Permissions Question in AD

Posted on 2011-10-18
Last Modified: 2012-05-12
I have a system admin whose permissions on the network I want to lock down.  His role is to support the end users and any issues they are having with their machines or applications.  He is also supposed to fix any printer issues as needed.  Here is my dilemma.  Currently he is a domain admin, and I am going to remove him from that group.  He does not need that much control.  I just need to know which groups to put him in so that he can manage the users, add comps to the domain, and handle printer problems.  Which groups should I use?
Question by:mrwarejr
    LVL 9

    Assisted Solution

    You can use Group Policy to give him local admin rights to all workstations:

    Author Comment

    That is great to just give him local admin rights.  What about allowing him to add comps to the domain?  What group will allow him that without giving him too much control?
    LVL 57

    Expert Comment

    by:Mike Kline
    Sounds like he will need an account that has local admin rights on the PCs.  You can use restricted groups to do that.

    Create a group, call it something like "helpdesk admins", and add that to the local admin group.

    There are a few ways to give him rights to add machines. I like user rights assignment, but there are several methods.

    Are the printers on a print server or are these local printers?  The print operators group is an option.
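
One way to script the group changes discussed in this thread and check the result, added here as an example and not posted by any participant. It assumes the ActiveDirectory PowerShell module and a single-domain forest; the account name `jsmith`, the SAM name `HelpdeskAdmins` and the OU path are placeholders.

```powershell
# Added example; placeholder values below are not from the thread.
Import-Module ActiveDirectory

$User       = 'jsmith'                        # placeholder: the helpdesk account
$GroupName  = 'Helpdesk Admins'               # group name suggested in the thread
$GroupSam   = 'HelpdeskAdmins'                # placeholder SAM account name
$GroupPath  = 'OU=Groups,DC=example,DC=com'   # placeholder OU for the new group
# Built-in groups that grant domain-wide or domain-controller rights.
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'

# 1. Create the helpdesk group once. This group, not the user, is what the
#    Restricted Groups policy (configured separately in Group Policy) adds to
#    the local Administrators group on workstations.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupSam'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupSam `
        -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# 2. Swap the direct memberships: into the helpdesk group, out of Domain Admins.
$direct = Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object -ExpandProperty SamAccountName
if ($direct -notcontains $GroupSam) {
    Add-ADGroupMember -Identity $GroupSam -Members $User
}
if ($direct -contains 'Domain Admins') {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $User -Confirm:$false
}

# 3. Audit: the account must not reach a privileged group through nesting either.
$userDn  = (Get-ADUser -Identity $User).DistinguishedName
$stillIn = foreach ($g in $Privileged) {
    $memberDns = Get-ADGroupMember -Identity $g -Recursive |
        Select-Object -ExpandProperty DistinguishedName
    if ($memberDns -contains $userDn) { $g }
}

if ($stillIn) {
    Write-Warning "$User is still an effective member of: $($stillIn -join ', ')"
} else {
    Write-Output "$User holds no membership in the audited privileged groups."
}
```

Run it from a separate administrative account, and rerun step 3 after any later group change to catch privileged access regained through nesting.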



    Author Comment

    Perfect I will look at those options but that sounds like it is what I need.  I am not sure about the printers as I am joining the company this week.  I am not familiar with what they have implemented just yet.  I just know I need to lock down the Sys Admin's Account to only provide helpdesk support.
    LVL 9

    Accepted Solution

    I believe you need to create one OU and put this particular admin in it and apply all the Group Policy permissions that you want to. If at some point in time you want to increase his privileges then you just need to move profile to Admin groups...
    LVL 27

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
