finance_teacher

IT employees -- granting ONLY "mdt" access ?

I am hiring an INTERN to just do MDT PC deployments and do not want to grant this user "Domain Admin" rights, but it looks like I need to based on testing via my Windows Server 2016 AD.

Any suggestions on how to allow above, without giving "Domain Admin" rights ?
arnold

Please clarify what you are after. You can grant user rights such that they are local admins on the device, in addition to giving the user a granular right to add systems to the domain.
finance_teacher

ASKER

I just want the intern to deploy 50+ new PCs via my existing MDT script during the attached step
MDT.jpg
ASKER CERTIFIED SOLUTION
John
This solution is only available to members.
Are you pushing images onto existing systems?
Or a new setup?

Rights assignment to allow a security group to join computers to a domain,
Make the intern a member of this group.
https://www.prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/

You should have a security group that is added to the local administrators group on the workstations, and make the intern user a member of this group.

The rights assignment ..
There are builtin groups like the server operators and others that evolved ...

Commonly, the simplest thing is to grant domain admin, for an employee it is one thing, but for an intern, as your concern indicates and deploying a new system.
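
Added example, not part of the thread: one way to give a security group the granular right to join computers without Domain Admin, by delegating computer-object permissions on a single OU with `dsacls` (an ACL delegation, which is a different mechanism from a user-rights assignment). The domain, OU, group and account names are assumed placeholders.

```powershell
# Added example: every name below is an assumed placeholder, not a value from the thread.
Import-Module ActiveDirectory

$Domain    = 'EXAMPLE'                            # assumed NetBIOS domain name
$TargetOU  = 'OU=Deployed PCs,DC=example,DC=com'  # assumed OU where MDT places new PCs
$GroupName = 'MDT-DomainJoin'                     # hypothetical delegation group
$Intern    = 'intern01'                           # hypothetical intern account

# 1. Create the delegation group if it does not exist, then add the intern.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Intern

$Trustee = "$Domain\$GroupName"

# 2. Allow creating (not deleting) computer objects in this OU and its sub-OUs.
dsacls $TargetOU /I:T /G "${Trustee}:CC;computer"

# 3. On computer objects below the OU, allow only what a join or re-join needs.
$ComputerRights = @(
    'CA;Reset Password',
    'WS;Validated write to DNS host name',
    'WS;Validated write to service principal name'
)
foreach ($Right in $ComputerRights) {
    dsacls $TargetOU /I:S /G "${Trustee}:$Right;computer"
}

# 4. Review the resulting ACEs for the group on the OU.
dsacls $TargetOU | Select-String -SimpleMatch $GroupName

# 5. Confirm the intern did not end up in Domain Admins through nesting.
$Admins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
if ($Admins -contains $Intern) {
    Write-Warning "$Intern is still an effective member of Domain Admins"
}
```

The delegation covers only the one OU, so the MDT join has to create its computer accounts there for these rights to apply.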