I have a challenge with controlling administrative access to a Windows 2003 R2 Standard server running SP2 and operating as a DC. My company has recently opened an office overseas and we have installed a local site server running AD, DNS, DHCP as well as providing local file and print services to the office.
Since we have no local IT staff there, we have an agreement with a local IT support firm to provide on-site IT support as needed. I need to be able to allow this local IT company to have local admin access to the Windows server to manage print services, modify shares and perform server repairs and diagnostics. I do not want them to have full access to AD, nor do I want them to have the ability to remotely log on to any other server in our domain. If this was a member server it would be simple, but as this is a domain controller I am not sure how or even if it is possible to restrict them to only have admin access on the one domain controller.
I do know I can use delegated control in AD to restrict their access to AD tasks, but I see no way to avoid giving them membership to the domain administrators group to allow logon and admin rights to the local server. Since domain admin access would override any delegation, I need to know if there is a way to restrict them to only having admin access on one domain controller and limited AD access.