Restrict Domain Administrator to workstations only

Experts, I need to figure out a way to give our computer technician full access to our workstations. Some programs require a domain admin's credentials to override the permissions to allow the installation of new programs.
Problem is...
By giving him a domain admin, he now can remote into any of our servers. How can I block his server access, but still allow him to have admin access over the workstations?
dheinmiller asked:
McKnife commented:
Sorry, there's no program that requires domain admin credentials - that's simply impossible. If you administer the domain, use a domain admin. If you administer local programs, don't use a domain admin.
You should set up a support user and have that one added to the local admins group using the Restricted Groups feature inside GPOs. Then apply that GPO to workstations only.
0
dheinmiller (Author) commented:
McKnife, Thanks for the clarification, can you provide more details on exactly how to implement your recommendation?
Thank you!
0
McKnife commented:
1. Set up a domain account "support1" with a secure password.
2. Create a GPO and use Restricted Groups as shown in the picture.
[Screenshot]
Apply that GPO to all client machines in question but NOT the servers.
0


dheinmiller (Author) commented:
McKnife - You're the Best!!!!
I set it up, and it works exactly how we want.
I appreciate you taking the time to create the diagrams.
Thank you,
dheinmiller
0
Lee W, MVP (Technology and Business Process Advisor) commented:
I'll suggest a different approach.

1. Create a "Workstation Admins" user group in AD.  Add that group to the local Administrators group of all workstations (should be possible with Group Policy).  Then you can add your technicians to that group, which will give them all the rights they need to install just about anything on the workstations but prevents them from logging in to the servers.
2. Same as 1, except create separate workstation admin accounts for each technician to maintain accountability and prevent potential issues if a technician ever does something stupid and gets themselves infected with a worm.  (To be clear, you still create a Workstation Admins group and assign it to the local workstations, but then, instead of using the technician's existing account (for example, "John"), you create an account called "John-WA" which the technician must use for administration of the workstations - that John-WA account is the one that gets placed in the Workstation Admins group and is used by the technician.)
0
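The two procedures above (McKnife's support account plus a Restricted Groups GPO linked to workstations only, and Lee W's "Workstation Admins" group with a separate "John-WA" account per technician) share the same AD and GPO plumbing, so here is one scripted version of both. This is an added example, not code from either poster or from Experts Exchange; the domain corp.example, the OUs Workstations, Servers, Groups and Admins, the computer names WS01 and SRV01 and the technician names are placeholders. To follow McKnife's steps literally, replace the technician loop with a single "support1" account.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory and GroupPolicy modules on a
# domain-joined admin host, the domain corp.example, and OUs "Workstations", "Servers", "Groups" and
# "Admins" directly under it (all placeholders).
Import-Module ActiveDirectory, GroupPolicy

$Domain        = 'corp.example'
$DomainDN      = 'DC=corp,DC=example'
$WorkstationOU = "OU=Workstations,$DomainDN"
$ServerOU      = "OU=Servers,$DomainDN"
$GroupName     = 'Workstation Admins'
$GroupSam      = 'WorkstationAdmins'
$GpoName       = 'Workstation Local Admins'

# 1. The group that becomes a local Administrator on workstations only. It is a plain global
#    security group with no rights of its own; everything it can do comes from the GPO below.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupSam -GroupScope Global `
        -GroupCategory Security -Path "OU=Groups,$DomainDN" `
        -Description 'Local admin on workstations only. Never nest into Domain Admins or server groups.'
}

# 2. One dedicated "<name>-WA" account per technician, separate from the account used for mail
#    and browsing, so the privileged identity is never exposed to everyday risk.
foreach ($tech in 'John', 'Mary') {
    $sam = "$tech-WA"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$Domain" `
            -Path "OU=Admins,$DomainDN" -Enabled $true -ChangePasswordAtLogon $true `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $sam") `
            -Description "Workstation admin account for $tech"
    }
    Add-ADGroupMember -Identity $GroupSam -Members $sam
}

# 3. A GPO linked to the workstation OU and nowhere else. Restricted Groups has no cmdlet, so after
#    this runs, open the GPO in gpmc.msc: Computer Configuration > Policies > Windows Settings >
#    Security Settings > Restricted Groups, add "CORP\Workstation Admins" and set
#    "This group is a member of: Administrators". That form appends to the local group; defining
#    BUILTIN\Administrators with a "Members of this group" list instead REPLACES its membership.
if (-not (Get-GPO -All | Where-Object DisplayName -eq $GpoName)) {
    New-GPO -Name $GpoName -Comment 'Adds CORP\Workstation Admins to local Administrators on workstations' | Out-Null
}
New-GPLink -Name $GpoName -Target $WorkstationOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4a. Check: the GPO must not reach any OU that holds servers (direct links or inherited ones).
$serverLinks = (Get-GPInheritance -Target $ServerOU).InheritedGpoLinks | Where-Object DisplayName -eq $GpoName
if ($serverLinks) { throw "$GpoName applies to $ServerOU - fix the links before handing out accounts." }

# 4b. Check: the group must not be nested into a privileged built-in group, which would silently
#     turn "workstation admin" back into "server admin".
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
$nested = Get-ADPrincipalGroupMembership -Identity $GroupSam | Where-Object { $_.Name -in $privileged }
if ($nested) { throw "$GroupSam is nested into: $($nested.Name -join ', ')" }

# 4c. Check on a workstation and on a server: HasGroup must be True on WS01 and False on SRV01.
Invoke-Command -ComputerName 'WS01', 'SRV01' -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        HasGroup = [bool](Get-LocalGroupMember -Group 'Administrators' -Member 'CORP\Workstation Admins' -ErrorAction SilentlyContinue)
    }
}
```

The linking scope is the only thing keeping these accounts off the servers, which is why step 4a is there: a later "link to the domain root" or a server moved into the wrong OU undoes the restriction without touching the GPO. As a second fence, a GPO on the server OU can put CORP\Workstation Admins into "Deny log on locally" and "Deny log on through Remote Desktop Services" (User Rights Assignment, also set in the GPO editor), so a mistaken link still does not yield a server session.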
McKnife commented:
To expand even further:

We use an altogether different concept for security reasons.
I might publish an article soon as a step-by-step.

The main idea is to use single admins, one per supported workstation, so that if one of those accounts gets compromised (using mimikatz or the like), the attacker would only gain admin access to one workstation and not all. Apart from that, the account is only activated for the time of the support incident, so it will be very hard to exploit that.
All is managed by a script and not complicated at all.

As soon as I have completed my article, I will link it here.
0
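The single-admin-per-workstation concept above, with the account active only for the duration of the incident, can be run from a few functions. This is an added example and not McKnife's script (which is not shown in the thread): it assumes the ActiveDirectory module, WinRM access to the workstation, the NetBIOS domain name CORP and an OU "OU=WorkstationAdmins,DC=corp,DC=example" for the per-machine accounts, all placeholders. The point it illustrates is blast radius: a domain admin who logs on interactively leaves reusable credential material on that machine, whereas the account "adm-WS01" is worthless anywhere except WS01 and is disabled and rotated when the ticket closes.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module, WinRM to the workstation,
# NetBIOS domain "CORP" and the OU below (placeholders). Account names are "adm-<hostname>", which
# stays within the 20-character sAMAccountName limit for a 15-character hostname.
Import-Module ActiveDirectory

$AdminOU     = 'OU=WorkstationAdmins,DC=corp,DC=example'
$NetbiosName = 'CORP'

function New-RandomPassword {
    # 24 random bytes -> 32-character Base64 string; the plaintext is returned once for the handover.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)
    [pscustomobject]@{ Plain = $plain; Secure = (ConvertTo-SecureString $plain -AsPlainText -Force) }
}

function Enable-WorkstationAdmin {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Hours = 2)
    $sam = "adm-$($ComputerName.ToUpper())"
    $pw  = New-RandomPassword

    # One account per workstation. Between incidents it exists but is disabled, expired and
    # holds a password nobody knows.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name $sam -SamAccountName $sam -Path $AdminOU -Enabled $false `
            -AccountPassword $pw.Secure -Description "JIT local admin for $ComputerName only"
    }

    # Fresh password, bounded lifetime, then enable: this is the technician's window.
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword $pw.Secure
    Set-ADAccountExpiration -Identity $sam -DateTime (Get-Date).AddHours($Hours)
    Enable-ADAccount -Identity $sam

    # Local Administrators membership on this single machine; nothing is granted anywhere else.
    Invoke-Command -ComputerName $ComputerName -ArgumentList "$NetbiosName\$sam" -ScriptBlock {
        param($member)
        if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group 'Administrators' -Member $member
        }
    }

    [pscustomobject]@{ Account = "$NetbiosName\$sam"; Password = $pw.Plain; ExpiresAt = (Get-Date).AddHours($Hours) }
}

function Disable-WorkstationAdmin {
    param([Parameter(Mandatory)][string]$ComputerName)
    $sam = "adm-$($ComputerName.ToUpper())"
    # Disable AND rotate: a hash scraped from LSASS during the incident must not stay valid.
    # Only AD is touched, so this works even when the workstation is switched off.
    Disable-ADAccount -Identity $sam
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword (New-RandomPassword).Secure
    Set-ADAccountExpiration -Identity $sam -DateTime (Get-Date)
}

function Disable-ExpiredWorkstationAdmins {
    # Scheduled cleanup for tickets nobody closed. Expiry already blocks new logons, but the
    # password is still the one handed out, so rotate it as well.
    Search-ADAccount -SearchBase $AdminOU -AccountExpired | Where-Object Enabled | ForEach-Object {
        Disable-WorkstationAdmin -ComputerName ($_.SamAccountName -replace '^adm-', '')
    }
}

# Usage:
#   $grant = Enable-WorkstationAdmin -ComputerName WS01 -Hours 2   # give $grant.Password to the technician
#   Disable-WorkstationAdmin -ComputerName WS01                    # when the ticket is closed
#   Disable-ExpiredWorkstationAdmins                               # from a scheduled task
```

Two limits worth knowing: disabling the account in AD does not end a session that is already open on the workstation, so close the ticket by logging the technician off as well; and because the account is a domain account, the workstation must reach a domain controller for the first logon (cached credentials only help on later logons).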
dheinmiller (Author) commented:
Thanks Guys!
I look forward to seeing the article...
0
Lee W, MVP (Technology and Business Process Advisor) commented:
McKnife's environment may well need that level of security.  If you do, fine.  Keep in mind that security is a balance - you cannot limit productivity too much - and what happens when the machine in question is off the domain for any reason or can't communicate with the machine that runs the script to activate the account?  My solutions don't fully address that issue either, but USUALLY, where you have a small number of technicians, they will have cached accounts, making that aspect less important.
0
dheinmiller (Author) commented:
Lee,  I will keep that in mind.
Thanks for the info!
0
dheinmiller (Author) commented:
Thanks McKnife!
Very Interesting and useful article!
0