Active Directory limited Admin (server 2008)

Discussion in 'Windows Server' started by gdemos, Feb 6, 2014.

  1. gdemos

    gdemos MDL Novice

    Feb 5, 2014
    I'm looking to create an account similar to a Domain Admin, but without access to domain controllers. In other words, this account will have full Administrator rights to any client machine in the domain and be able to add machines to the domain, but have only limited user rights to the servers. (It would be better if it had no access to the servers, remote etc.)
    This account will be used by a person in an end-user tech support kind of role. They should have full access to client machines for installing drivers, applications, etc... but I don't want them on the servers.
    Could you help me, please?
     
  2. haileris

    haileris MDL Novice

    Jul 30, 2009
    Drop the user account in the local workstations' Administrators group, either manually or via software distribution (or look at Restricted Groups policy in AD, but you need to test out what you are doing if you are using this). You can give that account (or, as better practice, a group of which that user is a member) the rights to add computers into the domain - I tried to post links but my post count is too low!
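
The approach in the reply above, as an added PowerShell example that is not part of the original thread: it creates a support group, delegates creation of computer objects on a workstation OU only, and then audits which machines actually list that group as a local administrator. The domain `example.com`, the OU layout, the group and account names, and the sample computer names are all assumptions.

```powershell
# Added example. Every name below is a placeholder (assumption), not from the thread.
$NetBIOS       = 'EXAMPLE'
$DomainDN      = 'DC=example,DC=com'
$WorkstationOU = "OU=Workstations,$DomainDN"          # OU holding client PCs only
$GroupName     = 'Workstation-Admins'
$GroupDN       = "CN=$GroupName,OU=Groups,$DomainDN"
$TechUserDN    = "CN=techsupport,OU=Staff,$DomainDN"

# 1. Global security group; grant rights to the group, not to the individual account.
dsadd group $GroupDN -secgrp yes -scope g -samid $GroupName
dsmod group $GroupDN -addmbr $TechUserDN

# 2. Delegate "create child: computer" on the workstation OU only.
#    Nothing is granted on OU=Domain Controllers or on any server OU.
dsacls $WorkstationOU /I:T /G "${NetBIOS}\${GroupName}:CC;computer"

# 3. Audit: list local Administrators members on a machine via the WinNT provider.
function Get-LocalAdministrators {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # EXAMPLE\Workstation-Admins
    }
}

# The group should be a local admin on every workstation and on no server.
function Test-AdminScope {
    param([string[]]$Workstations, [string[]]$Servers)
    foreach ($computer in ($Workstations + $Servers)) {
        $isAdmin  = @(Get-LocalAdministrators $computer) -contains "$NetBIOS\$GroupName"
        $expected = $Workstations -contains $computer
        New-Object PSObject -Property @{
            Computer          = $computer
            GroupIsLocalAdmin = $isAdmin
            Expected          = $expected
            OK                = ($isAdmin -eq $expected)
        }
    }
}

# Constructed sample machine names; replace with real ones.
Test-AdminScope -Workstations 'PC01', 'PC02' -Servers 'FS01', 'DC01' |
    Format-Table Computer, GroupIsLocalAdmin, Expected, OK -AutoSize
```

Membership of the local Administrators group on the workstations still has to be set by one of the methods the reply names. With Restricted Groups, the "This group is a member of" setting adds the support group to local Administrators, while "Members of this group" replaces the existing membership, which is the difference to test before rollout.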