Creating a restricted domain admin account

We have a temp worker who was hired to work on our help desk (Tier 2), and I need to find the best way to manage this account until he becomes a full-time worker who has passed background checks. I am looking for suggestions or advice on how to give him just enough rights to do his job, and avoid a possible security breach if things don't work out with him. I just don't feel it's a good idea to grant him default domain admin rights until we know he works out.

Thanks in advance
Robert Grover, Network Systems Administrator, asked:
 
Peter Hutchison, Senior Network Systems Specialist, commented:
Use the 'Delegate Control' feature in AD Users and Computers to specify what rights to give this user.
Open AD Users and Computers, select the domain or OU you want to change, right click and select Delegate Control and follow the wizard to provide the required rights.
1
 
McKnife commented:
Robert, what will he be doing? Helping users at their workstations, or administering AD user objects as well? These two things are worlds apart.
For workstation support, please look at this concept for safe user support: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html - flexible, safe, easy to setup.
1
 
Robert Grover, Network Systems Administrator (Author), commented:
I want to keep him from playing around with anything beyond AD Users and Computers (DHCP, DNS, Etc.).
1
 
McKnife commented:
Please tell us what you want him to be doing, not what you want him not to be doing :-)
0
 
Robert Grover, Network Systems Administrator (Author), commented:
I want him to be able to do common things like password changes, user management, adding PCs to the domain, etc. I knew about the delegate control, but I was wondering if I had to take him out of domain admins if I delegate?
0
 
Peter Hutchison, Senior Network Systems Specialist, commented:
Yes, you should remove him from Domain Admins before using Delegate Control for that user.
1
 
McKnife commented:
Sure, you will have to take him out of domain admins unless you want to start applying "deny"-entries at your AD object ACLs, which is not recommendable.
1
 
Robert Grover, Network Systems Administrator (Author), commented:
Thanks for all of this info from everyone.
0
 
McKnife commented:
Robert, just a note since your membership is relatively recent: you can split points between all helpful answers. Maybe you didn't know that, just in case :-)
1
 
Robert Grover, Network Systems Administrator (Author), commented:
Thanks for the advice on feedback. As a side note to the responses, I gave him delegate rights but he is not able to log into the server to manage user accounts. Does delegation take away local login rights on the DC? Should I have that user install the admin tools on his system? Thanks again for everyone's help.
0
 
McKnife commented:
Yes, install RSAT on his system. He should not need to log on to the server.
1
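The steps the thread settles on (take the account out of Domain Admins, delegate on the OU, give him RSAT instead of a DC logon), as an added PowerShell example; it is not code from any of the posts, and the OU, group and account names in it are placeholders.

```powershell
# Added example, not from any post in this thread. Placeholders: OU
# 'OU=Staff,DC=corp,DC=example', group 'Helpdesk-T2', temp account 'tworker'.
# Run on an admin workstation with the ActiveDirectory RSAT module available.
Import-Module ActiveDirectory

$ou       = 'OU=Staff,DC=corp,DC=example'   # placeholder OU the helpdesk may manage
$group    = 'Helpdesk-T2'                   # placeholder group that receives the rights
$tempUser = 'tworker'                       # placeholder temp worker account

# 1. Delegate to a group, not to the person; membership is easy to revoke later.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $group -Members $tempUser

# 2. As the answers say, the account must leave Domain Admins first; while it is
#    a member, the delegated ACEs change nothing because it already has everything.
$isDA = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.SamAccountName -eq $tempUser }
if ($isDA) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $tempUser -Confirm:$false
}

# 3. Write the same ACEs on the OU that the Delegate Control wizard would write.
$sid        = (Get-ADGroup $group).SID
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema GUID of the user class
$resetPwd   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # 'Reset Password' extended right
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$descend    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$thisAndAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rights     = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$ou"
# reset passwords on user objects below the OU
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::ExtendedRight, $allow, $resetPwd, $descend, $userClass))
# edit attributes of existing user objects (the 'user management' part)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::WriteProperty, $allow, $descend, $userClass))
# create and delete user objects in the OU and its sub-OUs
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $userClass, $thisAndAll))
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 4. He manages AD from his own PC with RSAT instead of logging on to the DC.
#    (Windows 10 1809 or later; run elevated on his workstation.)
Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
```

Joining PCs to the domain is a separate right (create computer objects in the container where new machines land) and is not covered by the three ACEs above.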
Question has a verified solution.