How do I create a limited domain admin account

We have a new IT person. I want this person to have domain admin rights with limited capability.
Goals:
I want this limited domain admin to add computers.
I want this limited domain admin to add/remove programs.
I do not want this admin to be able to use RDP or access any of my servers.

Please advise.
tomfontanilla asked:

Mike Kline commented:
See my answer here about delegating rights to add machines to the domain

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26574210.html

Do you want the person/group to be able to add/remove programs on users' workstations? If that is the case, use restricted groups and just give them admin rights to your workstations and nothing else. More on restricted groups here: http://www.frickelsoft.net/blog/?p=13

Thanks

Mike

remmett70 commented:
I would leave this new person as a simple domain user.

Create a group, or add the user to an existing group, that you can add to the local Administrators group of computers (not servers). That would provide the ability to add programs to workstations.

Create or modify GPO to give the user permission to add computers to the domain.

tomfontanilla (author) commented:
Thank you all for your response.

mkline71,

So, to do this, I have to create an OU. Under this OU, create a group called "helpdesk".
Under this group, I have to add a GP. On the GPO, I have to delegate rights.
Is this correct?

Mike Kline commented:
Do you have a workstations OU? The GPO would be linked to that OU (the restricted groups GPO).

Delegating rights to join machines can be done at the domain level.

Thanks

Mike

tomfontanilla (author) commented:
Yes, I do. But as we grow, we may need to keep hiring IT personnel; within 2 years, at least 2 to 3 people. So I am looking for the long term.

Mike Kline commented:
So that is why you delegate it to a group; call it "workstation admins". Then, when the new person comes, you just add them to that group and they have the delegated rights.

Thanks

Mike
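The delegation model from this thread (a "workstation admins" group that can join machines to a workstations OU, with local admin on workstations handled by a separate restricted groups GPO, never on servers), worked through as an added example that is not from the thread. It assumes the RSAT ActiveDirectory module, an OU=Groups and an OU=Workstations under the domain root, and a new hire named jdoe; all three names are assumptions.

```powershell
# Added example, not from the thread. Builds the delegated group, scopes its rights to
# the Workstations OU only, and verifies the result. Group/OU/user names are assumed.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName              # e.g. DC=corp,DC=example,DC=com
$groupName = 'Workstation Admins'                          # assumed group name
$ouDN      = "OU=Workstations,$domainDN"                   # assumed OU; delegate here, never at the root

# 1. The group that carries the delegation (future hires go here, never into Domain Admins)
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "OU=Groups,$domainDN" -PassThru `
        -Description 'Delegated: join computers to OU=Workstations'
}

# 2. ACEs a domain join needs, limited to *computer* objects under this OU.
#    GUIDs are the schema/extended-right identifiers from the AD schema.
$computer = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$rules = @(
    @{ R='CreateChild, DeleteChild';    T=$computer;                                        S='All' },
    @{ R='ExtendedRight';               T=[guid]'00299570-246d-11d0-a768-00aa006e0529';    S='Descendents' }, # Reset Password
    @{ R='Self';                        T=[guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd';    S='Descendents' }, # Validated write: DNS host name
    @{ R='Self';                        T=[guid]'f3a64788-5306-11d1-a9c5-0000f80367c1';    S='Descendents' }, # Validated write: SPN
    @{ R='ReadProperty, WriteProperty'; T=[guid]'4c164200-20c0-11d0-a768-00aa006e0529';    S='Descendents' }  # Account Restrictions property set
)
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($r in $rules) {
    $inheritedType = if ($r.S -eq 'All') { [guid]::Empty } else { $computer }   # descendant ACEs apply to computers only
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]$r.R,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $r.T,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$r.S,
        $inheritedType)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Add the new hire to the delegated group
Add-ADGroupMember -Identity $group -Members 'jdoe'

# 4. Verify: the ACEs sit on the OU, and the group is not nested in any privileged group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
Get-ADPrincipalGroupMembership -Identity $group | Select-Object -ExpandProperty Name
```

Local admin on workstations (add/remove programs) is not granted here: that is the Restricted Groups GPO from the thread, linked to OU=Workstations and placing this group into the local Administrators group, and it must not be linked to any server OU.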

tomfontanilla (author) commented:
OK. I will try this.

tomfontanilla (author) commented:
mkline71,

OK. It looks like it's working. However, I did encounter some issues. I cannot add a user on the local machine. Thoughts?

Thank you for your help.

Mike Kline commented:
Did you use restricted groups to do that?

tomfontanilla (author) commented:
Got it. It's working. I changed the secpol.

tomfontanilla (author) commented:
Great response time and answer.