Windows Server Active Directory - Best practices to set up a help desk junior admin

Hi Guys,
I need to set up a help desk guy that works for me as a junior admin.  

What I need to know is what are the best practices to do this, specifically:

What groups should he be part of?
How to set him up with the MMC tool running on his computer so that he only gets access to the domain users and computers snap-in?

He must be able to add users, unlock accounts, manage remote desktops, etc.

Please advise.
cargex Asked:

Joseph Moody (Blogger and wearer of all hats) Commented:
You will want to create a security group in AD named something like "Delegation - Junior Administrators". Put his account into that group.

Then on any OUs that you want him to have access to, right click on them and select delegate control. Go through that wizard and assign the security group you created the permissions you require.

Will Szymkowski (Senior Solution Architect) Commented:
With RSAT on the user's workstation, they will be able to view all of the OU structures. However, whatever you delegate will be the only objects that this account will be able to manage.

Delegate Unlock Password
https://support.microsoft.com/en-us/kb/294952

You may also want to see the following link for additional details on AD Delegation
https://technet.microsoft.com/en-ca/library/cc778807(v=ws.10).aspx

I would agree that creating a new Security Group and applying the permissions to the group rather than the user would be preferred.

If you want this group to also have Remote Desktop admin rights, you will need to set up the Restricted User GPO to add this group to Remote Desktop Users or Local Admins on all of the workstations in your domain.

Active Directory Restricted Groups
http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

Will.
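
The delegation described in the two answers above, scripted instead of clicked through the wizard. This is an added example, not code from the thread or from the linked Microsoft articles. The OU paths and the account name are placeholders, and the two delegated tasks (create users, unlock accounts) are an assumption about what the help desk needs.

```powershell
# Added example. Run as an account allowed to edit the OU's ACL, on a machine with RSAT.
Import-Module ActiveDirectory

$ou      = 'OU=Staff,DC=example,DC=com'          # placeholder: OU the help desk may manage
$groupOu = 'OU=Groups,DC=example,DC=com'         # placeholder: OU that holds the group
$group   = 'Delegation - Junior Administrators'  # group name suggested in the thread
$junior  = 'jdoe'                                # placeholder: junior admin's logon name

# 1. Create the security group and put the junior admin's account in it,
#    so permissions are granted to the group and never to the user directly.
New-ADGroup -Name $group -SamAccountName $group -GroupScope Global `
            -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity $group -Members $junior

$principal = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $group

# 2. Delegate on that OU only.
#    /I:T = this object and sub-objects, /I:S = sub-objects only.
#    CC;user                -> create user objects in the OU
#    RPWP;lockoutTime;user  -> read/write lockoutTime on user objects (unlock account)
dsacls $ou /I:T /G "${principal}:CC;user"
dsacls $ou /I:S /G "${principal}:RPWP;lockoutTime;user"

# 3. Review what was granted: list every ACE on the OU that names the group.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# 4. Confirm the account holds no broader rights through other group memberships.
Get-ADPrincipalGroupMembership -Identity $junior |
    Select-Object -ExpandProperty Name
```

Step 4 should list only Domain Users and the delegation group; any built-in administrative group in that output gives the account rights beyond what was delegated on the OU.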

cargex (Author) Commented:
Thank you very much Guys, this is exactly what I needed.