I have a system admin whose permissions on the network I want to lock down. His role is to support the end users and any issues they are having with their machines or applications. He is also supposed to fix any printer issues as needed. Here is my dilemma. Currently he is a domain admin, and I am going to remove him from that group. He does not need that much control. I just need to know which groups to put him in, in order to manage the users, add comps to the domain, and handle printer problems. Which groups should I use?