print operators group is an option http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx
Thanks
Mike
ASKER
Perfect I will look at those options but that sounds like it is what I need. I am not sure about the printers as I am joining the company this week. I am not familiar with what they have implemented just yet. I just know I need to lock down the Sys Admin's Account to only provide helpdesk support.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
ASKER