• Status: Solved
  • Priority: Medium
  • Security: Public

Permissions Question in AD

I have a system admin that I want to lock down his permissions on the network. His role is to support the end users and any issues they are having with their machines or applications. He is also supposed to fix any printer issues that are needed. Here is my dilemma. Currently he is a domain admin which I am going to remove him from that group. He does not need that much control. I just need to know which groups to put him in in order to manage the users, add comps to the domain, and handle printer problems. Which groups should I use?
0
Asked by: mrwarejr

bill_lynch Commented:
You can use Group Policy to give him local admin rights to all workstations:

http://www.frickelsoft.net/blog/?p=13
0
 
mrwarejr (Author) Commented:
That is great to just give him local admin rights. What about allowing him to add comps to the domain? What group will allow him that without giving him too much control?
0
 
Mike Kline Commented:
Sounds like he will need an account that has local admin rights on the PCs. You can use restricted groups to do that.

http://www.frickelsoft.net/blog/?p=13

Create a group, call it something like "helpdesk admins", and add that to the local admin group.

A few ways to give him rights to add machines. I like user rights assignment, but there are several methods.

http://www.windowsitpro.com/article/jsifaq/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-

Are the printers on a print server or are these local printers? The print operators group is an option: http://technet.microsoft.com/en-us/library/cc756898(WS.10).aspx

Thanks


Mike
0
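
The steps from the answer above written out in PowerShell, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is installed; the account name, group name and OU path are placeholders.

```powershell
# Added example. jsmith, HelpdeskAdmins and the OU path are placeholders,
# not values from the thread.
Import-Module ActiveDirectory

$User      = 'jsmith'                        # placeholder account name
$GroupName = 'HelpdeskAdmins'                # the "helpdesk admins" group
$GroupPath = 'OU=Groups,DC=example,DC=com'   # placeholder OU

# 1. Create the helpdesk group if it does not exist, then add the account.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupPath
}
Add-ADGroupMember -Identity $GroupName -Members $User

# 2. Remove the direct Domain Admins membership.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $User -Confirm:$false

# 3. Still to do in Group Policy (not scripted here):
#    - Restricted Groups: put $GroupName into the local Administrators
#      group on the workstations.
#    - User Rights Assignment: grant "Add workstations to domain"
#      to $GroupName.

# 4. Verify. Nested groups can leave the account privileged after step 2,
#    so check each privileged group recursively.
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Server Operators',
              'Backup Operators'
$Remaining = foreach ($g in $Privileged) {
    try {
        $hit = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
               Where-Object { $_.SamAccountName -eq $User }
        if ($hit) { $g }
    } catch {
        # Enterprise/Schema Admins exist only in the forest root domain.
        Write-Warning "Could not read group '$g': $($_.Exception.Message)"
    }
}
if ($Remaining) {
    Write-Warning "$User is still a member of: $($Remaining -join ', ')"
} else {
    Write-Output "$User holds none of the checked privileged groups."
}
```

Run step 4 again after any later group change, since a single nested membership is enough to restore domain-wide rights.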
 
mrwarejr (Author) Commented:
Perfect I will look at those options but that sounds like it is what I need.  I am not sure about the printers as I am joining the company this week.  I am not familiar with what they have implemented just yet.  I just know I need to lock down the Sys Admin's Account to only provide helpdesk support.
0
 
ZenVenky (Architect) Commented:
I believe you need to create one OU and put this particular admin in it and apply all the Group Policy permissions that you want to. If at some point in time you want to increase his privileges then you just need to move the profile to Admin groups...
0
 
Tolomir (Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0