Hi all.

We administer a client and we have an employee of that business who requires administrative access to two of the four servers.

Unfortunately this employee is a major pain in the rear - very much a loose cannon and a 'let's just delete that registry key and see what happens' type of person.

This person does not need access to the SBS2011 server and file server but seems to log on just to scare the hell out of me and to mess around.

My question is, can we restrict (not able to log on) this user's access to the SBS2011 server and the file server (Server 2008 R2) even though they are network administrators (they require this access for the other servers)?

Thank you
Lee W, MVP (Technology and Business Process Advisor) commented:
There is no "Super User" group.

DO NOT give him "Domain Administrator" rights.

Only place him in the Administrators group of the servers he needs access to.

I would:
1. Give all users - ALL USERS - a domain USER account ONLY.
2. Create LOCAL accounts on the servers users need admin access to for those users - and place them in the local Administrators group of that server

Doing #2 forces them to use the admin account when necessary and doesn't permit them to EASILY and ALWAYS have admin rights.
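
One way to check that the setup described in the comment above stays in place, as an added example that is not part of the original thread: a PowerShell audit that reads each server's local Administrators group and reports anything outside an expected list. The server names, the `emp-admin` account and the expected lists are hypothetical placeholders; it assumes the listed machines are member servers (a domain controller such as the SBS box has no local accounts) and that it runs under an account allowed to read the group remotely.

```powershell
# Added example. Server names and account names are hypothetical placeholders.
# Expected local Administrators members per server, written as Local\name or Domain\name.
$expected = @{
    'APP01' = @('Local\Administrator', 'Local\emp-admin', 'Domain\Domain Admins')
    'APP02' = @('Local\Administrator', 'Local\emp-admin', 'Domain\Domain Admins')
    'FS01'  = @('Local\Administrator', 'Domain\Domain Admins')
}

function Get-LocalAdminMember {
    param([string]$Server)
    # The WinNT ADSI provider needs no extra modules on Server 2008 R2.
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    foreach ($member in $group.Invoke('Members')) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # A local account's path carries the server name as its second-to-last segment.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2 -and $parts[-2] -ieq $Server) { $scope = 'Local' } else { $scope = 'Domain' }
        '{0}\{1}' -f $scope, $parts[-1]
    }
}

foreach ($server in $expected.Keys) {
    try {
        $actual = @(Get-LocalAdminMember -Server $server)
    } catch {
        # Unreachable server or access denied: report it instead of treating it as clean.
        Write-Warning "$server : could not read Administrators group ($($_.Exception.Message))"
        continue
    }
    # Members present on the server but not on the expected list.
    foreach ($entry in $actual) {
        if ($expected[$server] -notcontains $entry) {
            Write-Output "$server : UNEXPECTED admin '$entry'"
        }
    }
    # Expected members that have been removed.
    foreach ($entry in $expected[$server]) {
        if ($actual -notcontains $entry) {
            Write-Output "$server : expected admin '$entry' is missing"
        }
    }
}
```

Run on a schedule, this flags the case where a domain user account is added back into a server's Administrators group, or where the per-server admin account appears on a server it was never meant for.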
Natty Greg (In Theory (IT)) commented:
Remove him from the administrator group and put him in the super user group, then grant him certain access permissions that allow him to carry out his task, without admin rights.
David Atkin (IT Professional) commented:
I'd agree with Lee here. Such a person should not be allowed to log on to the servers. It will bite you in the ass at some point.

I am presuming he is not using the network admin account for his day-to-day activities? I would give him an emergency admin account and change the password regularly to prevent him from just logging on whenever.
