tomfontanilla
asked on
How do I create a limited domain admin account
We have a new IT personnel. I want this person to have domain admin rights with limited capability.
Goals:
I want this limited domain admin to add computers.
I want this limited domain admin to add/remove programs.
I do not want this admin to be able to use RDP or access any of my servers.
Please advise.
Assign Delegate Permission to the AD account: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
I would leave this new person as a simple domain user.
Create a group or add the user to an existing group that you can add to the local Admin group of Computers (not servers), which would provide the ability to add programs to workstations.
Create or modify GPO to give the user permission to add computers to the domain.
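The following is an added example (not code from the thread or from Experts Exchange) of the delegation model the answer above describes: the new person stays a plain domain user, a "Helpdesk" group is created, and that group is delegated the right to create and manage computer objects in a workstations OU. It assumes the RSAT ActiveDirectory module on a machine with domain rights, an OU named "Workstations" and a user named "newtech" (both placeholders). The local-Administrators membership on workstations (Restricted Groups) and the "Deny log on through Remote Desktop Services" right on the servers OU are set in GPMC and are not scripted here.

```powershell
# Added example: delegate computer-join rights to a helpdesk group on one OU.
# Assumptions (placeholders): OU "Workstations", group "Helpdesk", user "newtech".
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = 'Workstations'        # assumed OU name
$ouDn      = "OU=$ouName,$domainDn"
$groupName = 'Helpdesk'            # the "helpdesk" group mentioned in the thread
$helper    = 'newtech'             # assumed user account, stays a normal domain user

# 1. Create the OU and the security group if they do not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}
Add-ADGroupMember -Identity $groupName -Members $helper

# 2. Delegate on the OU: create/delete computer objects, plus full control over
#    computer objects already in the OU (needed to re-join or reset a machine).
$group        = Get-ADGroup $groupName
$groupSid     = New-Object System.Security.Principal.SecurityIdentifier $group.SID
$computerGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "computer" class

$acl = Get-Acl -Path "AD:\$ouDn"
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$manageExisting = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageExisting)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Make newly joined computers land in that OU by default, so the
#    Restricted Groups GPO linked there (in GPMC) applies to them.
redircmp $ouDn

# 4. Check: the helpdesk group must not be nested anywhere under a privileged
#    group, otherwise the "limited" admin is not limited at all.
$privileged = 'Domain Admins','Enterprise Admins','Administrators','Account Operators','Server Operators'
$nestedIn = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
            Select-Object -ExpandProperty Name
foreach ($p in $privileged) {
    if ($nestedIn -contains $p) {
        Write-Warning "$groupName is (transitively) a member of '$p' - remove it; delegation does not need it."
    }
}
```

The LDAP filter in step 4 uses the in-chain matching rule, so it finds nesting through intermediate groups, not just direct membership. Because the user is never a member of Domain Admins, the RDP restriction on servers reduces to a user-rights setting ("Deny log on through Remote Desktop Services" for the Helpdesk group) in a GPO linked to the servers OU, and the workstation local-admin rights come only from the Restricted Groups policy on the Workstations OU.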
ASKER CERTIFIED SOLUTION
ASKER
Thank you all for your response.
mkline71,
So using this, I have to create an OU. Under this OU create a group called "helpdesk".
Under this group, I have to add a GP. On the GPO, I have to delegate rights.
Is this correct?
Do you have a workstations OU? The GPO would be linked to that OU (the restricted groups GPO).
Delegating rights to join machines can be done at the domain level.
Thanks
Mike
ASKER
Yes I do. But as we grow, we may need to keep hiring IT personnel within 2 years, at least 2 to 3 persons. So I am looking for long term.
SOLUTION
ASKER
OK. I will try this.
ASKER
mkline71,
OK. It looks like it's working. However, I did encounter some issues. I cannot add a user on the local machine. Thoughts?
Thank you for your help.
Did you use restricted groups to do that?
ASKER
No, I followed the instructions exactly.
https://www.experts-exchange.com/questions/26574210/Add-computer-to-domain-permissions.html
http://www.frickelsoft.net/blog/?p=13
ASKER
Got it. It's working. Changed the secpol.
ASKER
Great response time and answer.