Permissions Question in AD

I have a system admin that I want to lock down his permissions on the network.  His role is to support the end users and any issues they are having with their machines or applications.  He is also supposed to fix any printer issues that are needed.  Here is my dilema.  Currently he is a domain admin which I am going to remove him from that group.  He does not need that much control.  I just need to know which groups to put him in in order to manage the users, add comps to the domain, and handle printer problems.  Which groups should I use?
Who is Participating?
I believe you  need to create one OU and put this perticular admin in it and apply all the Group Policy permissions that you want to. If some point of a time you want to increase his privilages then you just need to move profile to Admin groups...
You can use Group Policy to give him local admin rights to all workstations:
mrwarejrAuthor Commented:
That is great to just give him local admin rights.  What about allowing him to add comps to the domain.  What group will allow him that without giving him too much control?
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Mike KlineCommented:
Sounds like he will need an account that has local admin rights on the PCs.  You can use restricted groups to do that

Create a group call it something like "helpdesk admins" and add that to the local admin group.

Few ways to give him rights to add machines, I like user rights assignment but there are several methods

Are the printers on a print server or are these local printers.  The print operators group is an option


mrwarejrAuthor Commented:
Perfect I will look at those options but that sounds like it is what I need.  I am not sure about the printers as I am joining the company this week.  I am not familiar with what they have implemented just yet.  I just know I need to lock down the Sys Admin's Account to only provide helpdesk support.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.