locking out a user from SBS2011

Hi all.

We administer a client and we have an employee of that business who requires administrative access to two of the four servers.

Unfortunately this employee is a major pain in the rear - very much a loose cannon and a 'let's just delete that registry key and see what happens' type of person.

This person does not need access to the SBS2011 server and file server but seems to log on just to scare the hell out of me and to mess around.

My question is, can we restrict (not able to log on) this user's access to the SBS2011 server and the file server (Server 2008 R2) even though they are network administrators (they require this access for the other servers)?

Thank you

Natty Greg, In Theory (IT), commented:
Remove him from the administrator group and put him in the super user group, then grant him certain access permissions that allow him to carry out his task, without admin rights.

Lee W, MVP, Technology and Business Process Advisor, commented:
There is no "Super User" group.

DO NOT give him "Domain Administrator" rights.

Only place him in the Administrators group of the servers he needs access to.

I would:
1. Give all users - ALL USERS - a domain USER account ONLY.
2. Create LOCAL accounts on the servers users need admin access to for those users - and place them in the local Administrators group of that server

Doing #2 forces them to use the admin account when necessary and doesn't permit them to EASILY and ALWAYS have admin rights.
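
The two steps described in the answer above, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt on a member server the employee must administer (a domain controller such as the SBS2011 box has no local accounts), and `jsmith-adm` is a hypothetical account name.

```powershell
# Added example; 'jsmith-adm' is a hypothetical account name, not from the thread.
$LocalAdmin = 'jsmith-adm'

# Review who currently holds domain-wide admin rights; the employee's
# everyday domain account should not appear in this list.
net group "Domain Admins" /domain

# Create the per-server local account. '*' makes net.exe prompt for the
# password so it never appears on the command line or in history.
net user $LocalAdmin * /add /comment:"Local admin for this server only"
net localgroup Administrators $LocalAdmin /add

# List the local Administrators group and mark each member as local or
# non-local, so leftover domain accounts with admin rights here stand out.
$pattern = '/' + [regex]::Escape($env:COMPUTERNAME) + '/'
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
@($group.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $scope = if ($path -match $pattern) { 'local' } else { 'non-local' }
    New-Object PSObject -Property @{ Member = $path; Scope = $scope }
}
```

Run it only on the servers where admin access is required; on every other server the employee then holds nothing more than an ordinary domain user account.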

David Atkin, Technical Director, commented:
I'd agree with Lee here. Such a person should not be allowed to log on to the servers. It will bite you in the ass at some point.

I am presuming he is not using the network admin account for his day-to-day activities? I would give him an emergency admin account and change the password regularly to prevent him from just logging on whenever.