Creating a restricted domain admin account

Robert Grover
We have a temp worker who was hired to work on our help desk (Tier 2), and I need to find the best way to manage this account until he becomes a full-time worker who has passed background checks. I am looking for suggestions or advice on how to give him just enough rights to do his job, and avoid a possible security breach if things don't work out with him. I just don't feel it's a good idea to grant him default domain admin rights until we know he works out.

Thanks in advance
Distinguished Expert 2018

Commented:
Robert, what will he be doing? Helping users at their workstations, or administering AD user objects as well? These two things are worlds apart.
For workstation support, please look at this concept for safe user support: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html - flexible, safe, easy to setup.
Robert Grover, Network Systems Administrator

Author

Commented:
I want to keep him from playing around with anything beyond AD Users and Computers (DHCP, DNS, Etc.).
Distinguished Expert 2018

Commented:
Please tell us what you want him to be doing, not what you want him not to be doing :-)
Peter Hutchison, Senior Network Systems Specialist
Commented:
Use the 'Delegate Control' feature in AD Users and Computers to specify what rights to give this user.
Open AD Users and Computers, select the domain or OU you want to change, right click and select Delegate Control and follow the wizard to provide the required rights.
Robert Grover, Network Systems Administrator

Author

Commented:
I want him to be able to do common things like password changes, user management, adding PCs to the domain, etc. I knew about the delegate control, but I was wondering if I had to take him out of domain admins if I delegate?
Peter Hutchison, Senior Network Systems Specialist

Commented:
Yes, you should remove him from Domain Admins before using Delegate Control for that user.
Distinguished Expert 2018

Commented:
Sure, you will have to take him out of Domain Admins unless you want to start applying "deny" entries to your AD object ACLs, which is not recommended.
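The two steps the experts describe above (drop the account from Domain Admins, then delegate) done in PowerShell rather than through the wizard, as an added example that is not part of the thread. It assumes the ActiveDirectory module on a management host, and the OU, group and account names are placeholders; the ACEs it writes correspond to the wizard tasks Robert asked for (reset passwords and force a change at next logon, create/delete/manage user accounts, join computers to the domain). It also clears the AdminSDHolder leftovers that removing someone from a protected group does not undo on its own.

```powershell
# Added example (not from the thread): remove the temp account from Domain Admins and
# delegate the help-desk tasks on one OU through the ActiveDirectory module's AD: drive.
# OU, group and account names are assumed placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Staff,DC=corp,DC=example'         # assumed OU holding the users he supports
$compOu  = 'OU=Workstations,DC=corp,DC=example'  # assumed OU where joined PCs land
$group   = 'Tier2-HelpDesk'                      # assumed group that carries the delegation
$account = 'tempworker'                          # assumed sAMAccountName of the temp

# 1. Out of Domain Admins, into a dedicated delegation group.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $account -Confirm:$false
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $group -Members $account

# Leaving a protected group does not reverse AdminSDHolder: adminCount stays 1 and ACL
# inheritance stays blocked on the user object. Reset both so normal ACLs apply again.
Set-ADUser -Identity $account -Clear adminCount
$userDn  = (Get-ADUser -Identity $account).DistinguishedName
$userAcl = Get-Acl -Path "AD:\$userDn"
$userAcl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep current ACEs
Set-Acl -Path "AD:\$userDn" -AclObject $userAcl

# 2. Resolve schema class / attribute / extended-right GUIDs by name, not hard-coded values.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}
$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$sid   = (Get-ADGroup -Identity $group).SID
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
function New-Ace { New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $args }

# 3. ACEs equivalent to the Delegate Control wizard tasks, limited to user objects under $ou.
$acl = Get-Acl -Path "AD:\$ou"
# "Reset user passwords and force password change at next logon"
$acl.AddAccessRule((New-Ace $sid $R::ExtendedRight $allow $resetPassword $desc $userClass))
$acl.AddAccessRule((New-Ace $sid ($R::ReadProperty -bor $R::WriteProperty) $allow $pwdLastSet $desc $userClass))
# "Create, delete and manage user accounts" (full control on user objects only, as the wizard grants)
$acl.AddAccessRule((New-Ace $sid ($R::CreateChild -bor $R::DeleteChild) $allow $userClass $all))
$acl.AddAccessRule((New-Ace $sid $R::GenericAll $allow $desc $userClass))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# "Join a computer to the domain": create computer objects in the workstation OU only,
# so joins land there instead of relying on ms-DS-MachineAccountQuota.
$compAcl = Get-Acl -Path "AD:\$compOu"
$compAcl.AddAccessRule((New-Ace $sid $R::CreateChild $allow $computerClass $all))
$compAcl.AddAccessRule((New-Ace $sid $R::GenericAll $allow $desc $computerClass))
Set-Acl -Path "AD:\$compOu" -AclObject $compAcl

# 4. Review the result: group list must no longer show Domain Admins, and the OU ACL
#    should show only object-type-scoped allow entries for the help-desk group.
Get-ADPrincipalGroupMembership -Identity $account | Select-Object -ExpandProperty Name
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Every ACE is an allow entry scoped by object type and placed on the OU, which is what keeps the deny entries the expert warns about unnecessary: nothing here touches DHCP, DNS or the domain head, so there is nothing to deny. Putting the rights on a group rather than the account means revoking access later is a single group-membership change.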
Robert Grover, Network Systems Administrator

Author

Commented:
Thanks for all of this info from everyone.
Distinguished Expert 2018

Commented:
Robert, just a note since your membership is relatively recent: you can split points between all helpful answers. Maybe you didn't know that, just in case :-)
Robert Grover, Network Systems Administrator

Author

Commented:
Thanks for the advice on feedback. As a side note to the responses, I gave him delegate rights but he is not able to log into the server to manage user accounts. Does delegation take away local login rights on the DC? Should I have that user install the admin tools on his system? Thanks again for everyone's help.
Distinguished Expert 2018

Commented:
Yes, install RSAT on his system. He should not need to logon to the server.
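The RSAT route the expert recommends, as an added example that is not from the thread: it installs the Active Directory RSAT feature on a Windows 10 (1809 or later) or Windows 11 workstation and then exercises the delegated tasks from that workstation, which is why the missing DC logon right is not a problem. The test account name and server DN are assumed placeholders.

```powershell
# Added example (not from the thread): AD RSAT tools on the Tier 2 worker's workstation.
# Run elevated. 'jdoe' and the server DN are assumed placeholders.
$cap = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
if ((Get-WindowsCapability -Online -Name $cap).State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap | Out-Null
}
Import-Module ActiveDirectory

# The module talks to a DC over ADWS/LDAP; delegated rights on the OU are all it needs.
# The DC's "Allow log on locally" policy is a separate right and should stay untouched.
Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
    Where-Object Name -eq 'Domain Admins' |
    ForEach-Object { Write-Warning 'Account is still in Domain Admins; delegation is moot.' }

# Delegated "reset password and force change at next logon", driven from the workstation.
$newPwd = Read-Host -AsSecureString -Prompt 'Temporary password for jdoe'
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $newPwd
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true

# Outside the delegated OU a write must be refused; a success here means the scope is too wide.
try {
    Set-ADObject -Identity 'CN=SomeServer,OU=Servers,DC=corp,DC=example' -Description 'test' -ErrorAction Stop
    Write-Warning 'Write outside the delegated OU succeeded; review the delegation.'
} catch {
    "Refused outside the delegated OU, as intended: $($_.Exception.Message)"
}
```

The last step is the check worth keeping around: run it as the delegated account whenever the delegation is changed, so a too-broad ACE shows up as an unexpected success rather than going unnoticed.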