Creating a restricted domain admin account

We have a temp worker who was hired to work on our help desk (Tier 2), and I need to find the best way to manage this account until he becomes a full-time worker who has passed background checks. I am looking for suggestions or advice on how to give him just enough rights to do his job, and avoid a possible security breach if things don't work out with him. I just don't feel it's a good idea to grant him default domain admin rights until we know he works out.

Thanks in advance
Robert Grover, Network Systems Administrator, asked:
Robert, what will he be doing? Helping users at their workstations, or administering AD user objects as well? These two things are worlds apart.
For workstation support, please look at this concept for safe user support: - flexible, safe, easy to set up.
Robert Grover, Network Systems Administrator (Author), commented:
I want to keep him from playing around with anything beyond AD Users and Computers (DHCP, DNS, Etc.).
Please tell us what you want him to be doing, not what you want him not to be doing :-)
Peter Hutchison, Senior Network Systems Specialist, commented:
Use the 'Delegate Control' feature in AD Users and Computers to specify what rights to give this user.
Open AD Users and Computers, select the domain or OU you want to change, right click and select Delegate Control and follow the wizard to provide the required rights.

Robert Grover, Network Systems Administrator (Author), commented:
I want him to be able to do common things like password changes, user management, adding PCs to the domain, etc. I knew about the delegate control, but I was wondering if I had to take him out of domain admins if I delegate?
Peter Hutchison, Senior Network Systems Specialist, commented:
Yes, you should remove him from Domain Admins before using Delegate Control for that user.
Sure, you will have to take him out of domain admins unless you want to start applying "deny"-entries at your AD object ACLs, which is not recommendable.
Robert Grover, Network Systems Administrator (Author), commented:
Thanks for all of this info from everyone.
Robert, just a note since your membership is relatively recent: you can split points between all helpful answers. Maybe you didn't know that, just in case :-)
Robert Grover, Network Systems Administrator (Author), commented:
Thanks for the advice on feedback. As a side note to the responses, I gave him delegate rights but he is not able to log into the server to manage user accounts. Does delegation take away local login rights on the DC? Should I have that user install the admin tools on his system? Thanks again for everyone's help.
Yes, install RSAT on his system. He should not need to logon to the server.
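To verify the end state the thread arrives at (account removed from Domain Admins, rights granted only through Delegate Control, RSAT used from the help-desk workstation), here is an added PowerShell check that is not part of the thread. It assumes the ActiveDirectory module from RSAT is installed; the account name and OU path are placeholders.

```powershell
# Added example (not from the thread): audit a help-desk account after delegation.
# Assumes the ActiveDirectory module (RSAT) is available; replace the placeholders.
Import-Module ActiveDirectory

$User = 'helpdesk.temp'                # placeholder sAMAccountName of the temp worker
$OuDN = 'OU=Staff,DC=example,DC=com'   # placeholder OU that was delegated

# 1. Confirm the account is not a member, directly or through nesting, of any
#    built-in privileged group (membership here makes the delegation pointless).
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators',
                    'Backup Operators'
foreach ($g in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SamAccountName -eq $User }) {
        Write-Warning "$User is still a member of $g (possibly via a nested group)"
    }
}

# 2. A leftover adminCount of 1 means AdminSDHolder protected this object while it
#    was in Domain Admins; inheritance stays disabled until it is cleared, so the
#    OU permissions you expect may not apply to the account's own object.
$acct = Get-ADUser -Identity $User -Properties adminCount
if ($acct.adminCount -eq 1) {
    Write-Warning "$User has adminCount=1; clear it and re-enable ACL inheritance"
}

# 3. List exactly which rights the Delegate Control wizard granted on the OU,
#    so the result can be compared against the intended task list
#    (password resets, user management, joining PCs to the domain).
$acl = Get-Acl -Path "AD:\$OuDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$User" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it from the workstation where RSAT is installed; no interactive logon to the domain controller is needed for any of the three checks.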